asyncrat | be964bd01ae7ce65229159b675bf64c3e5fe02ad2034b7d9904b905fd51903ac

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e6725d654ad07c4b624189f4ad3f940N.exe
Size

63KB
MD5

1e6725d654ad07c4b624189f4ad3f940
SHA1

729dcee88e1c74c2fa4508ff5d97774daf555b30
SHA256

be964bd01ae7ce65229159b675bf64c3e5fe02ad2034b7d9904b905fd51903ac
SHA512

8fad99354fee9e201a847bd96a175561f12a1792c873afaa464991caea6591ecae24abb93349d1369f4bea60b389016d3ce4a8014b58caf8e330da9f71d54d35
SSDEEP

768:ijSu/n3jzh78J4C8A+XTSazcBRL5JTk1+T4KSBGHmDbD/ph0oXIT/gdMcSugdpqM:UrzV4dSJYUbdh9OmiugdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

complete-veterans.gl.at.ply.gg:6374

complete-veterans.gl.at.ply.gg:32986

Attributes

delay
1
install
true
install_file
nvidiaapp.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d00000001225f-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3032	nvidiaapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2632	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
2028	1e6725d654ad07c4b624189f4ad3f940N.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe
3032	nvidiaapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	1e6725d654ad07c4b624189f4ad3f940N.exe
Token: SeDebugPrivilege	3032	nvidiaapp.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2584	2028	1e6725d654ad07c4b624189f4ad3f940N.exe	31
PID 2028 wrote to memory of 2584	2028	1e6725d654ad07c4b624189f4ad3f940N.exe	31
PID 2028 wrote to memory of 2584	2028	1e6725d654ad07c4b624189f4ad3f940N.exe	31
PID 2028 wrote to memory of 1864	2028	1e6725d654ad07c4b624189f4ad3f940N.exe	33
PID 2028 wrote to memory of 1864	2028	1e6725d654ad07c4b624189f4ad3f940N.exe	33
PID 2028 wrote to memory of 1864	2028	1e6725d654ad07c4b624189f4ad3f940N.exe	33
PID 2584 wrote to memory of 2772	2584	cmd.exe	35
PID 2584 wrote to memory of 2772	2584	cmd.exe	35
PID 2584 wrote to memory of 2772	2584	cmd.exe	35
PID 1864 wrote to memory of 2632	1864	cmd.exe	36
PID 1864 wrote to memory of 2632	1864	cmd.exe	36
PID 1864 wrote to memory of 2632	1864	cmd.exe	36
PID 1864 wrote to memory of 3032	1864	cmd.exe	37
PID 1864 wrote to memory of 3032	1864	cmd.exe	37
PID 1864 wrote to memory of 3032	1864	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e6725d654ad07c4b624189f4ad3f940N.exe
"C:\Users\Admin\AppData\Local\Temp\1e6725d654ad07c4b624189f4ad3f940N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nvidiaapp" /tr '"C:\Users\Admin\AppData\Roaming\nvidiaapp.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "nvidiaapp" /tr '"C:\Users\Admin\AppData\Roaming\nvidiaapp.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2772
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp42CA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2632
- - C:\Users\Admin\AppData\Roaming\nvidiaapp.exe
    "C:\Users\Admin\AppData\Roaming\nvidiaapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp42CA.tmp.bat

Filesize
153B

MD5
3a5d6b02560ba546224e8809264362c2

SHA1
84f512e285c0dec83ee859eda482f93d0157fded

SHA256
29dea23fec3a337451aa740103cdfbfd943f9c3338911b531db73b7f8fbf0b6a

SHA512
7a33ce14c420951b02611f9e766347f4fde543924e2c9aa07345f2c9577c23134bbf0ea1cc9f3588b0507dde76010c9a7ceca1ea2029e74a2898af4e10cf7acb

Download Submit
C:\Users\Admin\AppData\Roaming\nvidiaapp.exe

Filesize
63KB

MD5
1e6725d654ad07c4b624189f4ad3f940

SHA1
729dcee88e1c74c2fa4508ff5d97774daf555b30

SHA256
be964bd01ae7ce65229159b675bf64c3e5fe02ad2034b7d9904b905fd51903ac

SHA512
8fad99354fee9e201a847bd96a175561f12a1792c873afaa464991caea6591ecae24abb93349d1369f4bea60b389016d3ce4a8014b58caf8e330da9f71d54d35

Download Submit
memory/2028-0-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x00000000012D0000-0x00000000012E6000-memory.dmp

Filesize
88KB

Download
memory/2028-2-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-3-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-13-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/3032-17-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download