Analysis
-
max time kernel
1049s -
max time network
443s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
31-10-2024 06:10
General
-
Target
AsyncClient.exe
-
Size
45KB
-
MD5
2e60471cc06ae9e107c9c446feab2306
-
SHA1
77925495dc0ff1ba87ff3d037056f21446e2d21d
-
SHA256
b88fad07ba2812f8023fd20a5939192c7932efa99b7c00953e532f77c0896ce6
-
SHA512
407ec9fcf2557233376da167f975b9ba9252a5d564b056c2aeb590390eda3309eca5cbaa57ea70691b5826359d22edb2c655c2d1b19ddfc825b10184f620ab84
-
SSDEEP
768:mu/dRTUo0HQbWUnmjSmo2qMwKjPGaG6PIyzjbFgX3iieuFYrK8I/IBDZyx:mu/dRTUPE2kKTkDy3bCXSLuFIImdyx
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
q7jNlmGQlMHA
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AsyncClient.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AsyncClient.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exepid process 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 2328 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 2328 taskmgr.exe Token: SeSystemProfilePrivilege 2328 taskmgr.exe Token: SeCreateGlobalPrivilege 2328 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"1⤵
- System Location Discovery: System Language Discovery
PID:1644
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328