Analysis
  max time kernel: 125s
  max time network: 134s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 16-04-2024 23:09
Behavioral task: behavioral1
  Sample: AsyncClient.exe
  Resource: win7-20240220-en
General
  Target: AsyncClient.exe
  Size: 48KB
  MD5: 0712481ec7be68e2f67672b911aebf23
  SHA1: 527ceb23db13a4e84b5f27a850116bb1421981dd
  SHA256: 6a26dc7c12eddcdc36e00ca1633eb4f231a433deee4f574122c51690f28a3e67
  SHA512: bce33d4a59624ccee236df8b3ff061bd58377dee284e44849471e7afdd9baf7845a91dc9701647ce9290ea13c3f18ca2bda780dce646a28b3c1436ad78d248cd
  SSDEEP: 768:/uwhFTAY3IQWUe9jqmo2qLwjbovXejeM8emPISZrul5UrM0bfg02Gzd6jq7eDZyG:/uwhFTA4/2pjboOehAgruYrfbfAGzMqQ
Malware Config
  Extracted
    asyncrat
    0.5.8
    Default
    C2: report-dust.gl.at.ply.gg:28329
    C2: report-dust.gl.at.ply.gg:8188
    9VMpESMh922h
    delay: 3
    install: true
    install_file: Svchost.exe
    install_folder: %AppData%
Signatures
  Async RAT payload (1 IoC)
    resource: behavioral1/files/0x000c000000012331-13.dat, yara_rule: family_asyncrat
  Executes dropped EXE (1 IoC)
    pid 2112, process Svchost.exe
  Loads dropped DLL (1 IoC)
    pid 2568, process cmd.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid 2664, process schtasks.exe
  Delays execution with timeout.exe (1 IoC)
    pid 2668, process timeout.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid 2276, process AsyncClient.exe
    pid 2276, process AsyncClient.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, pid 2276, process AsyncClient.exe
    Token: SeDebugPrivilege, pid 2112, process Svchost.exe
  Suspicious use of WriteProcessMemory (20 IoCs)
    PID 2276 wrote to memory of 1948 (pid 2276, AsyncClient.exe, procid_target 28)
    PID 2276 wrote to memory of 1948 (pid 2276, AsyncClient.exe, procid_target 28)
    PID 2276 wrote to memory of 1948 (pid 2276, AsyncClient.exe, procid_target 28)
    PID 2276 wrote to memory of 1948 (pid 2276, AsyncClient.exe, procid_target 28)
    PID 2276 wrote to memory of 2568 (pid 2276, AsyncClient.exe, procid_target 30)
    PID 2276 wrote to memory of 2568 (pid 2276, AsyncClient.exe, procid_target 30)
    PID 2276 wrote to memory of 2568 (pid 2276, AsyncClient.exe, procid_target 30)
    PID 2276 wrote to memory of 2568 (pid 2276, AsyncClient.exe, procid_target 30)
    PID 2568 wrote to memory of 2668 (pid 2568, cmd.exe, procid_target 33)
    PID 2568 wrote to memory of 2668 (pid 2568, cmd.exe, procid_target 33)
    PID 2568 wrote to memory of 2668 (pid 2568, cmd.exe, procid_target 33)
    PID 2568 wrote to memory of 2668 (pid 2568, cmd.exe, procid_target 33)
    PID 1948 wrote to memory of 2664 (pid 1948, cmd.exe, procid_target 32)
    PID 1948 wrote to memory of 2664 (pid 1948, cmd.exe, procid_target 32)
    PID 1948 wrote to memory of 2664 (pid 1948, cmd.exe, procid_target 32)
    PID 1948 wrote to memory of 2664 (pid 1948, cmd.exe, procid_target 32)
    PID 2568 wrote to memory of 2112 (pid 2568, cmd.exe, procid_target 34)
    PID 2568 wrote to memory of 2112 (pid 2568, cmd.exe, procid_target 34)
    PID 2568 wrote to memory of 2112 (pid 2568, cmd.exe, procid_target 34)
    PID 2568 wrote to memory of 2112 (pid 2568, cmd.exe, procid_target 34)
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
      PID: 2276
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
        PID: 1948
        Signatures: Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
          PID: 2664
          Signatures: Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp.bat""
        PID: 2568
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          PID: 2668
          Signatures: Delays execution with timeout.exe
      [3] C:\Users\Admin\AppData\Roaming\Svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Svchost.exe"
          PID: 2112
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 151B
    MD5: 81217d02b452480266f0f881d11baa57
    SHA1: d252dd4e364eef934494d02e647d2bc80cc456b7
    SHA256: ceaaea60f5b63a14b151c43461a18071bed8e486c01221d302a4b277531c72d2
    SHA512: d02d23c44b7f96eb0db4d4573976567d17c489103980700c05f37050cf5c85d332089ef85e9ae5b268f100095cdfb9c27e3fca26388cbdcdd0d1f3c68f25641c
  File 2
    Filesize: 48KB
    MD5: 0712481ec7be68e2f67672b911aebf23
    SHA1: 527ceb23db13a4e84b5f27a850116bb1421981dd
    SHA256: 6a26dc7c12eddcdc36e00ca1633eb4f231a433deee4f574122c51690f28a3e67
    SHA512: bce33d4a59624ccee236df8b3ff061bd58377dee284e44849471e7afdd9baf7845a91dc9701647ce9290ea13c3f18ca2bda780dce646a28b3c1436ad78d248cd