Malware Analysis Report

2024-08-06 13:14

Sample ID: 240614-t5gsdsycpd
Target: AsyncClient.exe
SHA256: fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e
Tags: rat default asyncrat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e

Threat Level: Known bad

The file AsyncClient.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Asyncrat family

AsyncRat

Async RAT payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 16:38

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 16:38
Reported: 2024-06-14 16:40
Platform: win7-20240508-en
Max time kernel: 126s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A (3 occurrences)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (40 occurrences)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A (9 occurrences)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (50 occurrences)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A (8 occurrences)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (49 occurrences)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe (4 occurrences)
PID 2244 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe (4 occurrences)
PID 2232 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (4 occurrences)
PID 2764 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (4 occurrences)
PID 2764 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe (7 occurrences)

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E60.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft.exe

"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PushLimit.wav"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
N/A 127.0.0.1:6606 N/A tcp (5 connections)
N/A 127.0.0.1:8808 N/A tcp (5 connections)
N/A 127.0.0.1:9198 N/A tcp (9 connections)

Files

memory/2244-0-0x000000007448E000-0x000000007448F000-memory.dmp

memory/2244-1-0x0000000000320000-0x0000000000332000-memory.dmp

memory/2244-2-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2E60.tmp.bat

MD5 13ecb43d6a910437097fb4c650db89cc
SHA1 0d0bcfc0bd20537dc31dfdaf54980b2e39b4d02b
SHA256 b9eec07906e3c4e5428afe960f39b47f05365b75b0d5f48e0489a4b8d91f9ebc
SHA512 3a2c49b27bea97760c4d82d228f5bb155cafb7a585b9e7564daf43bf4de65b59e799086bf669a34db8862cd38165c2b0eaebb83210f352452879c819194a7dc8

memory/2244-11-0x0000000074480000-0x0000000074B6E000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 0cd7314d619f1b8a92c579224f73e9ae
SHA1 56f4e51d6d6fcd8ca418c957dd5a2436e1718761
SHA256 fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e
SHA512 53d47d3b25d12f245742af999e9f442e5711740371b8ad995573410ad45c6916cbad298f54dc740c24632425bb9fdde84a73e12c34ed9236f8e6b82d0e310444

memory/2704-16-0x00000000013D0000-0x00000000013E2000-memory.dmp

C:\Users\Public\Desktop\Firefox.lnk

MD5 e7b67d9f038814dc05038c080813d062
SHA1 63941644de7e0647db76bc52803d67e7834cf553
SHA256 91cf63659cfd851cfca2cb201d697753aa36560063793cea70792c6eb871849b
SHA512 2f7c667a0c20cc3a43e40e707aca35f97e2fa2d843978e00652014888698bed6bdb739b2d0c2804234abfe75fca9a1f9e4498da0b339b979457f0e6063fc90d0

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 826aba2260a3c6c9bc25c0dfe165d2a6
SHA1 97b10d41f3dc81a69d4ba6c13ece6a13343c9e28
SHA256 55a664638a13ed86f4983ab3cdffe3ca64f3dd51db8c3d1f34af7048f11ebc33
SHA512 d8da39eed87b10e21040c8e51052d811b66e19c221f950a458a54bcc31b6553904357c2c20bc25e16224056087906e8b6500c95b32b9bd6f5c7189c7fd47efc1

C:\Users\Public\Desktop\VLC media player.lnk

MD5 208eaaaa5fb5269bda3347a820b7b973
SHA1 f9ce85269570ee22d77fce2b69b90a50dec0a143
SHA256 bb7c897575d45255208e1912a3764a553af5add012630569477cfed88509ca92
SHA512 b67fce2839350a3a3c5e3ab78818400a33b68076112024fdda671ebe52253c141c1f6c684b2df722b45b1c648093898f204df3aad490a32c23a315e1536877c2

C:\Users\Admin\Desktop\ConfirmEnable.au

MD5 9147381f88ec5e65fa21964e04324446
SHA1 72480abf831082f75847706de6c7069a3b3de002
SHA256 3147cd13706b179db2a279d139d86752de85e754772c9c0390d9e51f14704c6c
SHA512 d6f509982b3f9c0d5d6a300993a5fe5cf5af3ff7027293f3d29d2f2d0b7b47989263b0a8b45ce46a3d5265c5db9d1476463982140afb631c49a028c4f63a64d9

C:\Users\Admin\Desktop\ConfirmMerge.fon

MD5 d4e65b8b9f951018b6e15f31f6c4e0dc
SHA1 07ebe7942ab777810bb94009c38fb4c23cf7bed9
SHA256 3b6fcfe39147f19bbdaaca61f630c2f259c34387507fc703fd24b7350ad9cd49
SHA512 5edd01663829db4c20e9a63451fc9913900c54b3ac41b5ab9f06588550ece16db4f4b181738005ba82d27eb523f3ab61f7459cb6b55374627b0976aa4d6d2c28

C:\Users\Admin\Desktop\EnterUnblock.bat

MD5 95dbe888e1342497fe2597115564a192
SHA1 7f7561a0bf3aa5fe814955f3690b25c887024a79
SHA256 4a3a60fc7fb66e4bedadd8158ea5eea6f1a8e1f078a0a3ac6e6cf92d2c8cadcf
SHA512 fd5fc922d56cc7b6b693b46efa3d5021439f7b9b700274aa1f33e0048992ab372024f453df129dc1be740fd7a7bc1ad956e74ce3e14b87a31ab8f3602c1e3168

C:\Users\Admin\Desktop\GroupLimit.contact

MD5 5aa6c4a1fef55b9b04d476a960f0c439
SHA1 cf14f8545d9d9718f91887a81539d7d595f488cb
SHA256 4d8950896ce9cf96f30b999b4f6e47b3b4d5757c7d72cad2a75dae65e41540fc
SHA512 05ab3fc1349cb4a179eb1d0dc4219d2832dbb036cffd0bb48ae4e97a9059b2ee8d3ea36d695d9778525a6a92dd6c6e7b5d9d57b6f176f8800e1affa7076e2c6a

C:\Users\Admin\Desktop\InstallDisconnect.mid

MD5 237c2d4424ace568ffb0534d55c9becd
SHA1 df319b7d5c7fe9fa66c3fbe07927d3b83874357c
SHA256 6d4b3ad34cf196e7ac06d801804551abb13c991e6df42ae4453040952c0300db
SHA512 dc640d27b15cf64d46e1cf3d389d21994aa69b9a13f075055e1201fc9332018457756b2c9df6210b06f3957443e907888903d9023fa75b604f4f77eb5bd9fed9

C:\Users\Admin\Desktop\LimitReceive.csv

MD5 30883429172e7382c546884fd8273be8
SHA1 2aae2fb0491bed852cd1714409b3debee8de6c9d
SHA256 7e554d14a7fad18af08f7a483148028af317eb0bb031cdf9989834282b26a739
SHA512 7688be0395d7df0e6c6fa1d4fecc63425f94f2e2774216b0f28aa697ab5e6002db56c9c7442d7fff88d7a4e001235b95ea743210edc9f7093fbbc261601bf8d0

C:\Users\Admin\Desktop\ResetRegister.dll

MD5 538369498848e0a9125abbb65bfbbfaf
SHA1 ac103d612977466f2f748e7a10c4724b51d59cb6
SHA256 7b0398b5e759265ab2e995d8e3e4cb9fbeddd1ccc7f90da2a47ceab861bc9bf8
SHA512 1b9bef13f8c574049e20ab5fb59e13c6f431a6900cb0a41fef4d119e0d14e8232424857017216271b0c93f69a139de1db6fd86bab8e2deac939fff93032fdb50

C:\Users\Admin\Desktop\SelectJoin.sys

MD5 9abd04cacd1ec6cbe7bfa67a60fe9576
SHA1 9490ff28e154cc18632504e8d3af54a93d491838
SHA256 9332f126beccc7adf005debd60f5c91c2f52065dd8444dc73a848f6d4271a2ac
SHA512 43f8da28e13322d718db4e9136b03d7e817a6eca964751bdef3688f1dabc000de8da3ac626bd444b221ff8ffffae522e21d4b626129d0276858485acb3507795

C:\Users\Admin\Desktop\StepCompare.search-ms

MD5 17e6cecfec3da0c56e5948f5ed9fd32d
SHA1 77f92833f657c49efc5a730f6cecfffcd3489495
SHA256 29a913d32402e65d091e1e7b8575c88e1e9dda6ef31956391da0626afc44b824
SHA512 d64a35e4aadb6d36220a5dbf9c013e9e16882d332c2301ce87a4b6efb3d6ff9cc4314df86f7f7cd5aa5552b48c4c3d275d1f44248cf25a73682a0d2d30e1414c

C:\Users\Admin\Desktop\UseHide.7z

MD5 fa4f9c51fa8131a02c51dfca7c4e0721
SHA1 301df0ccb26358c3d5786469c08fcc4403007915
SHA256 c2fe08df172ba5ba5d79abec1e957a09c624c5895ebe0b6c028ca22afb9d4d6f
SHA512 2f263682f3c15cf0abdc121ccdaefac69eb4aa29e3948f05dc72facc036ff224f34a2c4a5b10e1a112dd0dff6e3c3d429e5720f6d06672144a1707a43d504b39

C:\Users\Admin\Desktop\WaitSwitch.M2T

MD5 3f68c2a10bd0fec9377e617606cbaf7d
SHA1 fc0b6a9de67a8fb3c14b56b176f8ca97524d34ce
SHA256 df0db47930ca5df5e6c25abf6fe8ec02ce93c2c8f2f3999a8adfe71c941229fb
SHA512 efc9c67ac8d53be263cbfce96b5024cc8ea2ec3699bfc12dddeed5622f59d01929d8365cfbd45cba0f10bc49389275b89927ccd4814ee713704cb72622bceacf

C:\Users\Admin\Desktop\UpdateStop.rtf

MD5 6baf071ef90197718a4d4bf33e3bf78f
SHA1 2c517246c14c3669fdcc05144a2a63908085e341
SHA256 544c201c21d7683f881f2daba728064bc7b66b932d0117a5064d75e221c68ea8
SHA512 69e180f56907f1d232b7517721408a24ac643ff24f5607a8dc1057076472c4ac5c7d90c95289719508ca4a183d3089c8dde4b7c98cbe473421b9b80491121177

memory/1620-50-0x000007FEF5190000-0x000007FEF51C4000-memory.dmp

memory/1620-49-0x000000013F580000-0x000000013F678000-memory.dmp

memory/1620-51-0x000007FEF4ED0000-0x000007FEF5186000-memory.dmp

memory/1620-52-0x000007FEF3B80000-0x000007FEF4C30000-memory.dmp

memory/2816-53-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2816-54-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 16:38
Reported: 2024-06-14 16:40
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe (3 occurrences)
PID 2968 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe (3 occurrences)
PID 1176 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (3 occurrences)
PID 4788 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (3 occurrences)
PID 4788 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe (3 occurrences)

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft.exe

"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:6606 N/A tcp (5 connections)
N/A 127.0.0.1:8808 N/A tcp (5 connections)
N/A 127.0.0.1:9198 N/A tcp (10 connections)

Files

memory/2968-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/2968-1-0x0000000000F40000-0x0000000000F52000-memory.dmp

memory/2968-2-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2968-3-0x0000000005830000-0x0000000005896000-memory.dmp

memory/2968-4-0x0000000005C90000-0x0000000005D2C000-memory.dmp

memory/2968-9-0x00000000749F0000-0x00000000751A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp.bat

MD5 b29522be372ba08eb6911068b6932077
SHA1 c2785a843b174307d61f47b919e66baf8d8012e2
SHA256 d6ac997b6f57e8ff9d99755db646701b740e4a47eff1f051c80800af5ed9afc3
SHA512 cc0e9332aa597b17562fa46572c21a12b5f91e9f7467f6d599c3cccf60bba75e72285480ce0520f58645c52d2c6816af30b74e4e32d31c8834cd82ea47af3941

C:\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 0cd7314d619f1b8a92c579224f73e9ae
SHA1 56f4e51d6d6fcd8ca418c957dd5a2436e1718761
SHA256 fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e
SHA512 53d47d3b25d12f245742af999e9f442e5711740371b8ad995573410ad45c6916cbad298f54dc740c24632425bb9fdde84a73e12c34ed9236f8e6b82d0e310444

memory/2464-14-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/2464-15-0x0000000074940000-0x00000000750F0000-memory.dmp