asyncrat | ffe2d2e6b930f0b8f752d2a478d77cfbf9467006d294474fe33970a8c529b75a

Analysis

max time kernel
379s
max time network
403s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
31/07/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost23.exe
Size

63KB
MD5

5f00c912f2ac12df8525a30afb8f776e
SHA1

516af350678a65e9e10901b8c990ef4601ae0844
SHA256

ffe2d2e6b930f0b8f752d2a478d77cfbf9467006d294474fe33970a8c529b75a
SHA512

5e9e96ed14d4c1fff020d9d1d00f137cbf1121cd5c3c58a054002d7d1f29a417b6f2f71d8f534c7207ea6bd87a3b57d7afea76390b90a1c8badf482dbba710d5
SSDEEP

1536:FhMpLbRQkB4+ENds+jFBncsSRoAGbbzwHvGHtpqKmY7:FhMpLbRQkB4tds+jFBl2JGbbzt2z

Score

10^/10

asyncrat default execution ransomware rat

Malware Config

Extracted

Family

asyncrat

Version

1.2

Botnet

Default

stores-less.gl.at.ply.gg:45080

Mutex

AtomRatMutex_penka

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000900000001ab90-11.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1608	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEA22.tmp.jpg"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
200	timeout.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\WallpaperStyle = "2"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2228	svchost23.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4952	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	svchost23.exe
Token: SeDebugPrivilege	2228	svchost23.exe
Token: SeDebugPrivilege	1608	svchost.exe
Token: SeDebugPrivilege	1608	svchost.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	4952	taskmgr.exe
Token: SeSystemProfilePrivilege	4952	taskmgr.exe
Token: SeCreateGlobalPrivilege	4952	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe
4952	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 96	2228	svchost23.exe	73
PID 2228 wrote to memory of 96	2228	svchost23.exe	73
PID 2228 wrote to memory of 3636	2228	svchost23.exe	74
PID 2228 wrote to memory of 3636	2228	svchost23.exe	74
PID 96 wrote to memory of 2224	96	cmd.exe	77
PID 96 wrote to memory of 2224	96	cmd.exe	77
PID 3636 wrote to memory of 200	3636	cmd.exe	78
PID 3636 wrote to memory of 200	3636	cmd.exe	78
PID 3636 wrote to memory of 1608	3636	cmd.exe	79
PID 3636 wrote to memory of 1608	3636	cmd.exe	79
PID 1608 wrote to memory of 2768	1608	svchost.exe	81
PID 1608 wrote to memory of 2768	1608	svchost.exe	81
PID 2768 wrote to memory of 2596	2768	cmd.exe	83
PID 2768 wrote to memory of 2596	2768	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost23.exe
"C:\Users\Admin\AppData\Local\Temp\svchost23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:96
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp76B6.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:200
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\5395837224819484373.jpg"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\5395837224819484373.jpg"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03pyswbe.o5v.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76B6.tmp.bat

Filesize
151B

MD5
792e2a4f80b485c1a4c1f75c94140a03

SHA1
9274b14fd843d3e03f015b4d0cf6b9521ec3f0c2

SHA256
84f040a1305927ec52fde5e43b71a31791d9ad459b6b7f11334010a735eb74b0

SHA512
8de066552123bb2805510282c6c57fe47b38aa8fbc295d8126d0894f12fa2575808d8da8f464c2232a68798a8c6df310a2bc970821b3b2e098d86d21c482174c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmp.jpg

Filesize
49KB

MD5
207cbe253dc5c86502c7258ec2fc562a

SHA1
989ef44e60447fa99cbd75c8d6c75633d6b8ac56

SHA256
5472d48d854cc9c2885782ab7f7fc77e255088b9f2d28a48f572f7e2bdb5d501

SHA512
280399699dd9e5aeb1a67392a35d3ffa563d3fdab18c14bb3c0ca660670f8117502b928c6de30a3c8fedc1b61e660d74fe2336124935a8b81e3567545eaa0a89

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
5f00c912f2ac12df8525a30afb8f776e

SHA1
516af350678a65e9e10901b8c990ef4601ae0844

SHA256
ffe2d2e6b930f0b8f752d2a478d77cfbf9467006d294474fe33970a8c529b75a

SHA512
5e9e96ed14d4c1fff020d9d1d00f137cbf1121cd5c3c58a054002d7d1f29a417b6f2f71d8f534c7207ea6bd87a3b57d7afea76390b90a1c8badf482dbba710d5

Download Submit
memory/1608-16-0x0000024166C40000-0x0000024166C4E000-memory.dmp

Filesize
56KB

Download
memory/1608-15-0x0000024168B60000-0x0000024168BD6000-memory.dmp

Filesize
472KB

Download
memory/1608-17-0x0000024166CB0000-0x0000024166CCE000-memory.dmp

Filesize
120KB

Download
memory/1608-24-0x0000024166C50000-0x0000024166C5C000-memory.dmp

Filesize
48KB

Download
memory/1608-62-0x0000024167030000-0x000002416703E000-memory.dmp

Filesize
56KB

Download
memory/1608-63-0x0000024168BE0000-0x0000024168C06000-memory.dmp

Filesize
152KB

Download
memory/2228-9-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp

Filesize
9.9MB

Download
memory/2228-3-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp

Filesize
9.9MB

Download
memory/2228-0-0x000002056FDF0000-0x000002056FE06000-memory.dmp

Filesize
88KB

Download
memory/2228-2-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp

Filesize
9.9MB

Download
memory/2228-1-0x00007FFDCCAC3000-0x00007FFDCCAC4000-memory.dmp

Filesize
4KB

Download
memory/2596-30-0x000001FB2CEC0000-0x000001FB2CEE2000-memory.dmp

Filesize
136KB

Download