Analysis
-
max time kernel
135s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
27/04/2023, 03:34
General
-
Target
AsyncClient.exe
-
Size
45KB
-
MD5
3e22b4881d403e06a2790b6eed7be6e2
-
SHA1
0253bbed2fd792ddceb33c81196e24283ce9a492
-
SHA256
e4754f6bf9dab9b5c124d1d1b1238ddbfa1383e593f686f55a9eb747d44a938f
-
SHA512
543f2eebc95f052512766dda20f9f84866214412f7e03bff33ac3168996f351c6d856f71cd53b4f9d4c71ed2e99f6b7ae55f858c3e91e8ca635b0a3b977df3fa
-
SSDEEP
768:Hu/6ZTgoiziWUUM9rmo2qrrKjGKG6PIyzjbFgX3i1WTulwrU19R4p5BDZjx:Hu/6ZTgle2mKYDy3bCXScTuln19R4pdd
Malware Config
Extracted
-
Family
asyncrat
-
Version
0.5.7B
-
Botnet
Default
-
C2
127.0.0.1:61288
146.70.165.10:61288
-
Mutex
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AsyncClient.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AsyncClient.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AsyncClient.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AsyncClient.exe
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/memory/1760-133-0x0000000000A40000-0x0000000000A52000-memory.dmp | asyncrat
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | AsyncClient.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | AsyncClient.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5080 | powershell.exe
5080 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1760 | AsyncClient.exe
Token: SeDebugPrivilege | 5080 | powershell.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1760 wrote to memory of 5080 | 1760 | AsyncClient.exe | 93
PID 1760 wrote to memory of 5080 | 1760 | AsyncClient.exe | 93
PID 1760 wrote to memory of 5080 | 1760 | AsyncClient.exe | 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
-
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
-
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
-
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82