asyncrat | 5ccd9ffc7816ab61d788ea00ae0db035cd84e5410a8ac9bb26d21008666e4bcb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Widows Defender.exe
Size

63KB
MD5

6ba07796ba7c18a6cacc048276e43592
SHA1

1eced49b42a4bc2a80d7f458173f9b05408ce6ff
SHA256

5ccd9ffc7816ab61d788ea00ae0db035cd84e5410a8ac9bb26d21008666e4bcb
SHA512

f4e058fea4c33bfed9c52ad6952eb0e6e649a54e46fbfc90101a0a39ea1a894525206c9b791d8710fe104a7fde9e09648f601058f5b9604ed8847d09cfbdf400
SSDEEP

768:wh6d2hP4Wo783IC8A+XqTuCY79VpTnBEP1+T4uSBGHmDbDDphWoXzHi4fSucdpqM:Di4WkYuJ9t8tYUbBhHfKucdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

w-delivery.gl.at.ply.gg:3149

Attributes

delay
1
install
true
install_file
Registry.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023c9d-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Widows Defender.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Widows Defender.exe

Executes dropped EXE 1 IoCs

Processes:

Registry.exe

pid	Process
2856	Registry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
5116	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Widows Defender.exetaskmgr.exe

pid	Process
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
3716	Widows Defender.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
1764	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Widows Defender.exeRegistry.exetaskmgr.exe

description	pid	Process
Token: SeDebugPrivilege	3716	Widows Defender.exe
Token: SeDebugPrivilege	3716	Widows Defender.exe
Token: SeDebugPrivilege	2856	Registry.exe
Token: SeDebugPrivilege	2856	Registry.exe
Token: SeDebugPrivilege	1764	taskmgr.exe
Token: SeSystemProfilePrivilege	1764	taskmgr.exe
Token: SeCreateGlobalPrivilege	1764	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Widows Defender.execmd.execmd.exe

description	pid	Process	procid_target
PID 3716 wrote to memory of 1064	3716	Widows Defender.exe	84
PID 3716 wrote to memory of 1064	3716	Widows Defender.exe	84
PID 3716 wrote to memory of 1976	3716	Widows Defender.exe	86
PID 3716 wrote to memory of 1976	3716	Widows Defender.exe	86
PID 1976 wrote to memory of 5116	1976	cmd.exe	88
PID 1976 wrote to memory of 5116	1976	cmd.exe	88
PID 1064 wrote to memory of 1108	1064	cmd.exe	89
PID 1064 wrote to memory of 1108	1064	cmd.exe	89
PID 1976 wrote to memory of 2856	1976	cmd.exe	93
PID 1976 wrote to memory of 2856	1976	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Widows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Widows Defender.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp948F.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5116
- - C:\Users\Admin\AppData\Roaming\Registry.exe
    "C:\Users\Admin\AppData\Roaming\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp948F.tmp.bat

Filesize
152B

MD5
b668bc59b7b0e4b02f8d826cc97f7e1a

SHA1
60533cba0c237a43e806902cae3c783bb095052e

SHA256
6803bce81d39f32d52f2b5e779f9a3aca4686b488b0b6f577d2b48c8114992b9

SHA512
dfc5a3d33959b69dc175795ebe782f069f81b2d8e350d245d4b642b03b217ee17c7fb7603d55bed025e025dd68bd5d41e9343a57f6b03c26050f1507aaca0bc2

Download Submit
C:\Users\Admin\AppData\Roaming\Registry.exe

Filesize
63KB

MD5
6ba07796ba7c18a6cacc048276e43592

SHA1
1eced49b42a4bc2a80d7f458173f9b05408ce6ff

SHA256
5ccd9ffc7816ab61d788ea00ae0db035cd84e5410a8ac9bb26d21008666e4bcb

SHA512
f4e058fea4c33bfed9c52ad6952eb0e6e649a54e46fbfc90101a0a39ea1a894525206c9b791d8710fe104a7fde9e09648f601058f5b9604ed8847d09cfbdf400

Download Submit
memory/1764-24-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-23-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-19-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-20-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-22-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-13-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-14-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-15-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-21-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/1764-25-0x000001D723E30000-0x000001D723E31000-memory.dmp

Filesize
4KB

Download
memory/3716-1-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/3716-0-0x00007FFB668C3000-0x00007FFB668C5000-memory.dmp

Filesize
8KB

Download
memory/3716-8-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download
memory/3716-2-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download
memory/3716-7-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download