Analysis
-
max time kernel
65s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/04/2023, 05:31
General
-
Target
AsyncClient.exe
-
Size
48KB
-
MD5
f543c4cf51fb25b1bacb1bd54b9d8bc1
-
SHA1
13b1846a380f4a4840cce067d274d1d0eaf4076e
-
SHA256
2feff6f4c4076cf3938109607fe65dd5f0de893aad9ea2e732a2a37f3aa55f35
-
SHA512
d3c7fcc79a69cdd87dbc873a237dcb963d8f14d80a63674384070538fafbde9230056c487a0833903608b71551104db7ef07ef3644b4ece4811de64bce8bdeb0
-
SSDEEP
768:8ugSNTokqd97WUHgAKpmo2q7qPGlhPIkZHNe2dxbpzZmigzXxYMLDpBDZIR:8ugSNToTdQT2g+SHNDLbp0fzl3dIR
Malware Config
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:61288
146.70.165.10:61288
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Microsoft Update.exe
-
install_folder
%AppData%
Signatures
-
Async RAT payload 3 IoCs
resource / yara_rule
behavioral1/memory/4164-133-0x0000000000450000-0x0000000000462000-memory.dmp: asyncrat
behavioral1/files/0x0008000000022cfd-142.dat: asyncrat
behavioral1/files/0x0008000000022cfd-143.dat: asyncrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation (process: AsyncClient.exe)
-
Executes dropped EXE 1 IoCs
PID 4540: Microsoft Update.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 3764: schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
PID 832: timeout.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
PID 4164: AsyncClient.exe (23 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 4164: AsyncClient.exe
Token: SeDebugPrivilege, PID 4540: Microsoft Update.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
PID 4164 (AsyncClient.exe) wrote to memory of PID 3484, target id 87 (3 events)
PID 4164 (AsyncClient.exe) wrote to memory of PID 1584, target id 89 (3 events)
PID 1584 (cmd.exe) wrote to memory of PID 832, target id 92 (3 events)
PID 3484 (cmd.exe) wrote to memory of PID 3764, target id 91 (3 events)
PID 1584 (cmd.exe) wrote to memory of PID 4540, target id 94 (3 events)
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  PID: 4164
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
      PID: 3484
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
          PID: 3764
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp14A1.tmp.bat""
      PID: 1584
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          PID: 832
          - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
          PID: 4540
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
-
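The process tree above is the whole AsyncRAT install sequence: the client spawns cmd.exe to register an onlogon scheduled task (run level highest) pointing at a copy of itself in %AppData%, writes a tmp*.tmp.bat to %TEMP%, and that batch waits with timeout before starting the dropped "Microsoft Update.exe". The following is an added example, not code from this report or from AsyncRAT, that turns those three steps into detection rules and runs them over constructed Sysmon-style process-creation records modelled on the tree (the parent PID 2000 of the client, and the benign logon task under pid 5000 used as a negative case, are invented for the sample). The rules key on the /tr target and the launched image living in a user-writable directory rather than on the task name, so renaming the install file does not evade them.

```python
"""Detection logic for the AsyncRAT install chain in the process tree above.
Added example, not code from the sandbox report or from AsyncRAT; it runs over
constructed Sysmon-style process-creation records (Event ID 1 trimmed to
pid/ppid/image/cmdline), not live telemetry."""
import re
from collections import defaultdict, namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Directories a standard user can write to; persistence pointing there is the signal.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# The /tr argument, tolerant of the '"...exe"' quoting seen in the tree above.
SCHTASKS_TR = re.compile(r"/tr\s+'?\"?([^'\"]+\.exe)", re.I)
# The dropper batch the client writes to %TEMP%: tmpXXXX.tmp.bat
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp\.bat", re.I)

def rule_onlogon_task_to_user_dir(ev):
    """schtasks /create /sc onlogon /rl highest whose /tr target is in a user-writable
    directory. Fires on schtasks.exe and on the cmd.exe wrapper that launches it."""
    cl = ev.cmdline.lower()
    if not all(s in cl for s in ("schtasks", "/create", "/sc onlogon", "/rl highest")):
        return None
    m = SCHTASKS_TR.search(ev.cmdline)
    return m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None

def rule_cmd_runs_temp_bat(ev):
    """cmd.exe /c executing a tmp*.tmp.bat from the user's Temp directory."""
    m = TEMP_BAT.search(ev.cmdline) if basename(ev.image) == "cmd.exe" else None
    return m.group(0) if m else None

def rule_timeout_then_user_dir_exec(events):
    """A cmd.exe that runs timeout.exe and afterwards starts an executable from a
    user-writable directory (the 'timeout N & start <dropped exe>' batch).
    Events are assumed to be in chronological order."""
    order = {ev.pid: i for i, ev in enumerate(events)}
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        timeouts = [k for k in children[ev.pid] if basename(k.image) == "timeout.exe"]
        for k in children[ev.pid]:
            if (k not in timeouts and USER_WRITABLE.search(k.image)
                    and any(order[t.pid] < order[k.pid] for t in timeouts)):
                hits.append((ev.pid, k.image))
    return hits

def root_of(pid, by_pid):
    """Follow ppid links up to the top-most process we hold an event for."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid

def analyze(events):
    """Run all rules; each finding carries 'root', the originating process."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        for name, rule in (("onlogon_task_to_user_dir", rule_onlogon_task_to_user_dir),
                           ("cmd_runs_temp_bat", rule_cmd_runs_temp_bat)):
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev.pid,
                                 "root": root_of(ev.pid, by_pid), "detail": detail})
    for pid, image in rule_timeout_then_user_dir_exec(events):
        findings.append({"rule": "timeout_then_user_dir_exec", "pid": pid,
                         "root": root_of(pid, by_pid), "detail": image})
    return findings

# Constructed sample: the tree from the report (parent pid 2000 is made up) plus
# one benign logon task under Program Files (pid 5000) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(4164, 2000, r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'),
    ProcEvent(3484, 4164, r"C:\Windows\SysWOW64\cmd.exe",
              r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest """
              r"""/tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit"""),
    ProcEvent(3764, 3484, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" """
              r"""/tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'"""),
    ProcEvent(1584, 4164, r"C:\Windows\SysWOW64\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp14A1.tmp.bat""'''),
    ProcEvent(832, 1584, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(4540, 1584, r"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'),
    ProcEvent(5000, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /rl highest /tn "Backup" /tr "C:\Program Files\Vendor\agent.exe"'),
]
```

Calling analyze(SAMPLE_EVENTS) yields four findings, all with root 4164: the onlogon rule on both the cmd.exe wrapper (3484) and schtasks.exe (3764), the Temp batch rule on cmd.exe 1584, and the timeout-then-execute rule on the same 1584 with the dropped "Microsoft Update.exe" as detail. The benign task under Program Files produces nothing. In a real pipeline the ordering assumption in the third rule should come from the event timestamps, not list position.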
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 160B
MD5 37865e9459775c3ef1631b199545b835
SHA1 1001e6bcdfd3036e6e8c06361f824035a985fbd4
SHA256 f0fb23cd2de16411075f6c84cc7646d59692b1b0ad6ff180ac69629b679c5024
SHA512 7446f703a60c804cc2abe0c70e71d045be2017862df4a75e1fa55854f539ea10bfb0e9b4c609494ec36bbd37bf83896afa426accbfb01773721fb592ac8a75f0
-
Filesize 48KB
MD5 f543c4cf51fb25b1bacb1bd54b9d8bc1
SHA1 13b1846a380f4a4840cce067d274d1d0eaf4076e
SHA256 2feff6f4c4076cf3938109607fe65dd5f0de893aad9ea2e732a2a37f3aa55f35
SHA512 d3c7fcc79a69cdd87dbc873a237dcb963d8f14d80a63674384070538fafbde9230056c487a0833903608b71551104db7ef07ef3644b4ece4811de64bce8bdeb0
-
Filesize 48KB (second file entry, hashes identical to the one above)
MD5 f543c4cf51fb25b1bacb1bd54b9d8bc1
SHA1 13b1846a380f4a4840cce067d274d1d0eaf4076e
SHA256 2feff6f4c4076cf3938109607fe65dd5f0de893aad9ea2e732a2a37f3aa55f35
SHA512 d3c7fcc79a69cdd87dbc873a237dcb963d8f14d80a63674384070538fafbde9230056c487a0833903608b71551104db7ef07ef3644b4ece4811de64bce8bdeb0