asyncrat | ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace

Analysis

max time kernel
369s
max time network
373s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.ps1
Size

1002KB
MD5

53c4c7466cebb3357a4bf5fdde6e03bd
SHA1

3ae57e66c6651b2c35b873db5de86b87ccc969ad
SHA256

ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace
SHA512

aa7a49bde2e30748853b66c772d5bc72372699d52a0d4806d373e870eaa0488ba6ff7b92669e15c9b0180f4cfebd45e698a75b514512b6eddb338dfaf2d2a75e
SSDEEP

24576:TawjBUo3v/AOhx415r2X0Kin4clpSeuoZ+tF0USjpMmaXBxwP0oOGAlLRqkbx2yY:e

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

grogrogrogro.ddnsgeek.com:4444

Mutex

AsyncMutex_6SI8OWDAW

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1568	powershell.exe
4760	powershell.exe
3364	powershell.exe
4136	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 3916	1568	powershell.exe	95
PID 4760 set thread context of 4736	4760	powershell.exe	101
PID 3364 set thread context of 4960	3364	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4136	powershell.exe
4136	powershell.exe
1568	powershell.exe
1568	powershell.exe
3916	RegSvcs.exe
4760	powershell.exe
4760	powershell.exe
3364	powershell.exe
3364	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3916	RegSvcs.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3916	RegSvcs.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 1932	3332	WScript.exe	92
PID 3332 wrote to memory of 1932	3332	WScript.exe	92
PID 1932 wrote to memory of 1568	1932	cmd.exe	94
PID 1932 wrote to memory of 1568	1932	cmd.exe	94
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 1568 wrote to memory of 3916	1568	powershell.exe	95
PID 2844 wrote to memory of 3920	2844	WScript.exe	98
PID 2844 wrote to memory of 3920	2844	WScript.exe	98
PID 3920 wrote to memory of 4760	3920	cmd.exe	100
PID 3920 wrote to memory of 4760	3920	cmd.exe	100
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 4760 wrote to memory of 4736	4760	powershell.exe	101
PID 3888 wrote to memory of 2840	3888	WScript.exe	103
PID 3888 wrote to memory of 2840	3888	WScript.exe	103
PID 2840 wrote to memory of 3364	2840	cmd.exe	105
PID 2840 wrote to memory of 3364	2840	cmd.exe	105
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106
PID 3364 wrote to memory of 4960	3364	powershell.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\wingro8.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\wingro8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\wingro8.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3916

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\wingro8.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\wingro8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\wingro8.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4736

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\wingro8.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\wingro8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\wingro8.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5bfec1063a497048fffb231a0621403

SHA1
97cf6a89f237f43b9c22e3e081f7d45924d435ba

SHA256
325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f

SHA512
e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dfac5aa862e961163189701c86a572cb

SHA1
a93f4f4c062136a69fd9edffc582df2f26380b54

SHA256
f4a6eb538ce468bff09c7f7268330452e9fbc2c3daf1cbd08dca4edf48e04e18

SHA512
3481ef0a9f31b9f94e9f977c16b53a21e7e1bc37cd2ce83458697ba387d953e522a8cd1e801266b65f664ceb646aa53b021d6377e75baab3843b2573e07bb073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f8a28e52e5d152911ca396aafc201

SHA1
e1c9a16e02d7f441b7ef8b158bedb1d073b027bc

SHA256
db34d44a764abe98ab93c23cd7ef48ca8170e362b1123498d672b015946011d0

SHA512
03febe29689333eeed9af284ba785bdacaed2945ed6e47911129e555d2b3a83b087081fd1f2e30cfa9b4ca751261af3b2e3a3e3cd4c37c0a5d67e648d0f49f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31poyre5.ky1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\wingro8.bat

Filesize
204B

MD5
9ae3fd9aa024c8c635043f25e14e4582

SHA1
346bdf6d3fb90733b29e4b0679eed419d2337d8a

SHA256
08eb7706a9e1efa8a68e0174bc5d62fd48282ffafc561819c3bc87784a80e73f

SHA512
b4a87e683517cdfc1df43a08b238844bac0319be234ccfddb1ba0c55bc321d5f3b592a7ecd795370d735c629ff2122d9a6405c181a16128606ba4b26c1f67af2

Download Submit
C:\Users\Public\wingro8.ps1

Filesize
1000KB

MD5
a7c519fa08aa6c0e88292f403244958d

SHA1
66aa43c3d645041957e7da8ad263c6c8ac21875f

SHA256
6b69b5238db51c77517e5ad018160b9d1be9b9d6af217033b4cf0648e4dfe1fd

SHA512
f621dc60aed94d8571a75b9f3ef83831de09fa1baebd21e12d476c67315745b6974bd76c163c623ee765f7e181da4291aa298574397782020e0b4585911fb1bd

Download Submit
C:\Users\Public\wingro8.vbs

Filesize
689B

MD5
aeee1749af12130d3f8c69f286d82904

SHA1
1199175f300c2249c1e6fedb28efa44acffa88b1

SHA256
40dd27ce5d1b906557495317c0c0164cce12baab5dae79028b1539a65a9caf2b

SHA512
f8e944b7de50ef6200606f334b82216ea177bea391b3464bacda0db44395a346994cdb26f1bba4c83e6044f88b76cad87d89179ced0ea09114d15aeab49fffec

Download Submit
memory/1568-34-0x0000017F670D0000-0x0000017F67104000-memory.dmp

Filesize
208KB

Download
memory/3364-65-0x000001AB38D70000-0x000001AB38DA4000-memory.dmp

Filesize
208KB

Download
memory/3916-38-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3916-35-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3916-37-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/3916-39-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/3916-40-0x0000000006450000-0x00000000064EC000-memory.dmp

Filesize
624KB

Download
memory/3916-41-0x00000000063B0000-0x0000000006416000-memory.dmp

Filesize
408KB

Download
memory/4136-19-0x00007FFD61930000-0x00007FFD623F1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-0-0x00007FFD61933000-0x00007FFD61935000-memory.dmp

Filesize
8KB

Download
memory/4136-16-0x00007FFD61930000-0x00007FFD623F1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-12-0x00007FFD61930000-0x00007FFD623F1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-11-0x00007FFD61930000-0x00007FFD623F1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-1-0x00000176E3AA0000-0x00000176E3AC2000-memory.dmp

Filesize
136KB

Download