asyncrat | 459443def8fd0c940b2da33d9703fcf5771dbcd9ce4aff2dcc670528c1d1d3c1

Analysis

max time kernel
131s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8432070440b9827f88a75bef7e65dd60.exe
Size

854KB
MD5

8432070440b9827f88a75bef7e65dd60
SHA1

6c7a2124b7076383f577eb0042f9ea917b2b4066
SHA256

459443def8fd0c940b2da33d9703fcf5771dbcd9ce4aff2dcc670528c1d1d3c1
SHA512

50d8ca74f51257b03678fcb9e98b8ad3eb412403d3b87efdba1dbf09af207aba6e21f849fe811600467e4d5803188ed8e521c407e8942adf0a002c1d937bbf61
SSDEEP

24576:ZY/1EAAfF8FU1lqbrkSqdKHYiJfLYkoDhsYPWLiK:8VAt8FU1lekSq0c68FK

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8432070440b9827f88a75bef7e65dd60.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	8432070440b9827f88a75bef7e65dd60.exe

Deletes itself 1 IoCs

Processes:

Faced.pif

pid process

344 Faced.pif
Executes dropped EXE 2 IoCs

Processes:

Faced.pifRegAsm.exe

pid process

344 Faced.pif
2400 RegAsm.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3088 tasklist.exe
4800 tasklist.exe

pid	process
3088	tasklist.exe
4800	tasklist.exe

Drops file in Windows directory 5 IoCs

Processes:

8432070440b9827f88a75bef7e65dd60.exe

description	ioc	process
File opened for modification	C:\Windows\BasedBrakes	8432070440b9827f88a75bef7e65dd60.exe
File opened for modification	C:\Windows\ChapelSpoken	8432070440b9827f88a75bef7e65dd60.exe
File opened for modification	C:\Windows\TypesCroatia	8432070440b9827f88a75bef7e65dd60.exe
File opened for modification	C:\Windows\MotherboardLooking	8432070440b9827f88a75bef7e65dd60.exe
File opened for modification	C:\Windows\CiscoHarder	8432070440b9827f88a75bef7e65dd60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tasklist.exefindstr.exefindstr.execmd.exechoice.execmd.exetasklist.execmd.exefindstr.exe8432070440b9827f88a75bef7e65dd60.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8432070440b9827f88a75bef7e65dd60.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4000 schtasks.exe

pid	process
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

Faced.pif

pid	process
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif
344	Faced.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3088 tasklist.exe
Token: SeDebugPrivilege 4800 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Faced.pif

pid process

344 Faced.pif
344 Faced.pif
344 Faced.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Faced.pif

pid process

344 Faced.pif
344 Faced.pif
344 Faced.pif

description	pid	process
Token: SeDebugPrivilege	3088	tasklist.exe
Token: SeDebugPrivilege	4800	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

8432070440b9827f88a75bef7e65dd60.execmd.exeFaced.pif

description	pid	process	target process
PID 3772 wrote to memory of 2312	3772	8432070440b9827f88a75bef7e65dd60.exe	cmd.exe
PID 3772 wrote to memory of 2312	3772	8432070440b9827f88a75bef7e65dd60.exe	cmd.exe
PID 3772 wrote to memory of 2312	3772	8432070440b9827f88a75bef7e65dd60.exe	cmd.exe
PID 2312 wrote to memory of 3088	2312	cmd.exe	tasklist.exe
PID 2312 wrote to memory of 3088	2312	cmd.exe	tasklist.exe
PID 2312 wrote to memory of 3088	2312	cmd.exe	tasklist.exe
PID 2312 wrote to memory of 4580	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 4580	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 4580	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 4800	2312	cmd.exe	tasklist.exe
PID 2312 wrote to memory of 4800	2312	cmd.exe	tasklist.exe
PID 2312 wrote to memory of 4800	2312	cmd.exe	tasklist.exe
PID 2312 wrote to memory of 1260	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 1260	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 1260	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 2500	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 2500	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 2500	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 4328	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 4328	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 4328	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 316	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 316	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 316	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 344	2312	cmd.exe	Faced.pif
PID 2312 wrote to memory of 344	2312	cmd.exe	Faced.pif
PID 2312 wrote to memory of 3016	2312	cmd.exe	choice.exe
PID 2312 wrote to memory of 3016	2312	cmd.exe	choice.exe
PID 2312 wrote to memory of 3016	2312	cmd.exe	choice.exe
PID 344 wrote to memory of 4000	344	Faced.pif	schtasks.exe
PID 344 wrote to memory of 4000	344	Faced.pif	schtasks.exe
PID 344 wrote to memory of 2400	344	Faced.pif	RegAsm.exe
PID 344 wrote to memory of 2400	344	Faced.pif	RegAsm.exe
PID 344 wrote to memory of 2400	344	Faced.pif	RegAsm.exe
PID 344 wrote to memory of 2400	344	Faced.pif	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8432070440b9827f88a75bef7e65dd60.exe
"C:\Users\Admin\AppData\Local\Temp\8432070440b9827f88a75bef7e65dd60.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
3⤵
- System Location Discovery: System Language Discovery
PID:4580

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
3⤵
- System Location Discovery: System Language Discovery
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c md 349877
3⤵
- System Location Discovery: System Language Discovery
PID:2500

C:\Windows\SysWOW64\findstr.exe
findstr /V "ORDINANCECHILDHOODCONVERTENDORSED" Booty
3⤵
- System Location Discovery: System Language Discovery
PID:4328

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Norwegian + ..\Mysql + ..\Tours + ..\Awareness + ..\Picking K
3⤵
- System Location Discovery: System Language Discovery
PID:316

