Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2024 01:15
Behavioral task: behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20241010-en
General
- Target: AsyncClient.exe
- Size: 47KB
- MD5: ee97dc0328ea5ef92cdadeb280891591
- SHA1: 916924ecdb96aa0ec227b12df2af8f5038f239ab
- SHA256: 44b6e2af6e5e547cfc9c2c3607bd7cda4785688b60720c5501968b536ce331c9
- SHA512: 52ecca0f00d47f9bffc50bb516988715ae2c1aaf96f3a5bb132619ebbd8a370c9eef0f33d5b67accc2ffe2187e60564fa353eef037b35be9159f17aad6e621c2
- SSDEEP: 768:Zu6ZdTAYhbJWUh9Nzmo2qLxRQSJPVW1QMCfPIKSxlJpmqH0bAYpHZ+6GGAPMtV0g:Zu6ZdTAur2uQadMC4KSrvUbAYqMAknkU
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: listed-academics.gl.at.ply.gg:10068
- Mutex: f7BTmla4eysw
- Attributes:
  - delay: 3
  - install: true
  - install_file: das.exe
  - install_folder: %AppData%

The C2 host is a subdomain of gl.at.ply.gg, the tunnel domain of the playit.gg relay service, so the operator's real endpoint sits behind the relay; the hostname and port pair is the usable network indicator. The delay of 3 seconds and the install settings (copy to %AppData%\das.exe) match the batch-file and scheduled-task behaviour recorded in the process tree below.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000800000001932a-13.dat, yara_rule: family_asyncrat
- Executes dropped EXE (1 IoC)
  PID 2900 das.exe
- Loads dropped DLL (1 IoC)
  PID 3000 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: timeout.exe, schtasks.exe, das.exe, AsyncClient.exe, cmd.exe, cmd.exe
- Delays execution with timeout.exe (1 IoC)
  PID 1780 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1516 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2652 AsyncClient.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2652 AsyncClient.exe
  Token: SeDebugPrivilege, PID 2900 das.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID  Process          Target PID  procid_target  Events
  2652        AsyncClient.exe  2300        31             4
  2652        AsyncClient.exe  3000        33             4
  2300        cmd.exe          1516        35             4
  3000        cmd.exe          1780        36             4
  3000        cmd.exe          2900        37             4
  Every source/target pair is a parent writing into a child it has just created (compare the process tree), which process creation does routinely; no write into an unrelated, pre-existing process is recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe (PID 2652)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2300)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1516)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (PID 3000)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAC5.tmp.bat""
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 1780)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\das.exe (PID 2900)
      Command line: "C:\Users\Admin\AppData\Roaming\das.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

The tree is the standard AsyncRAT install routine: the sample registers a logon-triggered task named "das" at the highest run level pointing at the %AppData% copy, writes a temporary batch file, and has cmd.exe wait (timeout 3, the configured delay) before launching the copy, which then requests SeDebugPrivilege like the original. The command lines name System32 but the images resolve to SysWOW64 because the 32-bit sample is subject to WoW64 file-system redirection. Remediation has to remove both the scheduled task and C:\Users\Admin\AppData\Roaming\das.exe, or the task re-launches the copy at the next logon.
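The detection logic below, an added example rather than anything from the sandbox report or from AsyncRAT, runs three heuristics for the chain shown in the Signatures and Processes sections over process-creation events: a schtasks /create that registers an onlogon task at the highest run level whose action points into AppData, a cmd.exe running a .bat from the user's Temp folder, and a cmd.exe that spawns timeout.exe followed by an executable from AppData\Roaming. It then ties the task registration and the delayed re-launch back to their nearest common ancestor, which is the installer. The events are constructed from the process tree above: images, command lines and PIDs are as reported, while the root process's parent PID (1), the ProcEvent record format and the rule names are assumptions of this example.

```python
"""Detection heuristics for the AsyncRAT install chain recorded above.

Added example, not part of the sandbox report or of AsyncRAT itself.
The events below are constructed from the report's process tree: images,
command lines and PIDs are as reported; the parent PID of the root
process (1) and the event format are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample data modelled on the report's process tree.
EVENTS = [
    ProcEvent(2652, 1, r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'),
    ProcEvent(2300, 2652, r"C:\Windows\SysWOW64\cmd.exe",
              r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon """
              r"""/rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"' & exit"""),
    ProcEvent(1516, 2300, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "das" """
              r"""/tr '"C:\Users\Admin\AppData\Roaming\das.exe"'"""),
    ProcEvent(3000, 2652, r"C:\Windows\SysWOW64\cmd.exe",
              r'''cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAC5.tmp.bat""'''),
    ProcEvent(1780, 3000, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2900, 3000, r"C:\Users\Admin\AppData\Roaming\das.exe",
              r'"C:\Users\Admin\AppData\Roaming\das.exe"'),
]

SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
ONLOGON = re.compile(r"/sc\s+onlogon\b", re.I)
HIGHEST = re.compile(r"/rl\s+highest\b", re.I)
TASK_ACTION = re.compile(r'''/tr\s+['"]+([^'"]+)''', re.I)
# User-writable locations a persistent, highest-run-level task should not point into.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
TEMP_BAT = re.compile(r'[A-Za-z]:\\[^"\'\s]*\\AppData\\Local\\Temp\\[^"\'\s]+\.bat\b', re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)


def persistence_task_hits(events):
    """Rule 1: schtasks /create registering a logon-triggered task at the
    highest run level whose action lives under the user's AppData.
    Both the cmd.exe wrapper and schtasks.exe itself match; a real pipeline
    would de-duplicate on the task name."""
    hits = []
    for ev in events:
        c = ev.cmdline
        if not (SCHTASKS_CREATE.search(c) and ONLOGON.search(c) and HIGHEST.search(c)):
            continue
        m = TASK_ACTION.search(c)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append((ev.pid, m.group(1)))
    return hits


def temp_batch_hits(events):
    """Rule 2: cmd.exe executing a .bat dropped in the user's Temp folder."""
    hits = []
    for ev in events:
        if ev.image.lower().endswith("\\cmd.exe"):
            m = TEMP_BAT.search(ev.cmdline)
            if m:
                hits.append((ev.pid, m.group(0)))
    return hits


def delayed_dropper_hits(events):
    """Rule 3: a cmd.exe whose children include timeout.exe and an executable
    under AppData\\Roaming, i.e. the 'wait, then run the installed copy' batch."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        kids = children[ev.pid]
        waited = any(k.image.lower().endswith("\\timeout.exe") for k in kids)
        dropped = [k.image for k in kids if ROAMING_EXE.search(k.image)]
        if waited and dropped:
            hits.append((ev.pid, dropped[0]))
    return hits


def lineage(by_pid, pid):
    """PIDs from pid up through every ancestor present in the event set."""
    out = []
    while pid in by_pid:
        out.append(pid)
        pid = by_pid[pid].ppid
    return out


def asyncrat_install_chains(events):
    """Correlate rules 1 and 3: the nearest common ancestor of a suspicious
    task registration and a delayed re-launch from Roaming is the installer."""
    by_pid = {ev.pid: ev for ev in events}
    roots = set()
    for task_pid, _ in persistence_task_hits(events):
        task_line = lineage(by_pid, task_pid)
        for drop_pid, _ in delayed_dropper_hits(events):
            drop_line = set(lineage(by_pid, drop_pid))
            common = next((p for p in task_line if p in drop_line), None)
            if common is not None:
                roots.add(common)
    return sorted(roots)


if __name__ == "__main__":
    for name, fn in (("persistence task", persistence_task_hits),
                     ("temp batch", temp_batch_hits),
                     ("delayed dropper", delayed_dropper_hits)):
        for pid, detail in fn(EVENTS):
            print(f"[{name}] pid={pid} {detail}")
    print("install chain root PIDs:", asyncrat_install_chains(EVENTS))
```

On the report's events the three rules fire on PIDs 2300 and 1516 (task registration), 3000 (batch from Temp) and 3000 (timeout followed by das.exe), and the correlation resolves to PID 2652, the original AsyncClient.exe. Rule 1 alone is the one worth running broadly: legitimate software rarely registers a highest-run-level logon task whose action is an executable in the user profile, and the same check catches any install_folder value, not just %AppData%.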
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 147B
  MD5: e9a5a6dba9efe7fe40c1c8a4643e02aa
  SHA1: 1bb333c33d0c7a907fdc9badb5e855d6d5914c64
  SHA256: 819336b31ab119c2de975b2267ce2455af32a5753247db92952e17e56fc2cda3
  SHA512: db112bec9a1d2e79cd5c80557eb08ed7fe8341f9780d5a8e436a9d49991f85b5c03ad42658f91e2120df65159cc3cd48f9d485e5280f9dd2514ff64829b7acf2
- Filesize: 47KB
  MD5: ee97dc0328ea5ef92cdadeb280891591
  SHA1: 916924ecdb96aa0ec227b12df2af8f5038f239ab
  SHA256: 44b6e2af6e5e547cfc9c2c3607bd7cda4785688b60720c5501968b536ce331c9
  SHA512: 52ecca0f00d47f9bffc50bb516988715ae2c1aaf96f3a5bb132619ebbd8a370c9eef0f33d5b67accc2ffe2187e60564fa353eef037b35be9159f17aad6e621c2
  All four hashes equal those of the submitted sample, so the dropped 47KB file is a byte-for-byte copy of AsyncClient.exe, consistent with the das.exe copy written to %AppData%; the report does not name the 147B file.