asyncrat | cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5

General

Target

cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe
Size

544KB
MD5

72f75a45c5a2dba67de3552b48b83fb2
SHA1

89eaaeeca99407019a85e5c8e950f2d47fe8157b
SHA256

cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5
SHA512

9146102fb862d0b9a8c0fbefabd76e0963d33295defe1a53bc4efaae724583f2552490f97df440d6d09e4c97a3b7c526f42f81a7ea3bc2691a063dfed4779254
SSDEEP

6144:hHL4WOLSPswA+PjIMcTCRu9DWoitq2+nVE7pSwqPN+:uWO+PtBPj/cWwpYq+

Score

10^/10

asyncrat discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

65845562146GZ23

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	PlexMedia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PlexService = "C:\\Users\\Admin\\AppData\\Roaming\\PlexService\\PlexMedia.exe"	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3128 set thread context of 1500	3128	PlexMedia.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlexMedia.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3948	timeout.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe
1500	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3128	4416	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe	84
PID 4416 wrote to memory of 3128	4416	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe	84
PID 4416 wrote to memory of 3128	4416	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe	84
PID 4416 wrote to memory of 4888	4416	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe	85
PID 4416 wrote to memory of 4888	4416	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe	85
PID 4416 wrote to memory of 4888	4416	cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe	85
PID 4888 wrote to memory of 3948	4888	cmd.exe	87
PID 4888 wrote to memory of 3948	4888	cmd.exe	87
PID 4888 wrote to memory of 3948	4888	cmd.exe	87
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88
PID 3128 wrote to memory of 1500	3128	PlexMedia.exe	88

C:\Users\Admin\AppData\Local\Temp\cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe
"C:\Users\Admin\AppData\Local\Temp\cede04b7fea82b617ddf512fe1ede907ec6ea0e88c0fbd416636843abe2f4aa5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Roaming\PlexService\PlexMedia.exe
  "C:\Users\Admin\AppData\Roaming\PlexService\PlexMedia.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PlexService\PlexMedia.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 180
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PlexService\PlexMedia.bat

Filesize
212B

MD5
787142f81eb1a9ec3f978ac64e069ee9

SHA1
cb5d7aa00da5378f01bcab6ea47e2e1ec75209af

SHA256
d1092363d523d099cdbbaefef20dba86d6f8a8b7717b311a7262367f8fa9a303

SHA512
d1abd517f1a4a6702787f707efe3fe8c355cafe2664b0a4784c22c7076bc90aaa570292d5e079c12f72ef6ebebb36b0f51215412bb963854b6614332ce447a5d

Download Submit
C:\Users\Admin\AppData\Roaming\PlexService\PlexMedia.exe

Filesize
544KB

MD5
4d1552795115f53a55d24f5dcf361d21

SHA1
adbd9a15e6fae66d05c2cdaafb9e87eea180d152

SHA256
c48ef14dbeb86127b7e3c2230670459564f6f2c7e107fd46bac94a4f37e89d1f

SHA512
e0a7ffd59df25a0b6252ab3d6e152d8d1dd95767a1c2d581cf2d760701be7324484f341119dae5fd6b5e02a981091f639246ca55ab46916753a3fc2b6235f42e

Download Submit
memory/1500-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3128-26-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3128-32-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3128-28-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4416-5-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4416-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/4416-6-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4416-12-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4416-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4416-27-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4416-1-0x00000000007A0000-0x000000000082E000-memory.dmp

Filesize
568KB

Download
memory/4416-24-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4416-4-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/4416-3-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads