asyncrat | 459443def8fd0c940b2da33d9703fcf5771dbcd9ce4aff2dcc670528c1d1d3c1

Analysis

max time kernel
1795s
max time network
1496s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-10-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeliciousPart.exe
Size

854KB
MD5

8432070440b9827f88a75bef7e65dd60
SHA1

6c7a2124b7076383f577eb0042f9ea917b2b4066
SHA256

459443def8fd0c940b2da33d9703fcf5771dbcd9ce4aff2dcc670528c1d1d3c1
SHA512

50d8ca74f51257b03678fcb9e98b8ad3eb412403d3b87efdba1dbf09af207aba6e21f849fe811600467e4d5803188ed8e521c407e8942adf0a002c1d937bbf61
SSDEEP

24576:ZY/1EAAfF8FU1lqbrkSqdKHYiJfLYkoDhsYPWLiK:8VAt8FU1lekSq0c68FK

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Deletes itself 1 IoCs

Processes:

Faced.pif

pid process

3152 Faced.pif
Executes dropped EXE 2 IoCs

Processes:

Faced.pifRegAsm.exe

pid process

3152 Faced.pif
1512 RegAsm.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3080 tasklist.exe
2996 tasklist.exe

pid	process
3080	tasklist.exe
2996	tasklist.exe

Drops file in Windows directory 5 IoCs

Processes:

DeliciousPart.exe

description	ioc	process
File opened for modification	C:\Windows\BasedBrakes	DeliciousPart.exe
File opened for modification	C:\Windows\ChapelSpoken	DeliciousPart.exe
File opened for modification	C:\Windows\TypesCroatia	DeliciousPart.exe
File opened for modification	C:\Windows\MotherboardLooking	DeliciousPart.exe
File opened for modification	C:\Windows\CiscoHarder	DeliciousPart.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DeliciousPart.execmd.execmd.exechoice.exefindstr.exetasklist.exefindstr.exetasklist.execmd.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeliciousPart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1712 schtasks.exe

pid	process
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

Faced.pif

pid	process
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif
3152	Faced.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2996 tasklist.exe
Token: SeDebugPrivilege 3080 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Faced.pif

pid process

3152 Faced.pif
3152 Faced.pif
3152 Faced.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Faced.pif

pid process

3152 Faced.pif
3152 Faced.pif
3152 Faced.pif

description	pid	process
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeDebugPrivilege	3080	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

DeliciousPart.execmd.exeFaced.pif

description	pid	process	target process
PID 1392 wrote to memory of 1516	1392	DeliciousPart.exe	cmd.exe
PID 1392 wrote to memory of 1516	1392	DeliciousPart.exe	cmd.exe
PID 1392 wrote to memory of 1516	1392	DeliciousPart.exe	cmd.exe
PID 1516 wrote to memory of 2996	1516	cmd.exe	tasklist.exe
PID 1516 wrote to memory of 2996	1516	cmd.exe	tasklist.exe
PID 1516 wrote to memory of 2996	1516	cmd.exe	tasklist.exe
PID 1516 wrote to memory of 5684	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 5684	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 5684	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 3080	1516	cmd.exe	tasklist.exe
PID 1516 wrote to memory of 3080	1516	cmd.exe	tasklist.exe
PID 1516 wrote to memory of 3080	1516	cmd.exe	tasklist.exe
PID 1516 wrote to memory of 2232	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 2232	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 2232	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 1384	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 1384	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 1384	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 2456	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 2456	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 2456	1516	cmd.exe	findstr.exe
PID 1516 wrote to memory of 908	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 908	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 908	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 3152	1516	cmd.exe	Faced.pif
PID 1516 wrote to memory of 3152	1516	cmd.exe	Faced.pif
PID 3152 wrote to memory of 1712	3152	Faced.pif	schtasks.exe
PID 3152 wrote to memory of 1712	3152	Faced.pif	schtasks.exe
PID 1516 wrote to memory of 1576	1516	cmd.exe	choice.exe
PID 1516 wrote to memory of 1576	1516	cmd.exe	choice.exe
PID 1516 wrote to memory of 1576	1516	cmd.exe	choice.exe
PID 3152 wrote to memory of 1512	3152	Faced.pif	RegAsm.exe
PID 3152 wrote to memory of 1512	3152	Faced.pif	RegAsm.exe
PID 3152 wrote to memory of 1512	3152	Faced.pif	RegAsm.exe
PID 3152 wrote to memory of 1512	3152	Faced.pif	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DeliciousPart.exe
"C:\Users\Admin\AppData\Local\Temp\DeliciousPart.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
3⤵
- System Location Discovery: System Language Discovery
PID:5684

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
3⤵
- System Location Discovery: System Language Discovery
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c md 349877
3⤵
- System Location Discovery: System Language Discovery
PID:1384

C:\Windows\SysWOW64\findstr.exe
findstr /V "ORDINANCECHILDHOODCONVERTENDORSED" Booty
3⤵
- System Location Discovery: System Language Discovery
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Norwegian + ..\Mysql + ..\Tours + ..\Awareness + ..\Picking K
3⤵
- System Location Discovery: System Language Discovery
PID:908

C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif
Faced.pif K
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /create /tn "BioMind" /tr "wscript //B 'C:\Users\Admin\AppData\Local\BioTech Dynamics\BioMind.js'" /sc onlogon /F /RL HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
4⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\choice.exe
choice /d y /t 15
3⤵
- System Location Discovery: System Language Discovery
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Temp\349877\K

