asyncrat | 8e746957ef98a98e2256e7816fce3aaf25aad3411dc4743de943bc55285079e7

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe
Size

1.5MB
MD5

72238a6294d8fef681a753d016d3af66
SHA1

9319816cff4c484238d521fa52c52c41491bfd99
SHA256

5bf3776166740f64879e1071a54267e70c53bd72856f74f71a1e5c8e72138446
SHA512

03370c451b2159eb1cbfd995d4a9d98eacd3b178d22b31b2972e9287350b5a2b40c689438d4a258434c1e8a865612401636db7a2ef41982b1253fbd9905a8f00
SSDEEP

24576:S4tIRuKO8VB4ZWR4wkEQV7DGsIKa26u41K/HqOdvn4WzJWjuj5L:SyB8syrRCqWL6psHqOB4Wze25

Score

10^/10

asyncrat googlee discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

GOOGLEE

googlee.con-ip.com:6606

Mutex

uuooxuxbnkywum

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cjsickefd = "C:\\Users\\Admin\\AppData\\Roaming\\Cjsickefd.exe"	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2796	timeout.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe
Token: SeDebugPrivilege	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe
Token: SeDebugPrivilege	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 868	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	84
PID 428 wrote to memory of 868	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	84
PID 428 wrote to memory of 868	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	84
PID 868 wrote to memory of 2796	868	cmd.exe	86
PID 868 wrote to memory of 2796	868	cmd.exe	86
PID 868 wrote to memory of 2796	868	cmd.exe	86
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102
PID 428 wrote to memory of 4428	428	DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe	102

C:\Users\Admin\AppData\Local\Temp\DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe
"C:\Users\Admin\AppData\Local\Temp\DOCMANGLOEUDHDKFI192461285901459370142836954352649435465765.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c timeout 21 & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\timeout.exe
    timeout 21
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/428-1-0x0000000000E90000-0x000000000100C000-memory.dmp

Filesize
1.5MB

Download
memory/428-2-0x0000000005BE0000-0x0000000005D74000-memory.dmp

Filesize
1.6MB

Download
memory/428-3-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-4-0x0000000005D70000-0x0000000005E38000-memory.dmp

Filesize
800KB

Download
memory/428-5-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/428-7-0x00000000065E0000-0x00000000066BA000-memory.dmp

Filesize
872KB

Download
memory/428-6-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-21-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-11-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-19-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-17-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-62-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-70-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-68-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-66-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-64-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-60-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-58-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-56-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-54-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-53-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-50-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-48-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-46-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-44-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-42-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-40-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-38-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-36-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-35-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-33-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-31-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-15-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-13-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-29-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-27-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-25-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-23-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-9-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-8-0x00000000065E0000-0x00000000066B4000-memory.dmp

Filesize
848KB

Download
memory/428-1043-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1044-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1045-0x0000000006820000-0x000000000687C000-memory.dmp

Filesize
368KB

Download
memory/428-1046-0x0000000006880000-0x00000000068CC000-memory.dmp

Filesize
304KB

Download
memory/428-1047-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1048-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1049-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1050-0x0000000007D10000-0x00000000082B4000-memory.dmp

Filesize
5.6MB

Download
memory/428-1053-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1052-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/428-1051-0x0000000005B20000-0x0000000005B74000-memory.dmp

Filesize
336KB

Download
memory/428-1058-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-1057-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4428-1059-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-1060-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-1061-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads