Analysis

max time kernel: 162s
max time network: 175s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 23:06
Behavioral task: behavioral1
Sample: AsyncClient.exe
Resource: win7-20240221-en
General

Target: AsyncClient.exe
Size: 48KB
MD5: d933c68464a25181fceeaf51aff27c7d
SHA1: c683186a615cc17e30a234e3a8ed666528c81998
SHA256: 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
SHA512: e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa
SSDEEP: 768:quwhFTAY3IQWUe9jqmo2qLfRyqD+4ZEzZPISu+Spy0b91pDlsISFnqBUVd/QYt0S:quwhFTA4/2YrhEWr+CNb9nOIyqBUVdI2
Malware Config

Extracted
  family: asyncrat
  version: 0.5.8
  Default
  report-dust.gl.at.ply.gg:28329
  9VMpESMh922h
  delay: 3
  install: true
  install_file: Svchost.exe
  install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
  resource: behavioral1/files/0x000f0000000122de-13.dat   yara_rule: family_asyncrat

Executes dropped EXE (1 IoCs)
  PID 2620   Process: Svchost.exe

Loads dropped DLL (1 IoCs)
  PID 2552   Process: cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2696   Process: schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  PID 2576   Process: timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2100   Process: AsyncClient.exe
  PID 2100   Process: AsyncClient.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2100  AsyncClient.exe
  Token: SeDebugPrivilege  2620  Svchost.exe
  Token: SeDebugPrivilege  2620  Svchost.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process          procid_target
  PID 2100 wrote to memory of 2912  2100  AsyncClient.exe  27
  PID 2100 wrote to memory of 2912  2100  AsyncClient.exe  27
  PID 2100 wrote to memory of 2912  2100  AsyncClient.exe  27
  PID 2100 wrote to memory of 2912  2100  AsyncClient.exe  27
  PID 2100 wrote to memory of 2552  2100  AsyncClient.exe  29
  PID 2100 wrote to memory of 2552  2100  AsyncClient.exe  29
  PID 2100 wrote to memory of 2552  2100  AsyncClient.exe  29
  PID 2100 wrote to memory of 2552  2100  AsyncClient.exe  29
  PID 2912 wrote to memory of 2696  2912  cmd.exe          31
  PID 2912 wrote to memory of 2696  2912  cmd.exe          31
  PID 2912 wrote to memory of 2696  2912  cmd.exe          31
  PID 2912 wrote to memory of 2696  2912  cmd.exe          31
  PID 2552 wrote to memory of 2576  2552  cmd.exe          32
  PID 2552 wrote to memory of 2576  2552  cmd.exe          32
  PID 2552 wrote to memory of 2576  2552  cmd.exe          32
  PID 2552 wrote to memory of 2576  2552  cmd.exe          32
  PID 2552 wrote to memory of 2620  2552  cmd.exe          33
  PID 2552 wrote to memory of 2620  2552  cmd.exe          33
  PID 2552 wrote to memory of 2620  2552  cmd.exe          33
  PID 2552 wrote to memory of 2620  2552  cmd.exe          33
Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe  (PID 2100, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2912, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2696, level 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 2552, level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA506.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 2576, level 3)
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Svchost.exe  (PID 2620, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 151B
MD5: 379882b5c10e39492e34a1880f7e8e2c
SHA1: eb5d3bf30d3ec84f0bf94dd4e33f09efc12b8143
SHA256: eaa823732b6fca85ebf03fa114609bae3e602184cceb6628b3e575447e135bfb
SHA512: 570e3c8a108b02589e30ae0fb4df493792890c9c90720f7d2dc7cc2587e22ac3fbec88396c96ffeef78eab3c2ea763870fd01f8738f026fbb3627fa3b26fecfa

Filesize: 48KB
MD5: d933c68464a25181fceeaf51aff27c7d
SHA1: c683186a615cc17e30a234e3a8ed666528c81998
SHA256: 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
SHA512: e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa