asyncrat | 73cd0a128abf1c8d63ec550c4eef392bef06afc13867cd08fd1150157f2022af

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe
Size

5.5MB
MD5

9236138b3e06a43e09af78ebe2471930
SHA1

f8c11efa85dfdd424fb7f906ec5795ac07cfd8a2
SHA256

73cd0a128abf1c8d63ec550c4eef392bef06afc13867cd08fd1150157f2022af
SHA512

54d6f5d64bbe183188603c2faca3778b6abfd17573d861774e51bb56464773de5465aed26e947e4fa3360a76348ba5ea3703da5b146917700a9c4ece3ed79da4
SSDEEP

98304:GAsBbQ2H/oEMjghbO76uAqrngBNXsH7zMdDwPgQcM3qn8V/cwduNJKf+tLNTVGa:wRf/JTNXsH7z0DwPgdvwduGf67Ga

Score

10^/10

asyncrat risepro default persistence rat stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

94.232.249.90:8848

Mutex

kalhf_nkjadhfjk333jvn

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmokerLtd = "C:\\Users\\Admin\\Documents\\TuktukUpdater\\updater.exe"	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe

description pid process target process

PID 2480 set thread context of 4044 2480 9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe csc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4056 2480 WerFault.exe 9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csc.exe

description pid process

Token: SeDebugPrivilege 4044 csc.exe

description	pid	process	target process
PID 2480 set thread context of 4044	2480	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe	csc.exe

pid	pid_target	process	target process
4056	2480	WerFault.exe	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	4044	csc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe

description	pid	process	target process
PID 2480 wrote to memory of 4044	2480	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe	csc.exe
PID 2480 wrote to memory of 4044	2480	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe	csc.exe
PID 2480 wrote to memory of 4044	2480	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe	csc.exe
PID 2480 wrote to memory of 4044	2480	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe	csc.exe
PID 2480 wrote to memory of 4044	2480	9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9236138b3e06a43e09af78ebe2471930_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 140
  2⤵
  - Program crash
  PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2480 -ip 2480
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-13-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/2480-1-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/2480-2-0x0000000000408000-0x0000000000421000-memory.dmp

Filesize
100KB

Download
memory/2480-3-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/2480-0-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/2480-14-0x0000000000408000-0x0000000000421000-memory.dmp

Filesize
100KB

Download
memory/4044-4-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/4044-9-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/4044-10-0x0000000006100000-0x00000000066A4000-memory.dmp

Filesize
5.6MB

Download
memory/4044-11-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4044-12-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4044-6-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4044-5-0x000000007438E000-0x000000007438F000-memory.dmp

Filesize
4KB

Download
memory/4044-15-0x000000007438E000-0x000000007438F000-memory.dmp

Filesize
4KB

Download
memory/4044-16-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4044-17-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download