asyncrat | 829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 15:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ORDER-24603909AF.js
Size

8KB
MD5

8bc951c9580b40a1b7c6222613b97da4
SHA1

ffeed34cea7de42eb7b1262113ef3c753ae121c0
SHA256

a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d
SHA512

5b07d8c2ed5c1a6ea604dfac05a598756e5fa2dfe3db5d3e4219e3752bad176a1b5b8f1f29c7b44513e0939e16ee4d8388c31e6fd232e262a28fbfbf04023bc8
SSDEEP

48:1PueRvRbecveUMW9gdueHhUfJawYYueihb+EKpOFwSmvkuess9vGbFKpbbyh:Zz5FMYoBnmaLKpD+mZ

Score

10^/10

asyncrat execution rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 32 IoCs

rat

resource	yara_rule
behavioral2/memory/3644-29-0x0000000003350000-0x0000000003376000-memory.dmp	family_asyncrat
behavioral2/memory/3644-89-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-87-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-85-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-83-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-81-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-79-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-77-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-75-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-73-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-71-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-69-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-67-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-65-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-63-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-61-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-59-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-57-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-55-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-53-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-51-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-49-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-47-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-45-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-43-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-41-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-39-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-37-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-35-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-33-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-31-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat
behavioral2/memory/3644-30-0x0000000003350000-0x0000000003370000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1476	wscript.exe
10	1476	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	SGUDBQ.exe

Executes dropped EXE 4 IoCs

pid	Process
2984	SGUDBQ.exe
3644	SGUDBQ.exe
5472	audio.exe
5512	audio.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 3644	2984	SGUDBQ.exe	96
PID 5472 set thread context of 5512	5472	audio.exe	104

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5432	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5448	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe
3644	SGUDBQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	SGUDBQ.exe
Token: SeDebugPrivilege	5512	audio.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2984	1476	wscript.exe	95
PID 1476 wrote to memory of 2984	1476	wscript.exe	95
PID 1476 wrote to memory of 2984	1476	wscript.exe	95
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 2984 wrote to memory of 3644	2984	SGUDBQ.exe	96
PID 3644 wrote to memory of 5304	3644	SGUDBQ.exe	97
PID 3644 wrote to memory of 5304	3644	SGUDBQ.exe	97
PID 3644 wrote to memory of 5304	3644	SGUDBQ.exe	97
PID 3644 wrote to memory of 5320	3644	SGUDBQ.exe	98
PID 3644 wrote to memory of 5320	3644	SGUDBQ.exe	98
PID 3644 wrote to memory of 5320	3644	SGUDBQ.exe	98
PID 5304 wrote to memory of 5432	5304	cmd.exe	101
PID 5304 wrote to memory of 5432	5304	cmd.exe	101
PID 5304 wrote to memory of 5432	5304	cmd.exe	101
PID 5320 wrote to memory of 5448	5320	cmd.exe	102
PID 5320 wrote to memory of 5448	5320	cmd.exe	102
PID 5320 wrote to memory of 5448	5320	cmd.exe	102
PID 5320 wrote to memory of 5472	5320	cmd.exe	103
PID 5320 wrote to memory of 5472	5320	cmd.exe	103
PID 5320 wrote to memory of 5472	5320	cmd.exe	103
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104
PID 5472 wrote to memory of 5512	5472	audio.exe	104

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
  "C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
    "C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5304
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\audio.exe
        
        "C:\Users\Admin\AppData\Local\Temp\audio.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\audio.exe
        
        "C:\Users\Admin\AppData\Local\Temp\audio.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

Filesize
696KB

MD5
f672108901b809c33d38bb6801c9b273

SHA1
b5d45949ba7d38b92c20d31cfcae6d437dea8c18

SHA256
90e5d1dba754723f6b34acbc974c65467495605f197857569a7ff211aeffca7f

SHA512
6f0cae9ca529b197fd5464c6d929437fadfc5c6c36aee5fc7fce1425d5e94cd8a90573c486c339df79ca75b532ef21d9105981eb7650c652db1abc6401c73c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp.bat

Filesize
152B

MD5
bc82a9c545309dc557e04af4ab9c7b9d

SHA1
ff0419021fd7cc73733718b49115387dc3c8e9d5

SHA256
492a32a7219913efde46aaa36cf17098acb6ba582123990df3ba1602df144840

SHA512
85aaa23d3eca39823a838247cf2111e003934aad97fca60a7eba820b0efa018694df791f0109b8a81577e9adb0a1c27836d44b18e3df2864102087823d1cadaf

Download Submit
memory/2984-15-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2984-16-0x00000000009D0000-0x0000000000A86000-memory.dmp

Filesize
728KB

Download
memory/2984-17-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/2984-18-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/2984-19-0x00000000053F0000-0x0000000005404000-memory.dmp

Filesize
80KB

Download
memory/2984-20-0x0000000005410000-0x0000000005418000-memory.dmp

Filesize
32KB

Download
memory/2984-25-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2984-676-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2984-675-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/3644-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-28-0x00000000032A0000-0x00000000032C8000-memory.dmp

Filesize
160KB

Download
memory/3644-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-27-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/3644-29-0x0000000003350000-0x0000000003376000-memory.dmp

Filesize
152KB

Download
memory/3644-294-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3644-89-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-87-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-85-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-83-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-81-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-79-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-77-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-75-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-73-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-71-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-69-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-67-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-65-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-63-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-61-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-59-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-57-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-55-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-53-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-51-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-49-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-47-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-45-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-43-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-41-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-39-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-37-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-35-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-33-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-31-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-30-0x0000000003350000-0x0000000003370000-memory.dmp

Filesize
128KB

Download
memory/3644-345-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3644-346-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3644-347-0x0000000005A40000-0x0000000005ADC000-memory.dmp

Filesize
624KB

Download
memory/3644-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-353-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download