asyncrat | 7c15fa68e1ae83f81c98a2c616753777ccd720a8a2a1adda490e08be9369a3c8

General

Target

search.exe
Size

63KB
MD5

4a3d7bd2084b48024bf8f459b10aa913
SHA1

ed47940c8e00f846e0656bd95ca14ddd8d157ba0
SHA256

7c15fa68e1ae83f81c98a2c616753777ccd720a8a2a1adda490e08be9369a3c8
SHA512

94e00110aa23f713e099039b027d01e7ea1c5521b4f9b6563cebf537eafb226a3aa840d7f3f4ec08872ec098bd57567c3fd8c3694ea62468139ae84ee5cc5b35
SSDEEP

768:RdGnVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oXkDkhgOSuAdph:mnSdsNdSJYUbdh9kcIuAdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

natural-familiar.gl.at.ply.gg:65030

Attributes

delay
1
install
true
install_file
search.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\search.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

search.exe

pid process

1404 search.exe

pid	process
1404	search.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3524 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2428 schtasks.exe

pid	process
3524	timeout.exe

pid	process
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

search.exetaskmgr.exe

pid	process
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
3692	search.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

search.exesearch.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3692	search.exe
Token: SeDebugPrivilege	3692	search.exe
Token: SeDebugPrivilege	1404	search.exe
Token: SeDebugPrivilege	1404	search.exe
Token: SeDebugPrivilege	2520	taskmgr.exe
Token: SeSystemProfilePrivilege	2520	taskmgr.exe
Token: SeCreateGlobalPrivilege	2520	taskmgr.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

taskmgr.exe

pid	process
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

taskmgr.exe

pid	process
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

search.execmd.execmd.exe

description	pid	process	target process
PID 3692 wrote to memory of 4700	3692	search.exe	cmd.exe
PID 3692 wrote to memory of 4700	3692	search.exe	cmd.exe
PID 3692 wrote to memory of 3660	3692	search.exe	cmd.exe
PID 3692 wrote to memory of 3660	3692	search.exe	cmd.exe
PID 4700 wrote to memory of 2428	4700	cmd.exe	schtasks.exe
PID 4700 wrote to memory of 2428	4700	cmd.exe	schtasks.exe
PID 3660 wrote to memory of 3524	3660	cmd.exe	timeout.exe
PID 3660 wrote to memory of 3524	3660	cmd.exe	timeout.exe
PID 3660 wrote to memory of 1404	3660	cmd.exe	search.exe
PID 3660 wrote to memory of 1404	3660	cmd.exe	search.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\search.exe
"C:\Users\Admin\AppData\Local\Temp\search.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6CC4.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3524

C:\Users\Admin\AppData\Roaming\search.exe
"C:\Users\Admin\AppData\Roaming\search.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\search.exe.log

Filesize
425B

MD5
2ead231ce66abe78de975d1b05d590a4

SHA1
c269fde7c1d36005928089b0689cecd0a2bc1e1c

SHA256
71879c54d43afa910afbabfc59235151a78b42049f79f152773fbfca74b2f294

SHA512
038480a37fe4227fe04f7323fea842037df486901aab0529145046718ffb48c99e62107f534857ca0023dbb5b72be778bc4911ae2873c01ad826865c44537fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CC4.tmp.bat

Filesize
150B

MD5
54960a3924b0c503e383f844933b9059

SHA1
d9a833eb79582a0c2478c221acc8ba7f7b2d61ad

SHA256
7503595f41a0ad59bf0c06ce163e5965220116f3db2925bd143a98446612137d

SHA512
17913f4fcaf82b695ae131197057932c58390b1161c2bee40c3e14a8c41590015b247640f66e144d34f02d5ba4c2681b608ae85139dcdc29158c0271f604646d

Download Submit
C:\Users\Admin\AppData\Roaming\search.exe

Filesize
63KB

MD5
4a3d7bd2084b48024bf8f459b10aa913

SHA1
ed47940c8e00f846e0656bd95ca14ddd8d157ba0

SHA256
7c15fa68e1ae83f81c98a2c616753777ccd720a8a2a1adda490e08be9369a3c8

SHA512
94e00110aa23f713e099039b027d01e7ea1c5521b4f9b6563cebf537eafb226a3aa840d7f3f4ec08872ec098bd57567c3fd8c3694ea62468139ae84ee5cc5b35

Download Submit
memory/3692-1-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/3692-0-0x00007FFC94BD3000-0x00007FFC94BD4000-memory.dmp

Filesize
4KB

Download
memory/3692-2-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download
memory/3692-3-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download
memory/3692-8-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads