Analysis
- max time kernel: 147s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 23:06
Behavioral task
- behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20240221-en
General
- Target: AsyncClient.exe
- Size: 48KB
- MD5: d933c68464a25181fceeaf51aff27c7d
- SHA1: c683186a615cc17e30a234e3a8ed666528c81998
- SHA256: 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
- SHA512: e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa
- SSDEEP: 768:quwhFTAY3IQWUe9jqmo2qLfRyqD+4ZEzZPISu+Spy0b91pDlsISFnqBUVd/QYt0S:quwhFTA4/2YrhEWr+CNb9nOIyqBUVdI2
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: report-dust.gl.at.ply.gg:28329
- Mutex: 9VMpESMh922h
- delay: 3
- install: true
- install_file: Svchost.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  - resource yara_rule: behavioral2/files/0x0007000000023266-11.dat (family_asyncrat)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by AsyncClient.exe
- Executes dropped EXE (1 IoC)
  - PID 4652 Svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1808 schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  - PID 4336 timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  - PID 5064 AsyncClient.exe (23 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 5064 AsyncClient.exe
  - Token: SeDebugPrivilege, PID 4652 Svchost.exe (2 events)
- Suspicious use of WriteProcessMemory (15 IoCs)
  - PID 5064 AsyncClient.exe wrote to memory of PID 3860 (procid_target 96), 3 events
  - PID 5064 AsyncClient.exe wrote to memory of PID 2196 (procid_target 98), 3 events
  - PID 3860 cmd.exe wrote to memory of PID 1808 (procid_target 100), 3 events
  - PID 2196 cmd.exe wrote to memory of PID 4336 (procid_target 101), 3 events
  - PID 2196 cmd.exe wrote to memory of PID 4652 (procid_target 102), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  PID: 5064
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
    PID: 3860
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
      PID: 1808
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4541.tmp.bat""
    PID: 2196
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      PID: 4336
      signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      PID: 4652
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4020 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
  PID: 3996
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  - Filesize: 151B
  - MD5: fd97a97518adb73a8063cb441446c966
  - SHA1: 7f52fe4b179fe0928f9520f07d4230fa0bb1ba6f
  - SHA256: 1cd65d874c205120793348e381b2c482f8a39de147554a68b4d6a9c4ba787919
  - SHA512: ee482484ffa8c71abcd83bad10fcd33e5a73aa2089ede4b8f14e06b8c2b374355dc9a5340b3fbdd21ca7fba838e525e607e82a9a1989b891d362f2db7fcdb3d4
- Download 2
  - Filesize: 48KB
  - MD5: d933c68464a25181fceeaf51aff27c7d
  - SHA1: c683186a615cc17e30a234e3a8ed666528c81998
  - SHA256: 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
  - SHA512: e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa