asyncrat | e86ff967ff444d50d892200880556b56a66262b4a0fe2a22dee45127d3df6a7f

General

Target

3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Size

997KB
MD5

3fcf99f1e0d9dc0a7286728d20bc7580
SHA1

c4bee57583397289f759e7262b6e0ab9eb4d3129
SHA256

e86ff967ff444d50d892200880556b56a66262b4a0fe2a22dee45127d3df6a7f
SHA512

afbbe4cba3fd8b92d9223d69c05665dfad3df0251c691b33372ec4b3759af565ab6ddb1cbbeccf2124ecb072a4ba32a820dad7867a271f7b14892d65b9929978
SSDEEP

12288:IdJTcoZzrQlJ88LdyODyoOwpghwS72CJ5ZDlN7k:IdJxzr8685y49327ZpN7k

Score

10^/10

asyncrat zgrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4884-0-0x0000000000DF0000-0x0000000000EEE000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000500000002296b-17.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000500000002296b-17.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	AnyDesk60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2408	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2604	timeout.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E\1 = "238156161186008171033027102243037020090194102007"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}\5824905E\2 = "159021122206117200165108097018043012143072010113"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E\0 = "238156161186008171033027102243037020090194102007"	AnyDesk60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E\1 = "238156161186008171033027102243037020090194102007"	AnyDesk60.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{B1159E65-821C3-21C5-CE21-34A484D54444}\5824905E	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{B1159E65-821C3-21C5-CE21-34A484D54444}\5824905E\0 = "238156161186008171033027102243037020090194102007"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{B1159E65-821C3-21C5-CE21-34A484D54444}\5824905E\1 = "238156161186008171033027102243037020090194102007"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{B1159E65-821C3-21C5-CE21-34A484D54444}\5824905E\3 = "246087206208176072158153005148068255072109058117"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E\3 = "246087206208176072158153005148068255072109058117"	AnyDesk60.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571}\5824905E	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}\5824905E	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571}\5824905E\2 = "238156161186008171033027102243037020090194102007"	AnyDesk60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}\5824905E\2 = "184247108017042164043138105196050007165060111131"	AnyDesk60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571}\5824905E\2 = "238156161186008171033027102243037020090194102007"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E\0 = "238156161186008171033027102243037020090194102007"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571}	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{B1159E65-821C3-21C5-CE21-34A484D54444}	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CID\{6BD7C179}\5824905E\3 = "246087206208176072158153005148068255072109058117"	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
1620	AnyDesk60.exe
1620	AnyDesk60.exe
1620	AnyDesk60.exe
1620	AnyDesk60.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
Token: SeDebugPrivilege	1620	AnyDesk60.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 5292	4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe	91
PID 4884 wrote to memory of 5292	4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe	91
PID 4884 wrote to memory of 4348	4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe	93
PID 4884 wrote to memory of 4348	4884	3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe	93
PID 4348 wrote to memory of 2604	4348	cmd.exe	95
PID 4348 wrote to memory of 2604	4348	cmd.exe	95
PID 5292 wrote to memory of 2408	5292	cmd.exe	96
PID 5292 wrote to memory of 2408	5292	cmd.exe	96
PID 4348 wrote to memory of 1620	4348	cmd.exe	98
PID 4348 wrote to memory of 1620	4348	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3fcf99f1e0d9dc0a7286728d20bc7580_NEIKI.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AnyDesk60" /tr '"C:\Users\Admin\AppData\Roaming\AnyDesk60.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5292
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "AnyDesk60" /tr '"C:\Users\Admin\AppData\Roaming\AnyDesk60.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5275.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2604
- - C:\Users\Admin\AppData\Roaming\AnyDesk60.exe
    "C:\Users\Admin\AppData\Roaming\AnyDesk60.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Isolated Storage\5824905E\44538E74

Filesize
112B

MD5
91c85adf5883009f0171e62e56f4222c

SHA1
aae28c6a8fd23f1bc96ce288eef34e47fa47c220

SHA256
4cfea7eca82a2585aad6d4eecf60821f3b2edb6a94ff225a0ca66657389f4c46

SHA512
bb6f339eab5cecdae728f06c7d31d7551ee71ea747d91fef211df2a1d3a96b495d6aa9f8c46bad50a0bb646c4e52071401ae49be1ba0d6e2837ec7b1a2e99d7f

Download Submit
C:\ProgramData\Isolated Storage\5824905E\59FD041E

Filesize
320B

MD5
0f944a8bd80c6ffe20a648408388f76e

SHA1
8c493f5c99e9be2e32e7eef0d1d3beb4d524f104

SHA256
bff71c4689ea73c1a229428d9a7e10d15c755d64f58e8fa00fc7806086cda9c2

SHA512
ffe435668bd0af411021bc0055b7893542dbc42845264ef7a1bec70a8009734f90ed9a274e3fca7b37bda27a2d166c7451c3f0f67c181e5898c3111dd013e165

Download Submit
C:\ProgramData\Isolated Storage\5824905E\90424E7E

Filesize
112B

MD5
43358f4a1b59c42d34e80730be18ddf6

SHA1
3d58451bee0190597154740928eadb61245a71ac

SHA256
e831f042b10f3712843ff91e339f63c83630bf73b88c840d905f1f165ad0129a

SHA512
7913a895bbe202e60015f32851ff312d178d2a4d267d94aecd4b5ec26eb3e59e6396f36269d682352c3a265ae8cd12a55ca5d73c0435b23ac3f7519d93f407a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5275.tmp.bat

Filesize
153B

MD5
f6a6e7dfb661f6e02fdf43c170c4b5f8

SHA1
c0440dce57ceb27ee6314ed232ff4906a994c329

SHA256
21517b78213544bdb6261dcd2bbed9def51ccf6f79fd718737385f8e8ca87c03

SHA512
6ee600128d6ac3a3099d09f43796749456da2df6eb218757f2d2a7df0271046021e19098e74fe513e7338ba0605fe4abaed14d55d0d96433fd96b0d147c3474f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk60.exe

Filesize
997KB

MD5
3fcf99f1e0d9dc0a7286728d20bc7580

SHA1
c4bee57583397289f759e7262b6e0ab9eb4d3129

SHA256
e86ff967ff444d50d892200880556b56a66262b4a0fe2a22dee45127d3df6a7f

SHA512
afbbe4cba3fd8b92d9223d69c05665dfad3df0251c691b33372ec4b3759af565ab6ddb1cbbeccf2124ecb072a4ba32a820dad7867a271f7b14892d65b9929978

Download Submit
memory/4884-3-0x0000000003270000-0x000000000327A000-memory.dmp

Filesize
40KB

Download
memory/4884-13-0x000000001BEB0000-0x000000001C059000-memory.dmp

Filesize
1.7MB

Download
memory/4884-14-0x00007FFF334F0000-0x00007FFF33FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-5-0x00007FFF334F0000-0x00007FFF33FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-4-0x00007FFF334F0000-0x00007FFF33FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-0-0x0000000000DF0000-0x0000000000EEE000-memory.dmp

Filesize
1016KB

Download
memory/4884-2-0x00007FFF334F0000-0x00007FFF33FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-1-0x00007FFF334F3000-0x00007FFF334F5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads