Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 23:06

General

  • Target

    AsyncClient.exe

  • Size

    48KB

  • MD5

    d933c68464a25181fceeaf51aff27c7d

  • SHA1

    c683186a615cc17e30a234e3a8ed666528c81998

  • SHA256

    84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4

  • SHA512

    e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa

  • SSDEEP

    768:quwhFTAY3IQWUe9jqmo2qLfRyqD+4ZEzZPISu+Spy0b91pDlsISFnqBUVd/QYt0S:quwhFTA4/2YrhEWr+CNb9nOIyqBUVdI2

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

report-dust.gl.at.ply.gg:28329

Mutex

9VMpESMh922h

Attributes
  • delay

    3

  • install

    true

  • install_file

    Svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4541.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4336
      • C:\Users\Admin\AppData\Roaming\Svchost.exe
        "C:\Users\Admin\AppData\Roaming\Svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4652
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4020 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp4541.tmp.bat

      Filesize

      151B

      MD5

      fd97a97518adb73a8063cb441446c966

      SHA1

      7f52fe4b179fe0928f9520f07d4230fa0bb1ba6f

      SHA256

      1cd65d874c205120793348e381b2c482f8a39de147554a68b4d6a9c4ba787919

      SHA512

      ee482484ffa8c71abcd83bad10fcd33e5a73aa2089ede4b8f14e06b8c2b374355dc9a5340b3fbdd21ca7fba838e525e607e82a9a1989b891d362f2db7fcdb3d4

    • C:\Users\Admin\AppData\Roaming\Svchost.exe

      Filesize

      48KB

      MD5

      d933c68464a25181fceeaf51aff27c7d

      SHA1

      c683186a615cc17e30a234e3a8ed666528c81998

      SHA256

      84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4

      SHA512

      e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa

    • memory/4652-13-0x0000000074AF0000-0x00000000752A0000-memory.dmp

      Filesize

      7.7MB

    • memory/4652-14-0x0000000074AF0000-0x00000000752A0000-memory.dmp

      Filesize

      7.7MB

    • memory/5064-0-0x0000000074B70000-0x0000000075320000-memory.dmp

      Filesize

      7.7MB

    • memory/5064-1-0x0000000000140000-0x0000000000152000-memory.dmp

      Filesize

      72KB

    • memory/5064-2-0x0000000004B20000-0x0000000004B30000-memory.dmp

      Filesize

      64KB

    • memory/5064-3-0x0000000004E30000-0x0000000004ECC000-memory.dmp

      Filesize

      624KB

    • memory/5064-9-0x0000000074B70000-0x0000000075320000-memory.dmp

      Filesize

      7.7MB