asyncrat | 317e0a76962ba5435726b570ff84ac25374b65fb8001fdbeeab50aad1c0806e8

Resubmissions

08-08-2024 19:55

240808-ynb8ssydpl 10

08-08-2024 07:49

240808-jn15la1epq 10

Analysis

max time kernel
149s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
08-08-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f3c7379dd29298aa24b3aa3a3113ed3051f4515bc3c016893e285d311a74202.exe
Size

48KB
MD5

a4c35dcd0013a04666a9d58095ff4060
SHA1

8943579c1d6db5bb74322efec322a4a6a6c00723
SHA256

1f3c7379dd29298aa24b3aa3a3113ed3051f4515bc3c016893e285d311a74202
SHA512

7e63464b4bd2cbec56e7635c77a7bf15d2d8983b25e63e81b1f08ca202ca24252bf4de60b96e578885c284c64e5b85b4b373cb07fd4469fb8acf49c7d216c178
SSDEEP

768:zuifNTdFHLBWUZzGrmo2qrA75dsmegjs6Za3PIO6oIxlY0bsSVola1uFhHToCHbg:zuifNTdB+2Xegjs6MwODmTbscOnHTPa7

Score

10^/10

asyncrat july 26 discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

July 26

donzola.duckdns.org:2000

Mutex

AsyncMutex_iuykt5yr5ur58n8tnur8herjncr8tk

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f3c7379dd29298aa24b3aa3a3113ed3051f4515bc3c016893e285d311a74202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31123917"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d29e2acde9da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f010b92acde9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4EFC4783-55C0-11EF-9650-6E1C4DEC9E1E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31123917"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023a621264b0c034ba468298c744ca3cd0000000002000000000010660000000100002000000022dadb2430530c8db48c459cf22b12f1e01e6370159a07d0936ada09aed4edf4000000000e800000000200002000000005f08340b46b0c64eee08957c9f6c892cf9388f053c9c307ca80f9b98a3cb571200000009f2f532d7a1485178fae5a61113e2978fb5ec4736f0f57b789f48698b00228ca40000000eb87c4898aed7ab2669e71a66e130c0f074b0748048df6a9227b5d9444d4c7bef829710c1b3f82c9bc92b319f8137179834bdeada796be5d787521b0b5ea823e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023a621264b0c034ba468298c744ca3cd000000000200000000001066000000010000200000006241ba5689fee39a9843292ac5ffc22c524a8d9ff8d25114cd852c9d3696edb9000000000e8000000002000020000000381e3917fd258ab10658687a566e4afa8519a72102a647790278835d90eed546200000008c1268804cb56251ca899f24dd463a6429b29d191d9f5e39b637c797aa3ffd074000000095830f5c2897c801fa9f34d8c555c82b18325ee89efba169ca0c2cde4daf0d0f98522f3981e04f4ae398afb4ce097a6eb6a89c160ef00886cb6b3a87e6ac4245	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "597084762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "597084762"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5064	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	1f3c7379dd29298aa24b3aa3a3113ed3051f4515bc3c016893e285d311a74202.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1984	iexplore.exe
1984	iexplore.exe
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE
5064	POWERPNT.EXE
5064	POWERPNT.EXE
5064	POWERPNT.EXE
5064	POWERPNT.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 608	1984	iexplore.exe	74
PID 1984 wrote to memory of 608	1984	iexplore.exe	74
PID 1984 wrote to memory of 608	1984	iexplore.exe	74

C:\Users\Admin\AppData\Local\Temp\1f3c7379dd29298aa24b3aa3a3113ed3051f4515bc3c016893e285d311a74202.exe
"C:\Users\Admin\AppData\Local\Temp\1f3c7379dd29298aa24b3aa3a3113ed3051f4515bc3c016893e285d311a74202.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:82945 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:608

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\SyncPush.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
ef8a2be229af78cd5eefd4c463eccd83

SHA1
5a41b1831ef4b6cfc0f12a81eda4b24f86f48043

SHA256
e5667538b9e5b320fb67fe93546c5d06a4c225159572e55b5c75aaf606d706dc

SHA512
b92010363f9220aed92c0b64090265eff559e0faf71db6c1e3560f405370984dd85601fe1a4f76998c2f7e7d1bb30e3effa18718e1b24064b3cab5990e827800

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF4022832AD7C75D9C.TMP

Filesize
16KB

MD5
0d3d4fcbbd7696fced786412d6a08527

SHA1
ab2f1245a05f5186d23616c4591a8980b15c9f5b

SHA256
d9009aa5ba57b0017b41574d1809f511d34534211ff3876d6ab1ee73fb71b8b9

SHA512
dc493d793b374d645fd89a540d32d207c791e4e048dd44bd46b5c76c6743535ac4c0740508dcd4f6d2b60ef9d503c345a449777b1808215a826e6c45eb4d7d21

Download Submit
memory/2536-0-0x000000007390E000-0x000000007390F000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2536-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-3-0x000000007390E000-0x000000007390F000-memory.dmp

Filesize
4KB

Download
memory/2536-4-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/5064-18-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-39-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-14-0x00007FF936145000-0x00007FF936146000-memory.dmp

Filesize
4KB

Download
memory/5064-19-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-20-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-24-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-23-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-31-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-33-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-32-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-34-0x00007FF8F25C0000-0x00007FF8F25D0000-memory.dmp

Filesize
64KB

Download
memory/5064-35-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-36-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-37-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-38-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-17-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-43-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-44-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-42-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-41-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-40-0x00007FF8F25C0000-0x00007FF8F25D0000-memory.dmp

Filesize
64KB

Download
memory/5064-15-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-16-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-13-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-230-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-231-0x00007FF936145000-0x00007FF936146000-memory.dmp

Filesize
4KB

Download
memory/5064-232-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/5064-539-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-540-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-542-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-541-0x00007FF8F6130000-0x00007FF8F6140000-memory.dmp

Filesize
64KB

Download
memory/5064-543-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads