asyncrat | dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fnexternal.exe
Size

47KB
MD5

0baac525ab667acc805e5fc39365677d
SHA1

bdbf2f2896c5f611bf05d511ae5df283fd4d5075
SHA256

dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5
SHA512

f37354cb81e09257926406b02d680387a004886a906b2e7319e6eec25e1e62cc1fd93cb6f27fe1781527613ac329fad25f1a38b9785c4dc685fa142cbeed5cf4
SSDEEP

768:zUSRUbDILQe08+bi7EQ8iZ/8Yb+g9dm546VYvEgK/J3ZVc6KN:oS8ErzbBamnkJ3ZVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

127.0.0.1:52364

199.36.223.62:8848

199.36.223.62:52364

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
..exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000EA0000-0x0000000000EB2000-memory.dmp	asyncrat
behavioral1/files/0x00070000000120e6-14.dat	asyncrat
behavioral1/files/0x00070000000120e6-15.dat	asyncrat
behavioral1/memory/2916-16-0x00000000009A0000-0x00000000009B2000-memory.dmp	asyncrat
behavioral1/memory/2916-36-0x0000000001F30000-0x0000000001F3E000-memory.dmp	asyncrat
behavioral1/memory/2916-55-0x000000001A7C0000-0x000000001A7CE000-memory.dmp	asyncrat
behavioral1/memory/2916-76-0x000000001C020000-0x000000001C03E000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2916	..exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini	..exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	..exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2844	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2596	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2208	fnexternal.exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe
2916	..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	fnexternal.exe
Token: SeDebugPrivilege	2916	..exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2916	..exe
2916	..exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2632	2208	fnexternal.exe	28
PID 2208 wrote to memory of 2632	2208	fnexternal.exe	28
PID 2208 wrote to memory of 2632	2208	fnexternal.exe	28
PID 2208 wrote to memory of 2860	2208	fnexternal.exe	30
PID 2208 wrote to memory of 2860	2208	fnexternal.exe	30
PID 2208 wrote to memory of 2860	2208	fnexternal.exe	30
PID 2632 wrote to memory of 2844	2632	cmd.exe	32
PID 2632 wrote to memory of 2844	2632	cmd.exe	32
PID 2632 wrote to memory of 2844	2632	cmd.exe	32
PID 2860 wrote to memory of 2596	2860	cmd.exe	33
PID 2860 wrote to memory of 2596	2860	cmd.exe	33
PID 2860 wrote to memory of 2596	2860	cmd.exe	33
PID 2860 wrote to memory of 2916	2860	cmd.exe	34
PID 2860 wrote to memory of 2916	2860	cmd.exe	34
PID 2860 wrote to memory of 2916	2860	cmd.exe	34
PID 572 wrote to memory of 388	572	chrome.exe	39
PID 572 wrote to memory of 388	572	chrome.exe	39
PID 572 wrote to memory of 388	572	chrome.exe	39
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2964	572	chrome.exe	41
PID 572 wrote to memory of 2700	572	chrome.exe	42
PID 572 wrote to memory of 2700	572	chrome.exe	42
PID 572 wrote to memory of 2700	572	chrome.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fnexternal.exe
"C:\Users\Admin\AppData\Local\Temp\fnexternal.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "." /tr '"C:\Users\Admin\AppData\Local\Temp\..exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "." /tr '"C:\Users\Admin\AppData\Local\Temp\..exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2844
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7723.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\..exe
    "C:\Users\Admin\AppData\Local\Temp\..exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef4f9758,0x7feef4f9768,0x7feef4f9778
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1368,i,14954336861324999993,12795861477139281879,131072 /prefetch:2
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1368,i,14954336861324999993,12795861477139281879,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1368,i,14954336861324999993,12795861477139281879,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1368,i,14954336861324999993,12795861477139281879,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1368,i,14954336861324999993,12795861477139281879,131072 /prefetch:1
  2⤵
  PID:1008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\..exe

Filesize
47KB

MD5
0baac525ab667acc805e5fc39365677d

SHA1
bdbf2f2896c5f611bf05d511ae5df283fd4d5075

SHA256
dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5

SHA512
f37354cb81e09257926406b02d680387a004886a906b2e7319e6eec25e1e62cc1fd93cb6f27fe1781527613ac329fad25f1a38b9785c4dc685fa142cbeed5cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\..exe

Filesize
47KB

MD5
0baac525ab667acc805e5fc39365677d

SHA1
bdbf2f2896c5f611bf05d511ae5df283fd4d5075

SHA256
dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5

SHA512
f37354cb81e09257926406b02d680387a004886a906b2e7319e6eec25e1e62cc1fd93cb6f27fe1781527613ac329fad25f1a38b9785c4dc685fa142cbeed5cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F47.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB022.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7723.tmp.bat

Filesize
148B

MD5
8db259931e7290ee3f89cc31750e042e

SHA1
ae62ad23948491ef5f3a012d70f23d68c2551e15

SHA256
690b9d70a1f13c227ac5c79efedb5bd95dd416ce84d7250bbf87c50ad4f9e9cc

SHA512
3b89343f215b28f67060f2a0b64801f3c91031d102b3c4b4f970a4e96abd7046cf6ce9b805e85dd76a795759d2bacc17a7ccf2772be52c693b3b6e826ffb3548

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7723.tmp.bat

Filesize
148B

MD5
8db259931e7290ee3f89cc31750e042e

SHA1
ae62ad23948491ef5f3a012d70f23d68c2551e15

SHA256
690b9d70a1f13c227ac5c79efedb5bd95dd416ce84d7250bbf87c50ad4f9e9cc

SHA512
3b89343f215b28f67060f2a0b64801f3c91031d102b3c4b4f970a4e96abd7046cf6ce9b805e85dd76a795759d2bacc17a7ccf2772be52c693b3b6e826ffb3548

Download Submit
memory/2208-1-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-2-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download
memory/2208-12-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-0-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/2916-16-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/2916-36-0x0000000001F30000-0x0000000001F3E000-memory.dmp

Filesize
56KB

Download
memory/2916-35-0x000007FEF4750000-0x000007FEF513C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-55-0x000000001A7C0000-0x000000001A7CE000-memory.dmp

Filesize
56KB

Download
memory/2916-76-0x000000001C020000-0x000000001C03E000-memory.dmp

Filesize
120KB

Download
memory/2916-18-0x000000001A7F0000-0x000000001A870000-memory.dmp

Filesize
512KB

Download
memory/2916-17-0x000007FEF4750000-0x000007FEF513C000-memory.dmp

Filesize
9.9MB

Download