asyncrat | 7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca

Analysis

max time kernel
126s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-08-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
Size

64KB
MD5

919b43661894503a00d44ffd1174d613
SHA1

c510009fb7bad735e35a10c0ebe925d730ca961f
SHA256

7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca
SHA512

5019e86e2c0585aa59d7c14b4a0b03c911440487b9bd843db0a6138861e46274f17d72deea09429b650c5976aa9bf03d7427d65b26cc4b65c0c0bd9f1b19997b
SSDEEP

768:N9aGzWs/9PiPJ5eit9JSTLavfU4OnsD3q66T1+4SCv7mqb2nRpwH1oDjoUhPGnPP:vaW90TekUJyq6OqGbbUwDuGnPpqKmY7

Score

10^/10

asyncrat discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

server.underground-cheat.xyz:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
Host Process for Windows.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

RPYntXGt1eJi

Attributes

delay
3
install
true
install_file
WinUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000029cb8-11.dat	family_asyncrat
behavioral2/files/0x000400000002aa1f-26.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
3248	Host Process for Windows.exe
1984	$77svchost.exe
4964	WinUpdate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1340	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2076	timeout.exe
1788	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1872	schtasks.exe
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
1340	powershell.exe
1340	powershell.exe
3248	Host Process for Windows.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe
1984	$77svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
Token: SeDebugPrivilege	3248	Host Process for Windows.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1984	$77svchost.exe
Token: SeDebugPrivilege	4964	WinUpdate.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1708	3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe	82
PID 3328 wrote to memory of 1708	3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe	82
PID 3328 wrote to memory of 4576	3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe	84
PID 3328 wrote to memory of 4576	3328	7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe	84
PID 4576 wrote to memory of 2076	4576	cmd.exe	86
PID 4576 wrote to memory of 2076	4576	cmd.exe	86
PID 1708 wrote to memory of 1872	1708	cmd.exe	87
PID 1708 wrote to memory of 1872	1708	cmd.exe	87
PID 4576 wrote to memory of 3248	4576	cmd.exe	88
PID 4576 wrote to memory of 3248	4576	cmd.exe	88
PID 3248 wrote to memory of 788	3248	Host Process for Windows.exe	90
PID 3248 wrote to memory of 788	3248	Host Process for Windows.exe	90
PID 788 wrote to memory of 1340	788	cmd.exe	92
PID 788 wrote to memory of 1340	788	cmd.exe	92
PID 1340 wrote to memory of 1984	1340	powershell.exe	93
PID 1340 wrote to memory of 1984	1340	powershell.exe	93
PID 1340 wrote to memory of 1984	1340	powershell.exe	93
PID 1984 wrote to memory of 2448	1984	$77svchost.exe	94
PID 1984 wrote to memory of 2448	1984	$77svchost.exe	94
PID 1984 wrote to memory of 2448	1984	$77svchost.exe	94
PID 1984 wrote to memory of 3512	1984	$77svchost.exe	96
PID 1984 wrote to memory of 3512	1984	$77svchost.exe	96
PID 1984 wrote to memory of 3512	1984	$77svchost.exe	96
PID 3512 wrote to memory of 1788	3512	cmd.exe	98
PID 3512 wrote to memory of 1788	3512	cmd.exe	98
PID 3512 wrote to memory of 1788	3512	cmd.exe	98
PID 2448 wrote to memory of 4760	2448	cmd.exe	99
PID 2448 wrote to memory of 4760	2448	cmd.exe	99
PID 2448 wrote to memory of 4760	2448	cmd.exe	99
PID 3512 wrote to memory of 4964	3512	cmd.exe	100
PID 3512 wrote to memory of 4964	3512	cmd.exe	100
PID 3512 wrote to memory of 4964	3512	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe
"C:\Users\Admin\AppData\Local\Temp\7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Host Process for Windows" /tr '"C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Host Process for Windows" /tr '"C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2076
- - C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe
    "C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\$77svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DE1.tmp.bat""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77svchost.exe

Filesize
45KB

MD5
a44a767dba207c04c74afae17144f787

SHA1
fa14f38216e259be5b181c825719f1c864691a5f

SHA256
26eaa5bce06cadc54cb4990fabb1b9150966ef720b07a836ef2bd456360246b2

SHA512
7dfd6e182ac9f16b29843cb0eabaa7db02fa3ee59c65c7822d9213859c4a7185d0fdcd1d51747a11b4fdd3a7947ea14fdc7fa583c13b4d3edf50b8d6d3178619

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hds34sj2.1h5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2DE1.tmp.bat

Filesize
153B

MD5
69792070f017ebd0a3a58c1125f6384c

SHA1
bc56259523079dfdcaecdc1e3c3031e5eb200dd8

SHA256
0f7a9c0e1c04a4eb6f214eec2ce3005232576faa7c1a7ce81da0f97dc1794521

SHA512
12147926c547885ebb3c79bd01d8f8b192cb5e3a842051e600185ecd3eac86ce1333781bf79d9b928198ad0d1b437414a699892a5ad0c1c9fbcf7ad0d8887c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.bat

Filesize
168B

MD5
4032b5ff1f062d5a7a8e4a1f05a1233b

SHA1
99b35f79731666f68251dfa70b12ec1efb54e0e3

SHA256
9617aa2ea85919272cab240b66c6a871ab952c820827da1969049e291435c74d

SHA512
d01a96a32f07c633c8e4c57877802c8df531bd8976927964e8a272cb355758dd208d48d3166683c967e2229cb4fd43045f84833cf61c9a7543dd4713857e75f2

Download Submit
C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe

Filesize
64KB

MD5
919b43661894503a00d44ffd1174d613

SHA1
c510009fb7bad735e35a10c0ebe925d730ca961f

SHA256
7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca

SHA512
5019e86e2c0585aa59d7c14b4a0b03c911440487b9bd843db0a6138861e46274f17d72deea09429b650c5976aa9bf03d7427d65b26cc4b65c0c0bd9f1b19997b

Download Submit
memory/1340-25-0x000001E81C0B0000-0x000001E81C0D2000-memory.dmp

Filesize
136KB

Download
memory/1984-31-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download
memory/1984-30-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/3248-14-0x0000000002970000-0x000000000297E000-memory.dmp

Filesize
56KB

Download
memory/3248-15-0x000000001B2D0000-0x000000001B2EE000-memory.dmp

Filesize
120KB

Download
memory/3248-13-0x000000001C0D0000-0x000000001C146000-memory.dmp

Filesize
472KB

Download
memory/3328-0-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/3328-8-0x00007FF80AFF0000-0x00007FF80BAB2000-memory.dmp

Filesize
10.8MB

Download
memory/3328-3-0x00007FF80AFF0000-0x00007FF80BAB2000-memory.dmp

Filesize
10.8MB

Download
memory/3328-2-0x00007FF80AFF0000-0x00007FF80BAB2000-memory.dmp

Filesize
10.8MB

Download
memory/3328-1-0x00007FF80AFF3000-0x00007FF80AFF5000-memory.dmp

Filesize
8KB

Download