asyncrat | 12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6

General

Target

12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe
Size

46KB
MD5

194de251c043183099b2d6f7f5d1e09f
SHA1

dc477dfc0e090e8d7bd31fb808f59060dd2cf360
SHA256

12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6
SHA512

6a1433b9bc070f18f60c3f115a1173e8979d211f6e97daf3fc7fe13f05ab15123874919418fc014fdd8af62c82426cb091b867b36a49fe7fc8fe929709b3a433
SSDEEP

768:fqZKAqubXIsg3uNkOicvHk3eHlWMPbPgF0qgkx5XKbukYI6OCm2tYcFmVc6KD:f/1uNXvZH0ub4FrgQwv6OrKmVclD

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex778899

Attributes

delay
5
install
true
install_file
audiodrvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects file containing reversed ASEP Autorun registry keys 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-1-0x0000000000C50000-0x0000000000C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/3016-16-0x0000000001300000-0x0000000001312000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Executes dropped EXE 1 IoCs

Processes:

audiodrvs.exe

pid process

3016 audiodrvs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3052 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2080 timeout.exe

pid	process
3016	audiodrvs.exe

pid	process
3052	schtasks.exe

pid	process
2080	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exeaudiodrvs.exe

pid	process
3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe
3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe
3016	audiodrvs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exeaudiodrvs.exe

description	pid	process
Token: SeDebugPrivilege	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe
Token: SeDebugPrivilege	3016	audiodrvs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.execmd.exe

description	pid	process	target process
PID 3004 wrote to memory of 3052	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe	schtasks.exe
PID 3004 wrote to memory of 3052	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe	schtasks.exe
PID 3004 wrote to memory of 3052	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe	schtasks.exe
PID 3004 wrote to memory of 2848	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe	cmd.exe
PID 3004 wrote to memory of 2848	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe	cmd.exe
PID 3004 wrote to memory of 2848	3004	12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe	cmd.exe
PID 2848 wrote to memory of 2080	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 2080	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 2080	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 3016	2848	cmd.exe	audiodrvs.exe
PID 2848 wrote to memory of 3016	2848	cmd.exe	audiodrvs.exe
PID 2848 wrote to memory of 3016	2848	cmd.exe	audiodrvs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe
"C:\Users\Admin\AppData\Local\Temp\12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrvs.exe"'
  2⤵
  - Creates scheduled task(s)
  PID:3052
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F39.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2080
- - C:\Users\Admin\AppData\Roaming\audiodrvs.exe
    "C:\Users\Admin\AppData\Roaming\audiodrvs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4F39.tmp.bat

Filesize
153B

MD5
668bfbad09097ac45b49956fc7d22455

SHA1
0e0f33ad711b2c9ee7f1fb1e0a1ba8866d3874dd

SHA256
bfc14f964c31453dc589efee6130463ff121a2b5f938d6d2c610cdf28b5cd7e5

SHA512
d418f2fd0656ae6c0651bfa7bec575dd16ba6936e7b575bc568b28fb12a6c9cf5889d8b3f0059365176bc2d94c45886db7749a0607dde490a8affee55bdf8c2f

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrvs.exe

Filesize
45.0MB

MD5
8c0c371048057d34d3fbfd44f82bfaff

SHA1
1127e3ac8556e981e5ec0e4f5587ce9a8a20c4c6

SHA256
e756eb11a39d95f3cd4e1dfcf3fb0a725a0e546e230b3714e4e79f8dcaec3ff1

SHA512
b857ee39ac097af51d2488e6afb9a2453153b49b6b4834d3f43db2fe9b5330e8edb226330ca1dc9b3369996d1d805164545c39412f7469de6fb3f6cf7f980672

Download Submit
memory/3004-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/3004-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/3004-12-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-16-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads