Analysis

  • max time kernel
    65s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/04/2023, 05:31

General

  • Target

    AsyncClient.exe

  • Size

    48KB

  • MD5

    f543c4cf51fb25b1bacb1bd54b9d8bc1

  • SHA1

    13b1846a380f4a4840cce067d274d1d0eaf4076e

  • SHA256

    2feff6f4c4076cf3938109607fe65dd5f0de893aad9ea2e732a2a37f3aa55f35

  • SHA512

    d3c7fcc79a69cdd87dbc873a237dcb963d8f14d80a63674384070538fafbde9230056c487a0833903608b71551104db7ef07ef3644b4ece4811de64bce8bdeb0

  • SSDEEP

    768:8ugSNTokqd97WUHgAKpmo2q7qPGlhPIkZHNe2dxbpzZmigzXxYMLDpBDZIR:8ugSNToTdQT2g+SHNDLbp0fzl3dIR

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:61288

146.70.165.10:61288

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Microsoft Update.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp14A1.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:832
      • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4540

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp14A1.tmp.bat

          Filesize

          160B

          MD5

          37865e9459775c3ef1631b199545b835

          SHA1

          1001e6bcdfd3036e6e8c06361f824035a985fbd4

          SHA256

          f0fb23cd2de16411075f6c84cc7646d59692b1b0ad6ff180ac69629b679c5024

          SHA512

          7446f703a60c804cc2abe0c70e71d045be2017862df4a75e1fa55854f539ea10bfb0e9b4c609494ec36bbd37bf83896afa426accbfb01773721fb592ac8a75f0

        • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe

          Filesize

          48KB

          MD5

          f543c4cf51fb25b1bacb1bd54b9d8bc1

          SHA1

          13b1846a380f4a4840cce067d274d1d0eaf4076e

          SHA256

          2feff6f4c4076cf3938109607fe65dd5f0de893aad9ea2e732a2a37f3aa55f35

          SHA512

          d3c7fcc79a69cdd87dbc873a237dcb963d8f14d80a63674384070538fafbde9230056c487a0833903608b71551104db7ef07ef3644b4ece4811de64bce8bdeb0

        • memory/4164-133-0x0000000000450000-0x0000000000462000-memory.dmp

          Filesize

          72KB

        • memory/4164-134-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

          Filesize

          64KB

        • memory/4164-135-0x0000000004F70000-0x000000000500C000-memory.dmp

          Filesize

          624KB

        • memory/4540-144-0x0000000005880000-0x0000000005890000-memory.dmp

          Filesize

          64KB

        • memory/4540-145-0x0000000005880000-0x0000000005890000-memory.dmp

          Filesize

          64KB

        • memory/4540-146-0x0000000006120000-0x00000000066C4000-memory.dmp

          Filesize

          5.6MB

        • memory/4540-147-0x0000000005B70000-0x0000000005BD6000-memory.dmp

          Filesize

          408KB