Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 17:24
Behavioral task: behavioral1
Sample: AsyncClient.exe
Resource: win7-20241010-en
General
Target: AsyncClient.exe
Size: 45KB
MD5: b77efa9b19b5b1b63264632c6b9dc749
SHA1: b31eb2953de482cdcced69283032fbc8ca6b1042
SHA256: af864a8fd8576810fdf0171c9983280536199bafc68cc37a5d532ceff71fff88
SHA512: 2d602f3a99131a9d691b952416de0c0e098a2f680deb425034458db26240d32d9e98ac6e636ab1ac15f51f37dc6551197aacd4171e623dcd4fa676ae971cd84c
SSDEEP: 768:+uynFTMIGZ8btAWUu7y6mo2q8YKjPGaG6PIyzjbFgX3iQjEZsTNt77R1CtBDZqx:+uynFTMtkf2MKTkDy3bCXSQ/3dCdqx
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 192.168.0.174:8808
Mutex: bsOjaqZKQz62
Attributes:
  delay: 3
  install: true
  install_file: dad.exe
  install_folder: %AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource: behavioral2/files/0x000200000001e746-11.dat, yara_rule: family_asyncrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: AsyncClient.exe)
Executes dropped EXE 1 IoCs
PID 3588: dad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
  dad.exe
  AsyncClient.exe
  cmd.exe
  cmd.exe
  timeout.exe
  schtasks.exe
Delays execution with timeout.exe 1 IoCs
PID 4528: timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 3084: schtasks.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
PID 3764: AsyncClient.exe (23 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 3764: AsyncClient.exe
Token: SeDebugPrivilege, PID 3588: dad.exe
Suspicious use of WriteProcessMemory 15 IoCs
Source PID / process -> target PID (procid_target); each entry appears three times in the raw log:
  PID 3764 AsyncClient.exe wrote to memory of 2692 (procid_target 83)
  PID 3764 AsyncClient.exe wrote to memory of 3848 (procid_target 85)
  PID 3848 cmd.exe wrote to memory of 4528 (procid_target 87)
  PID 2692 cmd.exe wrote to memory of 3084 (procid_target 88)
  PID 3848 cmd.exe wrote to memory of 3588 (procid_target 91)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe (PID 3764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 2692)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dad" /tr '"C:\Users\Admin\AppData\Roaming\dad.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\schtasks.exe (PID 3084)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "dad" /tr '"C:\Users\Admin\AppData\Roaming\dad.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 3848)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84A1.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\timeout.exe (PID 4528)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    Depth 3: C:\Users\Admin\AppData\Roaming\dad.exe (PID 3588)
      Command line: "C:\Users\Admin\AppData\Roaming\dad.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 147B
  MD5: db1c545dec36b091ac71d8c31bca5c5c
  SHA1: bf90543fd002dcf86fe00e9de3d561c800caa22c
  SHA256: e272c6f62395b107bd4e12f9167f55d2466b5747eeadcbf5380a3cef3a5be8f2
  SHA512: e57ba25988045224389dc5501f393236a473adcb9f9ac9574e0c63c66e7b141372c81dcff7c4c38a6f57e97584ab3262312abe09b0271244e25cfa339fe2e601

File 2
  Filesize: 45KB
  MD5: b77efa9b19b5b1b63264632c6b9dc749
  SHA1: b31eb2953de482cdcced69283032fbc8ca6b1042
  SHA256: af864a8fd8576810fdf0171c9983280536199bafc68cc37a5d532ceff71fff88
  SHA512: 2d602f3a99131a9d691b952416de0c0e098a2f680deb425034458db26240d32d9e98ac6e636ab1ac15f51f37dc6551197aacd4171e623dcd4fa676ae971cd84c