asyncrat | e47d21161e65f29997cc6ecffe41e8f12f79cfd052ad978037d966f42fa70eec

Analysis

max time kernel
118s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
Size

663KB
MD5

7b05be5398ce2cbc424d40b82b8bb4fe
SHA1

6c158dc6c7324e5b76bb9d89916261c778c23f63
SHA256

472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c
SHA512

ddb856adf6ddf8d8f696b48a1b5d27584be742bc9f47e4bf07b0dca101be9afa598a087d7bc8e5dc9c0d515d0e7333093ef4c597bd8d3197a2e340caf9da8257
SSDEEP

12288:fU3929BC4rqhpqBHIA01a29EprIHAJp3UadAAHkR:fU89BNuhaoEprIHAJpkoAr

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

5.252.165.55:1986

Mutex

AsyncMutex_5SI8OkPnk

Attributes

delay
3
install
true
install_file
Notes.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2844	powershell.exe
1748	powershell.exe
2564	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	Notes.exe
288	Notes.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1952 set thread context of 288	1952	Notes.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1296	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2856	schtasks.exe
2348	schtasks.exe
780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2844	powershell.exe
2936	powershell.exe
3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
2564	powershell.exe
1748	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	288	Notes.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2936	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	31
PID 1480 wrote to memory of 2936	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	31
PID 1480 wrote to memory of 2936	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	31
PID 1480 wrote to memory of 2936	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	31
PID 1480 wrote to memory of 2844	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	33
PID 1480 wrote to memory of 2844	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	33
PID 1480 wrote to memory of 2844	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	33
PID 1480 wrote to memory of 2844	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	33
PID 1480 wrote to memory of 2856	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	35
PID 1480 wrote to memory of 2856	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	35
PID 1480 wrote to memory of 2856	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	35
PID 1480 wrote to memory of 2856	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	35
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 1480 wrote to memory of 3004	1480	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	37
PID 3004 wrote to memory of 2136	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	38
PID 3004 wrote to memory of 2136	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	38
PID 3004 wrote to memory of 2136	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	38
PID 3004 wrote to memory of 2136	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	38
PID 3004 wrote to memory of 2336	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	40
PID 3004 wrote to memory of 2336	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	40
PID 3004 wrote to memory of 2336	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	40
PID 3004 wrote to memory of 2336	3004	PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe	40
PID 2136 wrote to memory of 2348	2136	cmd.exe	42
PID 2136 wrote to memory of 2348	2136	cmd.exe	42
PID 2136 wrote to memory of 2348	2136	cmd.exe	42
PID 2136 wrote to memory of 2348	2136	cmd.exe	42
PID 2336 wrote to memory of 1296	2336	cmd.exe	43
PID 2336 wrote to memory of 1296	2336	cmd.exe	43
PID 2336 wrote to memory of 1296	2336	cmd.exe	43
PID 2336 wrote to memory of 1296	2336	cmd.exe	43
PID 2336 wrote to memory of 1952	2336	cmd.exe	45
PID 2336 wrote to memory of 1952	2336	cmd.exe	45
PID 2336 wrote to memory of 1952	2336	cmd.exe	45
PID 2336 wrote to memory of 1952	2336	cmd.exe	45
PID 1952 wrote to memory of 1748	1952	Notes.exe	46
PID 1952 wrote to memory of 1748	1952	Notes.exe	46
PID 1952 wrote to memory of 1748	1952	Notes.exe	46
PID 1952 wrote to memory of 1748	1952	Notes.exe	46
PID 1952 wrote to memory of 2564	1952	Notes.exe	47
PID 1952 wrote to memory of 2564	1952	Notes.exe	47
PID 1952 wrote to memory of 2564	1952	Notes.exe	47
PID 1952 wrote to memory of 2564	1952	Notes.exe	47
PID 1952 wrote to memory of 780	1952	Notes.exe	48
PID 1952 wrote to memory of 780	1952	Notes.exe	48
PID 1952 wrote to memory of 780	1952	Notes.exe	48
PID 1952 wrote to memory of 780	1952	Notes.exe	48
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52
PID 1952 wrote to memory of 288	1952	Notes.exe	52

