Analysis
- max time kernel: 91s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/04/2023, 03:48
Behavioral task: behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20230220-en
General
- Target: AsyncClient.exe
- Size: 47KB
- MD5: 05db410247a5899d2784c9d79a7e9f7a
- SHA1: 9be286a04858d149eee48e4cb4f3e73ea5c5c2b8
- SHA256: 211b91753a7aa02a6ab3a2fafdd350c4c82870b8982fdecfe4f18ef0fcfa277b
- SHA512: 730325ce9cb5553c9e208ab34db04efde78c38ddea36a6d13bd47fb54fd0bc973d51604b0c03e83464c4f6dbb301d90cca835a98d457e2e5d56cf8ef65d0254d
- SSDEEP: 768:eu/6ZTgoiziWUUM9rmo2qrAcazlaQPIX1XVrbOi0bGf9omSH8M6AaQLczGdBDZgx:eu/6ZTgle2W9XFRUbGfe3laQLcazdgx
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- botnet: Default
- c2: 127.0.0.1:61288, 146.70.165.10:61288
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4708-133-0x0000000000F70000-0x0000000000F82000-memory.dmp  asyncrat
  behavioral2/files/0x00020000000225be-167.dat                                  asyncrat
  behavioral2/files/0x00020000000225be-168.dat                                  asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                    Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation   AsyncClient.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  404   kbukxp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid    Process
  2848   timeout.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid    Process          entries
  3836   powershell.exe   2
  404    kbukxp.exe       23
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    4708   AsyncClient.exe
  Token: SeDebugPrivilege    3836   powershell.exe
  Token: SeDebugPrivilege    404    kbukxp.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each row was recorded 3 times)
  description                      pid    Process           procid_target
  PID 4708 wrote to memory of 2304 4708   AsyncClient.exe   88
  PID 4708 wrote to memory of 3776 4708   AsyncClient.exe   90
  PID 2304 wrote to memory of 3836 2304   cmd.exe           92
  PID 3776 wrote to memory of 2848 3776   cmd.exe           93
  PID 3836 wrote to memory of 404  3836   powershell.exe    94
Processes
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  PID: 4708
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kbukxp.exe"' & exit
    PID: 2304
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kbukxp.exe"'
      PID: 3836
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\kbukxp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\kbukxp.exe"
        PID: 404
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F25.tmp.bat""
    PID: 3776
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 2
      PID: 2848
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- File 2 (hashes identical to the submitted AsyncClient.exe)
  Filesize: 47KB
  MD5: 05db410247a5899d2784c9d79a7e9f7a
  SHA1: 9be286a04858d149eee48e4cb4f3e73ea5c5c2b8
  SHA256: 211b91753a7aa02a6ab3a2fafdd350c4c82870b8982fdecfe4f18ef0fcfa277b
  SHA512: 730325ce9cb5553c9e208ab34db04efde78c38ddea36a6d13bd47fb54fd0bc973d51604b0c03e83464c4f6dbb301d90cca835a98d457e2e5d56cf8ef65d0254d
- File 3 (hashes identical to the submitted AsyncClient.exe)
  Filesize: 47KB
  MD5: 05db410247a5899d2784c9d79a7e9f7a
  SHA1: 9be286a04858d149eee48e4cb4f3e73ea5c5c2b8
  SHA256: 211b91753a7aa02a6ab3a2fafdd350c4c82870b8982fdecfe4f18ef0fcfa277b
  SHA512: 730325ce9cb5553c9e208ab34db04efde78c38ddea36a6d13bd47fb54fd0bc973d51604b0c03e83464c4f6dbb301d90cca835a98d457e2e5d56cf8ef65d0254d
- File 4
  Filesize: 163B
  MD5: 2ef77f4dcd456d76af721b9b69a3a7d2
  SHA1: 34391cb02820681decb287c4b04075c61665e8f8
  SHA256: ae4f4b44729ea269e263db938365ea8bba403e812066d91519dcc3ac6132038e
  SHA512: 18fa71d26bc5e9c24429de6a7eed66c63fe411a44279d81928e4fc4f55e088241227faebef4c33bb5e12747d07a9241fb233662395f79a5452c7c194370ade4d