C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif
Faced.pif K
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /create /tn "BioMind" /tr "wscript //B 'C:\Users\Admin\AppData\Local\BioTech Dynamics\BioMind.js'" /sc onlogon /F /RL HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
4⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\choice.exe
choice /d y /t 15
3⤵
- System Location Discovery: System Language Discovery
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Temp\349877\K

Filesize
294KB

MD5
c2a4fd12d413dfc8e4b1e37b8f8aee94

SHA1
5164e8f38a29ac76b34d03cdc16ce273a58bb432

SHA256
6885fd9a711b7f8ba4d057eb6de0cee6e3ac5c193086220f0df473a293e54fd0

SHA512
2cce54656fb690e7c494a2cbb2f9d2c7599f42ef8f138647d0aefd5b4cd0b4bd7f1674221359c9acaf70b8f3548b80b9f97e31b49c3d40fd49b0d370c7664c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe

Filesize
63KB

MD5
a4eb36bae72c5cb7392f2b85609d4a7e

SHA1
5c58053a3a18c0226b98a4ac7e7320581300b6c9

SHA256
dc45704ba97d974d157c1c4a27dba402afa595eac2468d8def2ee8d0a2ee9a81

SHA512
8ebdd20b7c1ee87aa3766d812960b0d8cfa0a6ba6e371f730e589895d202dd540eb475f69940261c1532e90d1030370e9eb5102cadbf6e546f99b350de79b95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awareness

Filesize
95KB

MD5
3d433702ad47521887f8f4c46367e188

SHA1
1f6a35c56aa019baefa709970d8710d5b6cc9a09

SHA256
a7d8e066479c17eeafc4732d28b38c713ad82e45008c138bb482a302dbce4907

SHA512
9f590f44dbd66218a2b3b3fcba7477f69ef4464d69337d67e021cdd883f0d4fc4b4125630f578754d1dae1a06296580d5f8c879dcb167bdc0906080b59b6bc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Booty

Filesize
5KB

MD5
456e8d3795990ee35e9cbc227cd15982

SHA1
9975e340561e157ac4e3c4c8fd33d7eef308268d

SHA256
c9a8704bdb3aced2af9ef516c6c1ea53145460a763d54bacf3da50f07fbee52e

SHA512
bbf344bee7a00522667aca111db321d9520ce5e986e4f7069343923553388321b95479897af013ce214783f23ce665980c67d2998373c3f61a1ce1c30bd93f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distributor

Filesize
1.0MB

MD5
350de0e31aa0d66122bd6f686c51a118

SHA1
6e97be100aca0c32186b29d0a1a01d0242bf92e3

SHA256
3e63313db20fe4d41a6d16f50df9dd632b44b519299f7729cc98f183804e0751

SHA512
3a45cb6b3d020d7006ba3813320024fb93ba8228674e474b061d078df39421c8900b25ef292bd5466a807a0bebf4e34deea585bf880cff7a8f3ef38a813775af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mysql

Filesize
91KB

MD5
ff82d720fafa65d0118b0158ca740524

SHA1
320a35c7ccb261719c4bce9eb102bf0644a6e70b

SHA256
388fb4562fb986384807fdacd20f6879b640c36fde7a2e954986f53305f4b533

SHA512
e43c701fe1635b2d84a9b39adc8d3bb7aeec81647cdacb5bce9a6298c98fa0da9d6858f7a7b8c72ad95a9ecf6874ad89fd33d06a9b400e3914db211552f6c392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norwegian

Filesize
52KB

MD5
2f1dd187a223dd7faead0d4bceeba5b3

SHA1
8d86c8e86f21103ad29f1f6862343c2712a69f23

SHA256
8687d07d8992cc9d82e7c30e09e02d5638ef497f1ca5f8162d6376f0ed82f2a6

SHA512
7e18885e9fcd7e7fdb3fe274ef961d69400f73e559872d58cc305f992296202097de81f3c845dd34d2d85b378fd98c0330cd4d5b15b9a4d1ca6155dcf0b12238

Download Submit
C:\Users\Admin\AppData\Local\Temp\Picking

Filesize
2KB

MD5
3a83957e84f93270c2bec9b39a578ce5

SHA1
68952c3e118405cf225796d6b5aa1c2bad16a0d6

SHA256
3dd565cfb94bf646f5b2b42efade7a4abe8ec67661fad5e4630492bb3bf7817c

SHA512
f8cc0ab08764b73622fae22687700957ce332d56150f863fef6cf4848129f2731ac559e2a6444d03c6a063c966b917c06ac8b79e5f615961bd84d179685254d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tall

Filesize
10KB

MD5
7bb1b88b0dad0d85e482bf27d8ed266f

SHA1
53621cae980c2232d1a06b834ee54f4cc551901c

SHA256
f06031fd4be1e9e5d057622752c9d1f1ce4511c2839f4b218b4d5fa89a783225

SHA512
cc479a4aed0568ddbf47d6e83d2a4f837fac47000244a7b6ceb81c02ab4480ae7a0dcf5d38cf05e179ff6fbc69e32e08041cdf65d52fe092de59fd3840d8a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tours

Filesize
54KB

MD5
b771cf4019629d56e8492691792498e5

SHA1
b9e9e1d4829e6125c4ffb5fc19fd779968ce2778

SHA256
2840fe24a2d9b7ca532c5f351469d50cc6bed0d37fb648753e940b49786be891

SHA512
e20551a1dc3a8dd7445eceaecb14570c7f7681fd6b6c8322c31cdcd27560f5206ad9162d7cd71128bb28432f35f95f002233c0b3f7eeaf43b8539d281b153d48

Download Submit
memory/2400-29-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/2400-32-0x000001A84D3A0000-0x000001A84D3CC000-memory.dmp

Filesize
176KB

Download