Overview

overview

10

Static

static

10

AsyncClient (1).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AsyncClient (1).exe

  • Size

    47KB

  • MD5

    f65631d6798eaa350884e4f996f7f6a9

  • SHA1

    a913ae3757728dc296bc1076147eb840e887d8fc

  • SHA256

    e0f9ca55f06233cd4e2a7e4cf77fb678a9cff34b548c85ea7c2cdf7ede07270c

  • SHA512

    e0c73a639c5236a9cb1800732c736c3a3071e50660495517e43b55b815eb99d0faf74f04e3de79e9fa112b6a09721d178f3b3929585fbfdb5bee2cda95b6bd0e

  • SSDEEP

    768:xuyxNTAoZjRWUJd9bmo2qL5+Cr96UGMRPIom7e7PesJ0bFm3sJsynjSY1zeBDZMx:xuyxNTAGL2xuCMOom7ebRubFm3kZlMdO

Score
10/10
asyncratdefaultdiscoverypersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

between-reprint.gl.at.ply.gg:5942

Mutex

CKnrCmvLB4KG

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient (1).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp395D.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2108
      • C:\Users\Admin\AppData\Roaming\Windows.exe
        "C:\Users\Admin\AppData\Roaming\Windows.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:540
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4828
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:1340
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1580
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:4416
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:1060
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:1180
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:2208
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:3860
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:4172
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3612

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                      Filesize

                      471B

                      MD5

                      99ba6b7f0f3ec8d66a8b6a80669c7b3d

                      SHA1

                      33ad0940219903cb4f9cf461b4f4bb711b9919f3

                      SHA256

                      d3b813690dfc256c53b3af9fc4015f5aa3344abb4416ce0d79bc2ce6603d299b

                      SHA512

                      eb9f31ef0c68f76f91ab1b0fe9d6c04237fa5dc1889d9ee31ae4186588d5da3903ccee6f8c25a9fd5c870364594798d3d5bcf462bef46cb301ae3acf29d4044c

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                      Filesize

                      412B

                      MD5

                      92ff4dd76890ee2b321f59bf2a3331fb

                      SHA1

                      8776d36e6f6f685f650f291a742d684090dc795c

                      SHA256

                      f28431be94147c57367e0689d399352f4c1265ce63503054d549a7aa4eb66230

                      SHA512

                      4c84248ea43f2e040173735edbf8f83894268bd15b49dc10f6bacc5810ec2ba0dd273f8c6819a6f00649d50744252dabce52afdd00268fa4b3983d8f7328ece4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp395D.tmp.bat
                      Filesize

                      151B

                      MD5

                      2e3407a9905d00d93562843c8d557d3e

                      SHA1

                      05fdffcbff642d0c343d4005b377fcafe7c4b22f

                      SHA256

                      dab8782afbd055e7ca6205df29f70d0ba5eaa658323a0923bd1b7c780b685278

                      SHA512

                      d84d56b094e7f58a78bbc6e42647bd6a0a5866dc8e54ea8bbe31a40a3fa86515e0bd588782c268e9ad1d7a5f655697fac9f5ab9e34f0148563d5d1801f36cbc3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Windows.exe
                      Filesize

                      47KB

                      MD5

                      f65631d6798eaa350884e4f996f7f6a9

                      SHA1

                      a913ae3757728dc296bc1076147eb840e887d8fc

                      SHA256

                      e0f9ca55f06233cd4e2a7e4cf77fb678a9cff34b548c85ea7c2cdf7ede07270c

                      SHA512

                      e0c73a639c5236a9cb1800732c736c3a3071e50660495517e43b55b815eb99d0faf74f04e3de79e9fa112b6a09721d178f3b3929585fbfdb5bee2cda95b6bd0e

                      Download Submit

                    • memory/540-33-0x0000000007100000-0x0000000007192000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/540-29-0x00000000065F0000-0x0000000006B94000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/540-30-0x0000000006E20000-0x0000000006E96000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/540-31-0x0000000006DA0000-0x0000000006E08000-memory.dmp

                      Filesize

                      416KB

                      Download

                    • memory/540-32-0x0000000006F10000-0x0000000006F2E000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/540-34-0x0000000007530000-0x0000000007590000-memory.dmp

                      Filesize

                      384KB

                      Download

                    • memory/1060-45-0x0000000003190000-0x0000000003191000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2208-46-0x000001B891580000-0x000001B891680000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/2208-51-0x000001B8925A0000-0x000001B8925C0000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/2208-64-0x000001B892560000-0x000001B892580000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/2208-82-0x000001B892970000-0x000001B892990000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/4828-11-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-21-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-17-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-19-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-20-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-22-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-23-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-18-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-13-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4828-12-0x000002A8350E0000-0x000002A8350E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4984-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4984-10-0x0000000074A60000-0x0000000075210000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/4984-4-0x00000000055D0000-0x000000000566C000-memory.dmp

                      Filesize

                      624KB

                      Download

                    • memory/4984-3-0x0000000005140000-0x00000000051A6000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/4984-2-0x0000000074A60000-0x0000000075210000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/4984-1-0x00000000007A0000-0x00000000007B2000-memory.dmp

                      Filesize

                      72KB

                      Download