asyncrat | 147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974

Analysis

max time kernel
144s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d3f68d31efc5fc456850af228427c25.msi
Size

1.5MB
MD5

6d3f68d31efc5fc456850af228427c25
SHA1

487fcaaab61ce4e76d6a1e2568cf3602a5f6632b
SHA256

147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974
SHA512

e1c26181065ad69078e281154f741d318ceec9d412c030a89397e6d27ff89c224ed7f106b68892f41309264830e48255ff114369985206efe9c5311f8725df3d
SSDEEP

24576:kt9cpVDhOXLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqF6:jpRhOXLcJyEq9GRhvVqtV01Mq7kctDAo

Score

10^/10

asyncrat mafiaexe discovery rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

mafiaexe

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

twinks234.duckdns.org:6606

twinks234.duckdns.org:7707

twinks234.duckdns.org:8808

Mutex

mafiaEXE

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000023409-66.dat	family_asyncrat

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2344	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6477.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e5763ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5763ab.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BE13E8ED-EE1E-41EA-93EE-21B2B781511E}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1044	mafiachroom.exe

Loads dropped DLL 1 IoCs

pid	Process
4764	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003013bddf4a62308e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003013bddf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003013bddf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3013bddf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003013bddf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	msiexec.exe
1752	msiexec.exe
1044	mafiachroom.exe
1044	mafiachroom.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3016	msiexec.exe
Token: SeLockMemoryPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeMachineAccountPrivilege	3016	msiexec.exe
Token: SeTcbPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeLoadDriverPrivilege	3016	msiexec.exe
Token: SeSystemProfilePrivilege	3016	msiexec.exe
Token: SeSystemtimePrivilege	3016	msiexec.exe
Token: SeProfSingleProcessPrivilege	3016	msiexec.exe
Token: SeIncBasePriorityPrivilege	3016	msiexec.exe
Token: SeCreatePagefilePrivilege	3016	msiexec.exe
Token: SeCreatePermanentPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeDebugPrivilege	3016	msiexec.exe
Token: SeAuditPrivilege	3016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3016	msiexec.exe
Token: SeChangeNotifyPrivilege	3016	msiexec.exe
Token: SeRemoteShutdownPrivilege	3016	msiexec.exe
Token: SeUndockPrivilege	3016	msiexec.exe
Token: SeSyncAgentPrivilege	3016	msiexec.exe
Token: SeEnableDelegationPrivilege	3016	msiexec.exe
Token: SeManageVolumePrivilege	3016	msiexec.exe
Token: SeImpersonatePrivilege	3016	msiexec.exe
Token: SeCreateGlobalPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	672	vssvc.exe
Token: SeRestorePrivilege	672	vssvc.exe
Token: SeAuditPrivilege	672	vssvc.exe
Token: SeBackupPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeDebugPrivilege	1044	mafiachroom.exe
Token: SeBackupPrivilege	4192	srtasks.exe
Token: SeRestorePrivilege	4192	srtasks.exe
Token: SeSecurityPrivilege	4192	srtasks.exe
Token: SeTakeOwnershipPrivilege	4192	srtasks.exe
Token: SeBackupPrivilege	4192	srtasks.exe
Token: SeRestorePrivilege	4192	srtasks.exe
Token: SeSecurityPrivilege	4192	srtasks.exe
Token: SeTakeOwnershipPrivilege	4192	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1044	mafiachroom.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4192	1752	msiexec.exe	105
PID 1752 wrote to memory of 4192	1752	msiexec.exe	105
PID 1752 wrote to memory of 4764	1752	msiexec.exe	107
PID 1752 wrote to memory of 4764	1752	msiexec.exe	107
PID 1752 wrote to memory of 4764	1752	msiexec.exe	107
PID 4764 wrote to memory of 2344	4764	MsiExec.exe	108
PID 4764 wrote to memory of 2344	4764	MsiExec.exe	108
PID 4764 wrote to memory of 2344	4764	MsiExec.exe	108
PID 4764 wrote to memory of 4588	4764	MsiExec.exe	110
PID 4764 wrote to memory of 4588	4764	MsiExec.exe	110
PID 4764 wrote to memory of 4588	4764	MsiExec.exe	110
PID 4764 wrote to memory of 1044	4764	MsiExec.exe	112
PID 4764 wrote to memory of 1044	4764	MsiExec.exe	112
PID 4764 wrote to memory of 1044	4764	MsiExec.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d3f68d31efc5fc456850af228427c25.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 66E6A536B3DA32E3664290BB2C0D6F45
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2344
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files.cab