Filesize
294KB

MD5
c2a4fd12d413dfc8e4b1e37b8f8aee94

SHA1
5164e8f38a29ac76b34d03cdc16ce273a58bb432

SHA256
6885fd9a711b7f8ba4d057eb6de0cee6e3ac5c193086220f0df473a293e54fd0

SHA512
2cce54656fb690e7c494a2cbb2f9d2c7599f42ef8f138647d0aefd5b4cd0b4bd7f1674221359c9acaf70b8f3548b80b9f97e31b49c3d40fd49b0d370c7664c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe

Filesize
63KB

MD5
15d0f3abfb5a3e38e83ea61a082ef934

SHA1
9ff4a64e44efdcd088dfe489466ed612fff1ef55

SHA256
1136010a4706295f80343fe364d90d5789288dead5ab0ed0e0981d29ad669bbc

SHA512
b33aa91069382a2f57275fbae3cd94bf477c13ab263ee07a94422da9bc3d43513df4016449d103953d87ca672ba9e5f83d854d17e9228e865f5c1753466eea5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awareness

Filesize
95KB

MD5
3d433702ad47521887f8f4c46367e188

SHA1
1f6a35c56aa019baefa709970d8710d5b6cc9a09

SHA256
a7d8e066479c17eeafc4732d28b38c713ad82e45008c138bb482a302dbce4907

SHA512
9f590f44dbd66218a2b3b3fcba7477f69ef4464d69337d67e021cdd883f0d4fc4b4125630f578754d1dae1a06296580d5f8c879dcb167bdc0906080b59b6bc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Booty

Filesize
5KB

MD5
456e8d3795990ee35e9cbc227cd15982

SHA1
9975e340561e157ac4e3c4c8fd33d7eef308268d

SHA256
c9a8704bdb3aced2af9ef516c6c1ea53145460a763d54bacf3da50f07fbee52e

SHA512
bbf344bee7a00522667aca111db321d9520ce5e986e4f7069343923553388321b95479897af013ce214783f23ce665980c67d2998373c3f61a1ce1c30bd93f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distributor

Filesize
1.0MB

MD5
350de0e31aa0d66122bd6f686c51a118

SHA1
6e97be100aca0c32186b29d0a1a01d0242bf92e3

SHA256
3e63313db20fe4d41a6d16f50df9dd632b44b519299f7729cc98f183804e0751

SHA512
3a45cb6b3d020d7006ba3813320024fb93ba8228674e474b061d078df39421c8900b25ef292bd5466a807a0bebf4e34deea585bf880cff7a8f3ef38a813775af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mysql

Filesize
91KB

MD5
ff82d720fafa65d0118b0158ca740524

SHA1
320a35c7ccb261719c4bce9eb102bf0644a6e70b

SHA256
388fb4562fb986384807fdacd20f6879b640c36fde7a2e954986f53305f4b533

SHA512
e43c701fe1635b2d84a9b39adc8d3bb7aeec81647cdacb5bce9a6298c98fa0da9d6858f7a7b8c72ad95a9ecf6874ad89fd33d06a9b400e3914db211552f6c392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norwegian

Filesize
52KB

MD5
2f1dd187a223dd7faead0d4bceeba5b3

SHA1
8d86c8e86f21103ad29f1f6862343c2712a69f23

SHA256
8687d07d8992cc9d82e7c30e09e02d5638ef497f1ca5f8162d6376f0ed82f2a6

SHA512
7e18885e9fcd7e7fdb3fe274ef961d69400f73e559872d58cc305f992296202097de81f3c845dd34d2d85b378fd98c0330cd4d5b15b9a4d1ca6155dcf0b12238

Download Submit
C:\Users\Admin\AppData\Local\Temp\Picking

Filesize
2KB

MD5
3a83957e84f93270c2bec9b39a578ce5

SHA1
68952c3e118405cf225796d6b5aa1c2bad16a0d6

SHA256
3dd565cfb94bf646f5b2b42efade7a4abe8ec67661fad5e4630492bb3bf7817c

SHA512
f8cc0ab08764b73622fae22687700957ce332d56150f863fef6cf4848129f2731ac559e2a6444d03c6a063c966b917c06ac8b79e5f615961bd84d179685254d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tall

Filesize
10KB

MD5
7bb1b88b0dad0d85e482bf27d8ed266f

SHA1
53621cae980c2232d1a06b834ee54f4cc551901c

SHA256
f06031fd4be1e9e5d057622752c9d1f1ce4511c2839f4b218b4d5fa89a783225

SHA512
cc479a4aed0568ddbf47d6e83d2a4f837fac47000244a7b6ceb81c02ab4480ae7a0dcf5d38cf05e179ff6fbc69e32e08041cdf65d52fe092de59fd3840d8a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tours

Filesize
54KB

MD5
b771cf4019629d56e8492691792498e5

SHA1
b9e9e1d4829e6125c4ffb5fc19fd779968ce2778

SHA256
2840fe24a2d9b7ca532c5f351469d50cc6bed0d37fb648753e940b49786be891

SHA512
e20551a1dc3a8dd7445eceaecb14570c7f7681fd6b6c8322c31cdcd27560f5206ad9162d7cd71128bb28432f35f95f002233c0b3f7eeaf43b8539d281b153d48

Download Submit
memory/1512-29-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1512-32-0x0000010B52980000-0x0000010B529AC000-memory.dmp

Filesize
176KB

Download