C:\Users\Admin\AppData\Local\Temp\PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
"C:\Users\Admin\AppData\Local\Temp\PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZjHuIvPfp.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZjHuIvPfp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB886.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 39567812_PDF Siemens Ltd. India iGST_eH2mYaM.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Notes" /tr '"C:\Users\Admin\AppData\Roaming\Notes.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Notes" /tr '"C:\Users\Admin\AppData\Roaming\Notes.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7A3.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1296
  - - C:\Users\Admin\AppData\Roaming\Notes.exe
      "C:\Users\Admin\AppData\Roaming\Notes.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Notes.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZjHuIvPfp.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZjHuIvPfp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB76.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:780
    - - C:\Users\Admin\AppData\Roaming\Notes.exe
        
        "C:\Users\Admin\AppData\Roaming\Notes.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1B7E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB886.tmp

Filesize
1KB

MD5
862b968946b8860e04b680021bd48b0c

SHA1
3069a57b5aca3cdf5d1d5055f37ae737991f806e

SHA256
2fb65a7ec8736773a70cf295dd86a6e0b76bb16089d4d2c8b5e89e62725cef26

SHA512
6051b251d8468f279c1ce83aa9c1d0cd193768d2332698171f3cf299e27be660b133b7b9e0a9866907eb500fcb3c44dbaf52b9b1c88d7243ec73da84c22fd361

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7A3.tmp.bat

Filesize
149B

MD5
9f0bd9fb1f1f8e8069865a8372742a6a

SHA1
7607563771cbc2c4dedc31d2ae0f13787f21ad4c

SHA256
22353a4b606eef9b9d85f68cf537720725447f7bd6fd74a47fb918fbc650e457

SHA512
db895e84f51f79e3fee9bbfe0ebb172dba802b3843617c508c2c2c0f469fdc58db22165af7e06e870c3f377e4a99b888d27b05c9ec0fbd32769af0ffdc355833

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABNCPKV5CEOX7DI5QAF0.temp

Filesize
7KB

MD5
8ad19db48967a9ec94cc38d22df5c4b6

SHA1
13227bb5cffc1d073a92740e5c99214e0939632d

SHA256
e50b5d263b2d2fc6805757c6c9e7cd4c9aa41f41c791191930e273eb6d1a8ab2

SHA512
aa2f506fe71fa4da59e77dac209e9adf59c157b42055ccb02cec7b51e4d48e07e32a2e64369b88c69ad9a50225b9859988438aa038b36bc60644803198086d10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b31e635518137364c2ad0553eeca041

SHA1
cbb215b1717d18fe16942f58bda5bc8e71eb3dc2

SHA256
9df7d6b7be80f58f2ff3f1ef5d62914ba3836b26479fe50961eb2cf1e240b4f3

SHA512
dbb23879d18f2f4e8e943b0fc12b401fa56fc706b10118186e77e0fc90ae99d6d2ab052a316fe5ed972c6a3aee9ff72ae203390af58cf355daca11cdd4c720c7

Download Submit
\Users\Admin\AppData\Roaming\Notes.exe

Filesize
663KB

MD5
7b05be5398ce2cbc424d40b82b8bb4fe

SHA1
6c158dc6c7324e5b76bb9d89916261c778c23f63

SHA256
472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c

SHA512
ddb856adf6ddf8d8f696b48a1b5d27584be742bc9f47e4bf07b0dca101be9afa598a087d7bc8e5dc9c0d515d0e7333093ef4c597bd8d3197a2e340caf9da8257

Download Submit
memory/288-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/288-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/288-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1480-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/1480-1-0x0000000001100000-0x00000000011A8000-memory.dmp

Filesize
672KB

Download
memory/1480-4-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/1480-5-0x00000000006B0000-0x0000000000704000-memory.dmp

Filesize
336KB

Download
memory/1480-31-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-3-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/1952-45-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

Filesize
336KB

Download
memory/1952-44-0x0000000001040000-0x00000000010E8000-memory.dmp

Filesize
672KB

Download
memory/3004-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3004-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download