Filesize
1.2MB

MD5
d4e7f05d7f6a7dc75f468dbcaa9f437f

SHA1
f377284434b0200c6ebeba730dfcddaff7f2de13

SHA256
943ef4c71d53ef383ee9591d460799c7e503e493c26abdd6ded50eb82f2dd47f

SHA512
9f8d960ee4367f388a0717b9a3991682a900f13db547dd51242a6c1686a2d9badbb94446db36700116c0c7753daacc7fb43ec35c09e94bc462e74c36e2b86bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe

Filesize
1.2MB

MD5
6e7ebd37b6095cb1a2f3ffa9d5598c81

SHA1
d4d0cfa65f6dd224af16ff81a29abdf6ab0eab69

SHA256
1cf774a50175eb7321b1366c585ccfc68bdf0916d8e78edf1fe24e079209eb9e

SHA512
f23d689393db2f8292018d8b303992b19dd8b9cfd4f226a84ddd70d30ec2d89083e9b1418d5f82e04a1a81d9014387e0450747b99a02fc32e094c987cc2c782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\msiwrapper.ini

Filesize
1KB

MD5
9a41d4f44ca69fe6799dfbb66a49f932

SHA1
8c11180c25a464ac86e8622d2f5aa0bf3eb7fe21

SHA256
ef187294353af2ac211597aaf9225fb7990cd7afa6e1e2ce1accde89935fd3bc

SHA512
e108c7b56f677ba0dc639f6f5af1ae7d507ce21b608a8f81eac21f4113297061036f1acc5ab1b6f387c869b349e5ca452f123f0612355747b4cc44c5f4801077

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\msiwrapper.ini

Filesize
1KB

MD5
97719f6eae7e7e6d8e1fe8970f65a935

SHA1
65611f13bb89873c295e44f21a9e3ef96d5d46df

SHA256
ed2e0cca8483413fe62b9865895de3cbbc330897fd493be7d719f0b6c05550c1

SHA512
c0c8c210871eac6f37899962efe33d2c06b90b6c4dac83b19567c524682755fcbf45c4b9d69c8cd8fc471fbd42aef15f2ddef4dbe2d0ba2ebc0c939016ffde67

Download Submit
C:\Windows\Installer\MSI6477.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
d5cc1fbd277d0442b7c322a6163f3a20

SHA1
8631ab4015c797f9f32495774ced4e9de972de77

SHA256
89d04688afba0d435f75722924c520f0b2d96f5b65b6c0cef5f7c18af222832a

SHA512
16ca6e654162c8c0c9a86e7e3daa3a05daa10033496edd92e3e2e6a833f0f2266125ed58e649b9fe433c64daed3f7fbd1c0b390fba56e617d7ff3c9b97887c64

Download Submit
\??\Volume{dfbd1330-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1b0eb991-4623-4181-a4c4-75c9188477e4}_OnDiskSnapshotProp

Filesize
6KB

MD5
d20ad38dc8fbdf573f15cdbf0a6009c2

SHA1
f34847db86058ec3a5df6f6f6a576c3cd1c9ea15

SHA256
10dc4645acda1f1018f15b92e530fe49bcb386029ac0552ea4dec8c8877f6be4

SHA512
57da5ef2cc0498f1b58bf4c73ffee931cb66c539b8e2a97ba40cdf82754da28e03ec7a2c32cbe9b770e749308e1e96ef39f3253424615b1a483c00245e559b82

Download Submit
memory/1044-68-0x0000000000880000-0x00000000009C0000-memory.dmp

Filesize
1.2MB

Download
memory/1044-71-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/1044-72-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/1044-73-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/1044-70-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1044-69-0x00000000726A0000-0x0000000072E50000-memory.dmp

Filesize
7.7MB

Download
memory/1044-76-0x00000000726A0000-0x0000000072E50000-memory.dmp

Filesize
7.7MB

Download
memory/1044-77-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download