asyncrat | 233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Size

821KB
MD5

40173279dca40dc2eb04e130d7142ce2
SHA1

a9d3cf03484120a0471d14ba59f82b38d26d84b0
SHA256

233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f
SHA512

db2aa317e12095ab880ffa4bdd00839b5fd6ff86c3f9a1d69a5459a626a72949b138b757fc01673a46f298073c5e489ec7929b4cc440d4f9c0ef65abfbea9d5d
SSDEEP

12288:dMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9JhBBxdsP2g:dnsJ39LyjbJkQFMhmC+6GD9X5dsu

Score

10^/10

asyncrat default discovery macro persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

lol.exe

Attributes

delay
1
install
true
install_file
lol.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 8 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000012118-4.dat	VenomRAT
behavioral1/files/0x0008000000016d56-12.dat	VenomRAT
behavioral1/memory/2580-25-0x0000000000400000-0x00000000004D3000-memory.dmp	VenomRAT
behavioral1/memory/1936-28-0x0000000000B10000-0x0000000000B28000-memory.dmp	VenomRAT
behavioral1/memory/2824-36-0x0000000000370000-0x0000000000388000-memory.dmp	VenomRAT
behavioral1/memory/2928-92-0x0000000000400000-0x00000000004D3000-memory.dmp	VenomRAT
behavioral1/memory/2928-93-0x0000000000400000-0x00000000004D3000-memory.dmp	VenomRAT
behavioral1/memory/2928-125-0x0000000000400000-0x00000000004D3000-memory.dmp	VenomRAT

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000012118-4.dat	family_asyncrat

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
behavioral1/files/0x0007000000018bd2-86.dat

Executes dropped EXE 3 IoCs

Processes:

._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
2928	Synaptics.exe
2824	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

Processes:

233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exeSynaptics.exe

pid	Process
2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
2928	Synaptics.exe
2928	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exeSynaptics.exeEXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2752	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe

description	pid	Process
Token: SeDebugPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeIncreaseQuotaPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSecurityPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeTakeOwnershipPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeLoadDriverPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSystemProfilePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSystemtimePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeProfSingleProcessPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeIncBasePriorityPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeCreatePagefilePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeBackupPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeRestorePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeShutdownPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeDebugPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSystemEnvironmentPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeRemoteShutdownPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeUndockPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeManageVolumePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: 33	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: 34	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: 35	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeIncreaseQuotaPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSecurityPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeTakeOwnershipPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeLoadDriverPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSystemProfilePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSystemtimePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeProfSingleProcessPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeIncBasePriorityPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeCreatePagefilePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeBackupPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeRestorePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeShutdownPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeDebugPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeSystemEnvironmentPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeRemoteShutdownPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeUndockPrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: SeManageVolumePrivilege	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: 33	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: 34	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
Token: 35	1936	._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2752	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exeSynaptics.exe._cache_Synaptics.exe

description	pid	Process	procid_target
PID 2580 wrote to memory of 1936	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	30
PID 2580 wrote to memory of 1936	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	30
PID 2580 wrote to memory of 1936	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	30
PID 2580 wrote to memory of 1936	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	30
PID 2580 wrote to memory of 2928	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	31
PID 2580 wrote to memory of 2928	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	31
PID 2580 wrote to memory of 2928	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	31
PID 2580 wrote to memory of 2928	2580	233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe	31
PID 2928 wrote to memory of 2824	2928	Synaptics.exe	32
PID 2928 wrote to memory of 2824	2928	Synaptics.exe	32
PID 2928 wrote to memory of 2824	2928	Synaptics.exe	32
PID 2928 wrote to memory of 2824	2928	Synaptics.exe	32
PID 2824 wrote to memory of 2672	2824	._cache_Synaptics.exe	34
PID 2824 wrote to memory of 2672	2824	._cache_Synaptics.exe	34
PID 2824 wrote to memory of 2672	2824	._cache_Synaptics.exe	34

C:\Users\Admin\AppData\Local\Temp\233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
"C:\Users\Admin\AppData\Local\Temp\233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2824 -s 568
      4⤵
      PID:2672

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
821KB

MD5
40173279dca40dc2eb04e130d7142ce2

SHA1
a9d3cf03484120a0471d14ba59f82b38d26d84b0

SHA256
233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f

SHA512
db2aa317e12095ab880ffa4bdd00839b5fd6ff86c3f9a1d69a5459a626a72949b138b757fc01673a46f298073c5e489ec7929b4cc440d4f9c0ef65abfbea9d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7SkupaH.xlsm

Filesize
28KB

MD5
b4a3ef72c98b59b8fa0b719d6f25ee7e

SHA1
7fc7a0513dbc806df3afd21436f08c937f291c79

SHA256
0ca7f6c34384ec91232b1a21b3a7515319790978daae267c734fc35374421be8

SHA512
1fb250c9681e98da4f1caea9b4bb50a3396115fcfdafad040eafc747505198d4ed21130e7e0666701eabb7529bcdf43f9af1386680939f6d8ba89feac20bcec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7SkupaH.xlsm

Filesize
25KB

MD5
c32dbbc3c06e4bfe06d9ace6a8150878

SHA1
22a18cb67cc943f05f6f1109f79b7f90ca173d64

SHA256
5408ae2fa179490632c2a25a0094b3a3cafe0d5fa9d17d416da9467e1f6bf291

SHA512
8604534ed65b2c8ac58ff000c024dda5001525aa610b8e3defa494694c13a382a943b2ed3b6a309fe28792190c723ebb122ebcc462ac6c192e28d806ebc96ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7SkupaH.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_233fee4945229292aef7f2a515ddad8a0a6b1ccbdc40bb2ae9f343c2d96ddc8f.exe

Filesize
74KB

MD5
32b65e6e0e6112b5dae6b43f214c28f6

SHA1
8c268ab559f6cce631c9da6949cc7c2d4abced08

SHA256
296674e268379a496e66b4e571881c32e75e46e661aa7247405201a126a782c6

SHA512
c670f08f60bf3934817f842539a2dc3534c2503234892f4ec3d4809e4ab88624810dbca7c31002d5c2c900145d7fe5db7727746268bdcefd36a893cf11606a07

Download Submit
memory/1936-28-0x0000000000B10000-0x0000000000B28000-memory.dmp

Filesize
96KB

Download
memory/2580-25-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2580-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2752-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2824-36-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/2928-92-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2928-93-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2928-125-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download