Analysis
max time kernel: 593s
max time network: 1051s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-12-2024 19:08
General
Target: AsyncClient.exe
Size: 45KB
MD5: 87b6917db381131a861ba84d4269b0bd
SHA1: 801e58b238a02f2d0bb972ee230e77f4bfe4baa1
SHA256: 02d242ea2f9251a46c8fc7fdc8a7c00a64491f015b3b8dbe11ff7afaff3fa7c9
SHA512: b297874e06ff77aa8115f9935a7b13fd34a472f904f960708f9c8c86881c6256834362fe8bbdee35914a132d9db4b5fc7f2fb6d418f042cbf5d8a89c5bf5fb6e
SSDEEP: 768:/u67dTAYhbJWUh9Nzmo2qLIKjPGaG6PIyzjbFgX3iuzTMsfaP9c9CysmBDZER:/u67dTAur2RKTkDy3bCXSoMWaP9QjdER
Malware Config
Extracted: asyncrat 0.5.8
Default
C2 endpoints:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
149.143.127.81:6606
149.143.127.81:7707
149.143.127.81:8808
RPDOrlBP5iQP
delay: 3
install: true
install_file: Update.exe
install_folder: %Temp%
Signatures
Asyncrat family
Async RAT payload (1 IoC)
  resource: behavioral1/files/0x001c00000002ab84-12.dat
  yara_rule: family_asyncrat
Executes dropped EXE (1 IoC)
  pid 2084 Update.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by AsyncClient.exe, cmd.exe, cmd.exe, timeout.exe, schtasks.exe, Update.exe
  This fires for every process in the chain, including cmd.exe and timeout.exe, so on its own it carries little signal.
Delays execution with timeout.exe (1 IoC)
  pid 964 timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid 4584 AsyncClient.exe (17 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4584 AsyncClient.exe
  Token: SeDebugPrivilege, pid 2084 Update.exe (2 events)
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4584 (AsyncClient.exe) wrote to memory of 2824, procid_target 78 (3 events)
  PID 4584 (AsyncClient.exe) wrote to memory of 1772, procid_target 80 (3 events)
  PID 1772 (cmd.exe) wrote to memory of 964, procid_target 82 (3 events)
  PID 2824 (cmd.exe) wrote to memory of 3056, procid_target 83 (3 events)
  PID 1772 (cmd.exe) wrote to memory of 2084, procid_target 84 (3 events)
  Each target is the writer's direct child in the process tree below, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
AsyncClient.exe, PID 4584 (level 1)
  Image: C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  cmd.exe, PID 2824 (level 2, parent 4584)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Local\Temp\Update.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    schtasks.exe, PID 3056 (level 3, parent 2824)
      Image: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Local\Temp\Update.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  cmd.exe, PID 1772 (level 2, parent 4584)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB8D.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    timeout.exe, PID 964 (level 3, parent 1772)
      Image: C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
    Update.exe, PID 2084 (level 3, parent 1772)
      Image: C:\Users\Admin\AppData\Local\Temp\Update.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Parent PIDs follow from the tree depth and the WriteProcessMemory entries above. The child images sit in SysWOW64 although the command lines name System32: the sample runs as a 32-bit process, so WOW64 file-system redirection applies to the paths it launches.
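The tree above is the install routine the extracted config describes (install true, install_file Update.exe, install_folder %Temp%, delay 3): a scheduled task triggered at logon and pointing at %Temp%\Update.exe, then a dropped batch file that sleeps with timeout (the value matches the config's delay of 3) before launching the copy. As an added example, not part of the sandbox report, the Python below runs those three checks over process-creation events of the kind Sysmon event ID 1 or EDR telemetry provides (pid, parent pid, image path, command line). The sample events are constructed from this report's tree; the parent PID 1000 of the initial process and the benign control event with PID 5000 are assumptions, and the rule names are mine.

```python
"""Hunt for the AsyncRAT install chain (schtasks onlogon task into %Temp%,
tmpXXXX.tmp.bat launcher, timeout-then-run of the dropped EXE) in
process-creation events. Added example, not code from the sandbox report."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# install_folder in this report's config is %Temp%, which expands to the user's
# AppData\Local\Temp; the regexes below key on that location.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TMP_BAT_RE = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.bat", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"/tr\s+'?\"?([^\"']+)", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def rule_schtasks_onlogon_temp(ev):
    """schtasks /create with an onlogon trigger whose /tr target lives in %Temp%."""
    if basename(ev.image) != "schtasks.exe":
        return None
    cl = ev.cmdline.lower()
    if "/create" not in cl or "/sc onlogon" not in cl:
        return None
    m = TASK_TARGET_RE.search(ev.cmdline)
    if not m or not TEMP_RE.search(m.group(1)):
        return None
    severity = "high" if "/rl highest" in cl else "medium"
    return ("schtasks_onlogon_temp", severity, f"task target {m.group(1)}")


def rule_temp_batch_launcher(ev):
    """cmd.exe running a tmpXXXX.tmp.bat, the dropper's delay-and-launch script."""
    if basename(ev.image) == "cmd.exe" and TMP_BAT_RE.search(ev.cmdline):
        return ("temp_batch_launcher", "medium", "batch script in %Temp%")
    return None


def rule_delayed_dropper_exec(ev, by_pid, children):
    """EXE under %Temp% started by a cmd.exe that also ran timeout.exe."""
    if not TEMP_RE.search(ev.image):
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or basename(parent.image) != "cmd.exe":
        return None
    siblings = children.get(parent.pid, [])
    if any(basename(s.image) == "timeout.exe" for s in siblings):
        return ("delayed_dropper_exec", "high", f"parent cmd.exe {parent.pid} slept before launch")
    return None


def ancestry(ev, by_pid):
    """Image basenames from the oldest known ancestor down to ev, for triage context."""
    chain, seen = [basename(ev.image)], {ev.pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        seen.add(ev.pid)
        chain.append(basename(ev.image))
    return list(reversed(chain))


def detect(events):
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        for hit in (rule_schtasks_onlogon_temp(e), rule_temp_batch_launcher(e),
                    rule_delayed_dropper_exec(e, by_pid, children)):
            if hit:
                rule, severity, detail = hit
                findings.append({"pid": e.pid, "rule": rule, "severity": severity,
                                 "detail": detail, "chain": ancestry(e, by_pid)})
    return findings


# Constructed sample events taken from the report's process tree.
TASK_ARGS = ("schtasks /create /f /sc onlogon /rl highest /tn \"Update\" "
             "/tr '\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\"'")
SAMPLE_EVENTS = [
    # parent PID 1000 for the initial sample is assumed; the report does not give it
    ProcEvent(4584, 1000, r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'),
    ProcEvent(2824, 4584, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + TASK_ARGS + " & exit"),
    ProcEvent(3056, 2824, r"C:\Windows\SysWOW64\schtasks.exe", TASK_ARGS),
    ProcEvent(1772, 4584, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB8D.tmp.bat""'),
    ProcEvent(964, 1772, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2084, 1772, r"C:\Users\Admin\AppData\Local\Temp\Update.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Update.exe"'),
    # constructed benign control: a logon task pointing at an installed program
    ProcEvent(5000, 4000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /tn "Backup" /tr "C:\Program Files\Backup\agent.exe"'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['rule']}: {f['detail']} "
              f"({' -> '.join(f['chain'])})")
```

Run against the sample events it reports three findings (the schtasks child, the batch-launching cmd.exe and Update.exe) and nothing for the benign task under Program Files; the onlogon check alone is too noisy, and it is the %Temp% target, the /rl highest flag and the cmd.exe-with-timeout parent that separate this chain from legitimate task creation.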
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (same hashes as the submitted AsyncClient.exe)
Filesize: 45KB
MD5: 87b6917db381131a861ba84d4269b0bd
SHA1: 801e58b238a02f2d0bb972ee230e77f4bfe4baa1
SHA256: 02d242ea2f9251a46c8fc7fdc8a7c00a64491f015b3b8dbe11ff7afaff3fa7c9
SHA512: b297874e06ff77aa8115f9935a7b13fd34a472f904f960708f9c8c86881c6256834362fe8bbdee35914a132d9db4b5fc7f2fb6d418f042cbf5d8a89c5bf5fb6e
File 2 (filename not given in the report)
Filesize: 153B
MD5: 4f946ceede07e1fe72af75c977402e11
SHA1: 1f1a163ef7a732c6b0c92ab271ead3f0004ecd19
SHA256: fae927a9998ed553ff4526487c7ab2cd2339fc2732db9ce1298c97bd827c6a7d
SHA512: 4a14c4d2e4a6868167517cc26c196c20c4e9d9182014e8c3ab38c5e2c65e5745561084b4db9148f1eba1a7597b9a4ac01d66a365f6bdcedb454c888f204db7ff