Analysis
- max time kernel: 900s
- max time network: 869s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2024 14:56
Behavioral task
- behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20240903-en
General
- Target: AsyncClient.exe
- Size: 72KB
- MD5: 4e6add4d01c71b6da1b1ef92ece5e4d9
- SHA1: 119c4d128e6a0bc216d724de3cae474b236be3a9
- SHA256: f383a6ec81b2cc2c6f76d35d63c6d63e927e52d4b35e7fe4e1974eda71fe3331
- SHA512: 002e6b5665cd901eeb4ad21271dc59ba2b028ef234d41c4f391a08f3c7d7da58f1ce4645c78b7d015ed9c967a0fb0fab6489df8d12f6edeedcb991d97724238d
- SSDEEP: 1536:Qum81TQq72dKTkDy3bCXSNqEoldZeZ5/EAH5Bx:QumoTQq72dskDy3bCZ5lHoltHPx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Default (label not preserved in the extraction)
- C2: 127.0.0.1:6606
- C2: 127.0.0.1:7707
- C2: 127.0.0.1:8808
- C2: 192.168.40.78:6606
- C2: 192.168.40.78:7707
- C2: 192.168.40.78:8808
- 2MadfT525Jmp (label not preserved in the extraction)
- delay: 3
- install: true
- install_file: epicgames.exe
- install_folder: %AppData%
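Before the C2 list above goes into a blocklist it is worth checking whether it is reachable at all: every host here is either loopback or an RFC 1918 address, and the ports are the three the public AsyncRAT builder pre-fills, which together point to a test build rather than a live campaign (a private address can still be an operator's internal relay, so treat the verdict as a hint, not a dismissal). The following is an added example, not part of the report or of AsyncRAT; C2_ENTRIES is copied from the config above and the default-port set is stated from the AsyncRAT builder defaults.

```python
"""Triage the C2 endpoints from an extracted AsyncRAT config before acting on them.

Added example, not part of the sandbox report or of AsyncRAT itself. C2_ENTRIES is copied
from the extracted config; ASYNCRAT_DEFAULT_PORTS is the set the public builder pre-fills.
"""
import ipaddress
from typing import Dict, List, Tuple

# Copied from the extracted config above (host:port).
C2_ENTRIES = [
    "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
    "192.168.40.78:6606", "192.168.40.78:7707", "192.168.40.78:8808",
]

# Ports the public AsyncRAT builder pre-fills; a config using only these was probably never customised.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}


def parse_endpoint(entry: str) -> Tuple[str, int]:
    """Split 'host:port'; rpartition keeps hostnames and IPv4 literals intact."""
    host, _, port = entry.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host, int(port)


def classify_host(host: str) -> str:
    """Return 'loopback', 'private', 'public' or 'hostname' (non-IP literal)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local or ip.is_reserved:
        return "private"
    return "public"


def triage_c2(entries: List[str]) -> Dict[str, object]:
    """Separate endpoints worth blocking or hunting from ones a victim outside the
    operator's own network could never reach, and flag untouched builder defaults."""
    actionable: List[Tuple[str, int, str]] = []
    non_routable: List[Tuple[str, int, str]] = []
    ports = set()
    for entry in entries:
        host, port = parse_endpoint(entry)
        ports.add(port)
        kind = classify_host(host)
        target = non_routable if kind in ("loopback", "private") else actionable
        target.append((host, port, kind))
    return {
        "actionable": actionable,        # push to perimeter blocklists / DNS and NetFlow hunts
        "non_routable": non_routable,    # loopback or RFC 1918: only meaningful inside the operator's LAN
        "only_default_ports": ports <= ASYNCRAT_DEFAULT_PORTS,
        # Heuristic: no reachable C2 plus stock ports suggests a test/lab build, not a live campaign.
        "looks_like_lab_build": not actionable and ports <= ASYNCRAT_DEFAULT_PORTS,
    }


if __name__ == "__main__":
    for key, value in triage_c2(C2_ENTRIES).items():
        print(f"{key}: {value}")
```

For this sample the result is an empty actionable list and both flags set; the same function run on a config with a public host or a non-default port would return that endpoint under "actionable" and clear the lab-build flag.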
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0032000000023b75-11.dat
  yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (AsyncClient.exe)
- Executes dropped EXE (1 IoC)
  PID 1656 epicgames.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by timeout.exe, epicgames.exe, AsyncClient.exe, cmd.exe, cmd.exe and schtasks.exe
  This key is read by the built-in cmd.exe, timeout.exe and schtasks.exe in the same run, so on its own it is not evidence of intent; the Geo\Nation query above is the more specific indicator.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  All three IoCs come from taskmgr.exe (PID 3164), a separate top-level process in this run, not from the sample or its dropped copy, so this sandbox-evasion check should not be attributed to AsyncRAT on this evidence.
- Delays execution with timeout.exe (1 IoC)
  PID 4248 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5112 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated entries for PID 1172 AsyncClient.exe and PID 3164 taskmgr.exe only.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3164 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token SeDebugPrivilege: PID 1172 AsyncClient.exe
  Token SeDebugPrivilege: PID 3164 taskmgr.exe
  Token SeSystemProfilePrivilege: PID 3164 taskmgr.exe
  Token SeCreateGlobalPrivilege: PID 3164 taskmgr.exe
  Token SeDebugPrivilege: PID 1656 epicgames.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  All 64 entries are PID 3164 taskmgr.exe.
- Suspicious use of SendNotifyMessage (64 IoCs)
  All 64 entries are PID 3164 taskmgr.exe.
- Suspicious use of WriteProcessMemory (15 IoCs)
  Each write is recorded three times. Every one of them is a parent writing into a child it has just created, which matches the process tree below rather than injection into an unrelated process.
  PID 1172 (AsyncClient.exe) wrote to memory of 4500, procid_target 82, recorded 3 times
  PID 1172 (AsyncClient.exe) wrote to memory of 3424, procid_target 84, recorded 3 times
  PID 4500 (cmd.exe) wrote to memory of 5112, procid_target 86, recorded 3 times
  PID 3424 (cmd.exe) wrote to memory of 4248, procid_target 87, recorded 3 times
  PID 3424 (cmd.exe) wrote to memory of 1656, procid_target 89, recorded 3 times
Processes
The two cmd.exe children of the sample are the install routine from the extracted config (install true, install_folder %AppData%, install_file epicgames.exe): one registers a logon task for the copy in %AppData%, the other runs a dropped batch file that spawns timeout 3 (matching delay 3 in the config) and then starts the copy. The SysWOW64 image paths show the sample runs as a 32-bit process. taskmgr.exe is a separate top-level process with no parent in the tree.

- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe (PID 1172, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4500, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 5112, depth 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (PID 3424, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DD2.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 4248, depth 3)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\epicgames.exe (PID 1656, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\epicgames.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 3164, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
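The process tree above is what endpoint telemetry would show for the AsyncRAT install routine, and it has two stable shapes worth alerting on: schtasks.exe creating a logon task with /rl highest whose /tr target lives under AppData, and cmd.exe running a .bat from %Temp% whose children are timeout.exe and an executable started from AppData. The detection below is an added example, not part of the report; SAMPLE_EVENTS is constructed from the tree above (PIDs, parents, image paths and command lines as recorded there) plus one hypothetical benign task creation as noise, and in production the same records would come from Sysmon Event ID 1 or Security 4688 with command-line logging enabled.

```python
"""Detect the AsyncRAT install chain in process-creation telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed from the
report's process tree plus one hypothetical benign event; the rules key on command-line
and parent/child structure, not on the file name "epicgames.exe", which the builder lets
the operator choose.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # image path as logged (SysWOW64 here: the sample runs as a 32-bit process)
    cmdline: str


# Constructed from the report's process tree; ppid 0 marks a parent that is not in the tree.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1172, 0, r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'),
    ProcEvent(4500, 1172, r"C:\Windows\SysWOW64\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit'''),
    ProcEvent(5112, 4500, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'"""),
    ProcEvent(3424, 1172, r"C:\Windows\SysWOW64\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DD2.tmp.bat""'''),
    ProcEvent(4248, 3424, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(1656, 3424, r"C:\Users\Admin\AppData\Roaming\epicgames.exe",
              r'"C:\Users\Admin\AppData\Roaming\epicgames.exe"'),
    # Hypothetical benign noise (not from the report): an installer registering a daily task.
    ProcEvent(7000, 6000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Updater" /tr "C:\Program Files\Vendor\update.exe"'),
]

# Persistence (T1053.005): logon-triggered task at highest run level pointing into a user-writable AppData path.
RE_ONLOGON = re.compile(r"/sc\s+onlogon\b", re.I)
RE_HIGHEST = re.compile(r"/rl\s+highest\b", re.I)
RE_TR_APPDATA = re.compile(r"/tr\s+.*\\AppData\\", re.I)
# Staging: cmd.exe runs a .bat from %Temp%; its children are timeout.exe and an exe under AppData.
RE_TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat\b", re.I)
RE_APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\.*\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one finding per matching process, in input order."""
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    findings: List[Dict[str, object]] = []
    for ev in events:
        name = basename(ev.image)
        if (name == "schtasks.exe"
                and RE_ONLOGON.search(ev.cmdline)
                and RE_HIGHEST.search(ev.cmdline)
                and RE_TR_APPDATA.search(ev.cmdline)):
            findings.append({"rule": "logon task with highest run level from AppData (T1053.005)",
                             "pid": ev.pid, "ppid": ev.ppid, "evidence": ev.cmdline})
        if name == "cmd.exe" and RE_TEMP_BAT.search(ev.cmdline):
            kids = children.get(ev.pid, [])
            waited = any(basename(k.image) == "timeout.exe" for k in kids)
            launched = [k.image for k in kids if RE_APPDATA_EXE.search(k.image)]
            if waited and launched:   # the batch alone is weak; the sleep-then-launch pair is the signal
                findings.append({"rule": "delayed launch via %Temp% batch file and timeout.exe",
                                 "pid": ev.pid, "ppid": ev.ppid, "evidence": launched})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['ppid']}): {f['rule']}")
```

Run against the constructed events this flags PID 5112 (the task creation) and PID 3424 (the batch file that sleeps and then launches the copy) and ignores the daily-task noise; the second rule deliberately needs both children, since a stray .bat in %Temp% on its own is common.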
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 9fb5e6bdeb98ed18bccf79c44d8184ef
  SHA1: 508f0983048d21a0e6a889a5eed4ae78b8ca2b09
  SHA256: 9209ba17c83375289d24257ad8701bcd1225e84362e6e3ce52f5352c6bfb54d3
  SHA512: efe802f40404857e3f00dc53f4853d6f31fa3a3ecd50bd15772741c1c31bd14fb3b5926fc3c496f93d7f9763c42cad4c6d6d8db1f3f7d5e5cc4be94f507852b2
- Filesize: 72KB
  MD5: 4e6add4d01c71b6da1b1ef92ece5e4d9
  SHA1: 119c4d128e6a0bc216d724de3cae474b236be3a9
  SHA256: f383a6ec81b2cc2c6f76d35d63c6d63e927e52d4b35e7fe4e1974eda71fe3331
  SHA512: 002e6b5665cd901eeb4ad21271dc59ba2b028ef234d41c4f391a08f3c7d7da58f1ce4645c78b7d015ed9c967a0fb0fab6489df8d12f6edeedcb991d97724238d
  All four hashes are identical to the submitted AsyncClient.exe (see General), so the 72KB drop is a byte-for-byte copy of the sample and one set of hashes covers both the original and the installed copy.