Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2023, 18:44
Behavioral task: behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20230220-en
General
- Target: AsyncClient.exe
- Size: 45KB
- MD5: dcfb73959b8a575a7f5765bb0723a861
- SHA1: b9757ac469bc18714e7c138094bd461707ff80c5
- SHA256: afbe39d83050f54ca4cdaca312b52475f70389dd7f906653c5869f4db914c85a
- SHA512: c2f4a52227ae66263266c41d7cd5823c0ded669fddec194b1c5f47d8be95851dd359da887a60f9d8a7e7a63f17f4e95e24e4ea7a1ee087925a7bbdad04f43090
- SSDEEP: 768:3uyRNTAoZjRWUJs9bmo2qL7KjGKG6PIyzjbFgX3i+ETtzcHmjBEgmyBDZzx:3uyRNTAGo2WKYDy3bCXS+camjBndzx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 181.ip.ply.gg:5050
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: svchost.exe
- install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/1504-133-0x0000000000B30000-0x0000000000B42000-memory.dmp  asyncrat
  behavioral2/files/0x000200000001e2b8-142.dat                                asyncrat
  behavioral2/files/0x000200000001e2b8-143.dat                                asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  AsyncClient.exe

Executes dropped EXE (1 IoC)
  pid  Process
  316  svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                          taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                       taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  112  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid  Process
  228  timeout.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1504  AsyncClient.exe  (repeated entries)
  2344  taskmgr.exe      (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2344  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          1504  AsyncClient.exe
  Token: SeDebugPrivilege          316   svchost.exe
  Token: SeDebugPrivilege          2344  taskmgr.exe
  Token: SeSystemProfilePrivilege  2344  taskmgr.exe
  Token: SeCreateGlobalPrivilege   2344  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  2344  taskmgr.exe  (64 repeated entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  2344  taskmgr.exe  (64 repeated entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process          procid_target
  PID 1504 wrote to memory of 4560  1504  AsyncClient.exe  87   (3 entries)
  PID 1504 wrote to memory of 3208  1504  AsyncClient.exe  89   (3 entries)
  PID 4560 wrote to memory of 112   4560  cmd.exe          91   (3 entries)
  PID 3208 wrote to memory of 228   3208  cmd.exe          92   (3 entries)
  PID 3208 wrote to memory of 316   3208  cmd.exe          94   (3 entries)
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  PID: 1504
  Signatures:
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 4560
    Signatures:
      - Suspicious use of WriteProcessMemory
    Children:
    - Image: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 112
      Signatures:
        - Creates scheduled task(s)
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp886E.tmp.bat""
    PID: 3208
    Signatures:
      - Suspicious use of WriteProcessMemory
    Children:
    - Image: C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 228
      Signatures:
        - Delays execution with timeout.exe
    - Image: C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 316
      Signatures:
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2344
  Signatures:
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 151B
  MD5: 55d99e37d985f57a6b617a061662d995
  SHA1: a7830d44aed87d273b3fb402af4f5710d7bbb431
  SHA256: 2b1052390765720d932ea5c92a47cfe8d194e5c9681928e178299bee0848980e
  SHA512: bb017e06a706947f013fd3c21426e87846affdc999382919aac73b8b22f7fdf4c3e55e7ac6181e85001938fe70972b501b8ca5aa3ffe59078efb629359a479d1
- Filesize: 45KB
  MD5: dcfb73959b8a575a7f5765bb0723a861
  SHA1: b9757ac469bc18714e7c138094bd461707ff80c5
  SHA256: afbe39d83050f54ca4cdaca312b52475f70389dd7f906653c5869f4db914c85a
  SHA512: c2f4a52227ae66263266c41d7cd5823c0ded669fddec194b1c5f47d8be95851dd359da887a60f9d8a7e7a63f17f4e95e24e4ea7a1ee087925a7bbdad04f43090
- Filesize: 45KB
  MD5: dcfb73959b8a575a7f5765bb0723a861
  SHA1: b9757ac469bc18714e7c138094bd461707ff80c5
  SHA256: afbe39d83050f54ca4cdaca312b52475f70389dd7f906653c5869f4db914c85a
  SHA512: c2f4a52227ae66263266c41d7cd5823c0ded669fddec194b1c5f47d8be95851dd359da887a60f9d8a7e7a63f17f4e95e24e4ea7a1ee087925a7bbdad04f43090