Analysis
-
max time kernel
890s -
max time network
899s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
22-12-2024 14:56
Behavioral task
behavioral1
Sample
AsyncClient.exe
Resource
win7-20240903-en
General
-
Target
AsyncClient.exe
-
Size
72KB
-
MD5
4e6add4d01c71b6da1b1ef92ece5e4d9
-
SHA1
119c4d128e6a0bc216d724de3cae474b236be3a9
-
SHA256
f383a6ec81b2cc2c6f76d35d63c6d63e927e52d4b35e7fe4e1974eda71fe3331
-
SHA512
002e6b5665cd901eeb4ad21271dc59ba2b028ef234d41c4f391a08f3c7d7da58f1ce4645c78b7d015ed9c967a0fb0fab6489df8d12f6edeedcb991d97724238d
-
SSDEEP
1536:Qum81TQq72dKTkDy3bCXSNqEoldZeZ5/EAH5Bx:QumoTQq72dskDy3bCZ5lHoltHPx
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
192.168.40.78:6606
192.168.40.78:7707
192.168.40.78:8808
2MadfT525Jmp
-
delay
3
-
install
true
-
install_file
epicgames.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource: behavioral1/files/0x0004000000004ed7-13.dat
yara_rule: family_asyncrat
-
Executes dropped EXE 1 IoCs
PID 2796: epicgames.exe
-
Loads dropped DLL 1 IoCs
PID 2840: cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by timeout.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by epicgames.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by AsyncClient.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
-
Delays execution with timeout.exe 1 IoCs
PID 2648: timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2180: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
PID 2024: AsyncClient.exe (reported 3 times)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 2024: AsyncClient.exe
Token: SeDebugPrivilege, PID 2796: epicgames.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
PID 2024 (AsyncClient.exe) wrote to memory of PID 1704, procid_target 31 (reported 4 times)
PID 2024 (AsyncClient.exe) wrote to memory of PID 2840, procid_target 33 (reported 4 times)
PID 2840 (cmd.exe) wrote to memory of PID 2648, procid_target 36 (reported 4 times)
PID 1704 (cmd.exe) wrote to memory of PID 2180, procid_target 35 (reported 4 times)
PID 2840 (cmd.exe) wrote to memory of PID 2796, procid_target 37 (reported 4 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
Depth: 1
PID: 2024
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit
  Depth: 2 (child of PID 2024)
  PID: 1704
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'
    Depth: 3 (child of PID 1704)
    PID: 2180
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  -
  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEBE5.tmp.bat""
  Depth: 2 (child of PID 2024)
  PID: 2840
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 3
    Depth: 3 (child of PID 2840)
    PID: 2648
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    -
    C:\Users\Admin\AppData\Roaming\epicgames.exe
    Command line: "C:\Users\Admin\AppData\Roaming\epicgames.exe"
    Depth: 3 (child of PID 2840)
    PID: 2796
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5
ee12bf0cfe09cfaa619b0ab0900b2784
SHA1
1fb7b8a824627a8cc0dec1df71df7203b4332d01
SHA256
63d07b3eba7364187b3cdee175c4fa6e00697475bf1514bb806d67afc7748d8d
SHA512
6cc867c29b1a4a7f46d6d866e2322e5b065fecf19db87a11ef66585de650abc944c7bae3c18d0a3c84754d2d2ce46c45d9d009de92936afdbfc85923d032b623
-
Filesize
72KB
MD5
4e6add4d01c71b6da1b1ef92ece5e4d9
SHA1
119c4d128e6a0bc216d724de3cae474b236be3a9
SHA256
f383a6ec81b2cc2c6f76d35d63c6d63e927e52d4b35e7fe4e1974eda71fe3331
SHA512
002e6b5665cd901eeb4ad21271dc59ba2b028ef234d41c4f391a08f3c7d7da58f1ce4645c78b7d015ed9c967a0fb0fab6489df8d12f6edeedcb991d97724238d