Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2024 01:15
Behavioral task
behavioral1
Sample: AsyncClient.exe
Resource: win7-20241010-en
General
Target: AsyncClient.exe
Size: 47KB
MD5: ee97dc0328ea5ef92cdadeb280891591
SHA1: 916924ecdb96aa0ec227b12df2af8f5038f239ab
SHA256: 44b6e2af6e5e547cfc9c2c3607bd7cda4785688b60720c5501968b536ce331c9
SHA512: 52ecca0f00d47f9bffc50bb516988715ae2c1aaf96f3a5bb132619ebbd8a370c9eef0f33d5b67accc2ffe2187e60564fa353eef037b35be9159f17aad6e621c2
SSDEEP: 768:Zu6ZdTAYhbJWUh9Nzmo2qLxRQSJPVW1QMCfPIKSxlJpmqH0bAYpHZ+6GGAPMtV0g:Zu6ZdTAur2uQadMC4KSrvUbAYqMAknkU
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: listed-academics.gl.at.ply.gg:10068
Mutex: f7BTmla4eysw
Attributes:
- delay: 3
- install: true
- install_file: das.exe
- install_folder: %AppData%
The C2 host is a *.ply.gg name, i.e. a playit.gg tunnel endpoint, so the address identifies a relay in front of the operator rather than their own infrastructure; hunt and block on the full hostname and port, not the parent domain alone. The install attributes are what the process tree below shows being carried out: a copy named das.exe under %AppData%, started after a 3-second delay.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0009000000023c37-11.dat   yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation   Process: AsyncClient.exe
- Executes dropped EXE (1 IoC)
  PID 3892   Process: das.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Processes: cmd.exe (x2), schtasks.exe, timeout.exe, das.exe, AsyncClient.exe
  Caveat: every process in the tree opens this key, including the built-in cmd.exe, schtasks.exe and timeout.exe, so on its own it carries no signal; the geofence lookup above and the persistence chain below are the behaviours worth weighting.
- Delays execution with timeout.exe (1 IoC)
  PID 1892   Process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1080   Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 3336   Process: AsyncClient.exe (all 23 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege   PID 3336   Process: AsyncClient.exe
  Token: SeDebugPrivilege   PID 3892   Process: das.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Each child launch is recorded as three writes; procid_target is the sandbox's own index for the target process.
  PID 3336 AsyncClient.exe wrote to 4204 cmd.exe (x3, procid_target 86)
  PID 3336 AsyncClient.exe wrote to 4908 cmd.exe (x3, procid_target 88)
  PID 4204 cmd.exe wrote to 1080 schtasks.exe (x3, procid_target 90)
  PID 4908 cmd.exe wrote to 1892 timeout.exe (x3, procid_target 91)
  PID 4908 cmd.exe wrote to 3892 das.exe (x3, procid_target 96)
  Every target is a process the writer itself spawned (compare the process tree), which is consistent with the writes a parent makes into a newly created child rather than with injection into an unrelated process.
Processes
Indentation shows parent/child depth (the original page marks it 1, 2, 3). Each entry lists the image path, then the command line as executed.
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe   "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3336
    C:\Windows\SysWOW64\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4204
        C:\Windows\SysWOW64\schtasks.exe   schtasks /create /f /sc onlogon /rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"'
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 1080
    C:\Windows\SysWOW64\cmd.exe   C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D3A.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4908
        C:\Windows\SysWOW64\timeout.exe   timeout 3
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
        PID: 1892
        C:\Users\Admin\AppData\Roaming\das.exe   "C:\Users\Admin\AppData\Roaming\das.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3892
Reading the tree: the first cmd.exe registers an on-logon scheduled task named das that launches the %AppData% copy; /f overwrites any existing task of that name, and /rl highest only yields an elevated token when the creating user is an administrator, otherwise the task still runs as that user. The second cmd.exe runs a dropped batch file from %Temp% that waits (timeout 3, the config's delay of 3) and then starts das.exe, which re-enables SeDebugPrivilege just as the original did. The image paths resolve to SysWOW64 even though the command lines name System32: the sample is a 32-bit process on 64-bit Windows (arch:x86 in the resource tags), so file-system redirection applies, and a detection keyed on the literal System32 path would miss these launches.
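The process tree above is the whole AsyncRAT install chain, and it is the part worth a detection. The following is an added example, not code from the sandbox or from AsyncRAT: it runs three rules over a constructed Sysmon-style process-creation log (JSON lines with the Event ID 1 field names Image, CommandLine, ProcessId, ParentProcessId) that mirrors the PIDs and command lines from the tree, plus one constructed benign schtasks event (PID 5120, a task for a Program Files path) to show the persistence rule does not fire on ordinary task creation. The root parent PID 2460 is likewise constructed, since the page does not show the sample's parent.

```python
"""Detect the AsyncRAT install chain seen in the sandbox process tree.

Added example (not part of the report). Input is a constructed JSON-lines
process-creation log using Sysmon Event ID 1 field names.
"""
import json
import re
from collections import defaultdict

# Constructed log. PIDs, images and command lines follow the report's tree;
# the root parent PID 2460 and the benign PID 5120 event are made up.
SAMPLE_LOG = r'''
{"ProcessId": 3336, "ParentProcessId": 2460, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\AsyncClient.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AsyncClient.exe\""}
{"ProcessId": 4204, "ParentProcessId": 3336, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c schtasks /create /f /sc onlogon /rl highest /tn \"das\" /tr '\"C:\\Users\\Admin\\AppData\\Roaming\\das.exe\"' & exit"}
{"ProcessId": 1080, "ParentProcessId": 4204, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe", "CommandLine": "schtasks /create /f /sc onlogon /rl highest /tn \"das\" /tr '\"C:\\Users\\Admin\\AppData\\Roaming\\das.exe\"'"}
{"ProcessId": 4908, "ParentProcessId": 3336, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9D3A.tmp.bat\"\""}
{"ProcessId": 1892, "ParentProcessId": 4908, "Image": "C:\\Windows\\SysWOW64\\timeout.exe", "CommandLine": "timeout 3"}
{"ProcessId": 3892, "ParentProcessId": 4908, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\das.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Roaming\\das.exe\""}
{"ProcessId": 5120, "ParentProcessId": 2460, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /f /sc onlogon /rl highest /tn \"Backup\" /tr \"C:\\Program Files\\Backup\\agent.exe\""}
'''

# Rule 1: schtasks creating an on-logon task at highest run level whose
# action lives under AppData\Roaming (the config's %AppData% install folder).
SCHTASKS_PERSIST = re.compile(
    r"schtasks(?:\.exe)?\s+/create\b"
    r"(?=.*\s/sc\s+onlogon\b)"
    r"(?=.*\s/rl\s+highest\b)"
    r"(?=.*\s/tr\s+\S*\\appdata\\roaming\\)",
    re.IGNORECASE,
)
# Rule 2: cmd.exe /c executing a .bat dropped in the user's Temp directory.
TEMP_BAT = re.compile(r"\\appdata\\local\\temp\\[^\"\s]+\.bat\b", re.IGNORECASE)
# Rule 3: an executable image under AppData\Roaming.
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines events into dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_asyncrat_install(events):
    """Return (rule_name, pid) findings in event order."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for e in events:
        image, cmd = basename(e["Image"]), e["CommandLine"]
        # Match on the schtasks.exe process itself, not the cmd wrapper,
        # so one task creation yields one finding.
        if image == "schtasks.exe" and SCHTASKS_PERSIST.search(cmd):
            findings.append(("schtasks_onlogon_highest_roaming", e["ProcessId"]))
        if image == "cmd.exe" and "/c" in cmd.lower() and TEMP_BAT.search(cmd):
            findings.append(("cmd_runs_temp_bat", e["ProcessId"]))
        if ROAMING_EXE.search(e["Image"]):
            # Delayed start: parent is cmd.exe and a sibling is timeout.exe,
            # i.e. the batch-file pattern from the tree.
            parent = by_pid.get(e["ParentProcessId"])
            siblings = {basename(s["Image"]) for s in children[e["ParentProcessId"]]}
            if parent and basename(parent["Image"]) == "cmd.exe" and "timeout.exe" in siblings:
                findings.append(("delayed_exec_from_roaming", e["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_asyncrat_install(parse_events(SAMPLE_LOG)):
        print(f"{rule}: pid {pid}")
```

The rules key on the behaviour rather than on the file name das.exe or the task name, both of which the builder lets the operator choose; the image path is matched case-insensitively and without the System32/SysWOW64 prefix so the WOW64 redirection seen in the tree does not matter.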
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 147B (unnamed on the page; the size is consistent with the dropped batch file tmp9D3A.tmp.bat that cmd.exe runs above)
  MD5: 949f7f8e83bd27df2c828105845cd1da
  SHA1: 93f141b01ef5aaea9b027c374934a80565bd7b1b
  SHA256: 359d9fa4999b07b1057bdefa91e9ae8b261c0bfad036484391f4b17662b1b39c
  SHA512: 20dbea08aa1c1196574154ebbd27d46e60af8d642f35128bcd4cf3972767673f678fe2e978193b76906d0634f08a305df7eeff56460e9893d0d31b1531b412a2
- Filesize: 47KB (every hash matches the submitted AsyncClient.exe, so this is a byte-for-byte self-copy, as expected for the install_file das.exe in the config; the sample's own hashes therefore also cover the persisted copy)
  MD5: ee97dc0328ea5ef92cdadeb280891591
  SHA1: 916924ecdb96aa0ec227b12df2af8f5038f239ab
  SHA256: 44b6e2af6e5e547cfc9c2c3607bd7cda4785688b60720c5501968b536ce331c9
  SHA512: 52ecca0f00d47f9bffc50bb516988715ae2c1aaf96f3a5bb132619ebbd8a370c9eef0f33d5b67accc2ffe2187e60564fa353eef037b35be9159f17aad6e621c2