Overview

overview

10

Static

static

10

Client.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Client.exe

  • Size

    47KB

  • Sample

    250302-swhgwsxps2

  • MD5

    86342644c9b86db7318560eccad4387d

  • SHA1

    90942a986c08fe6f308912a99b44413405ce3392

  • SHA256

    2bb183b9da31dc9327ba06a935fdcb235747e49643b173c490adc39629b0f9e5

  • SHA512

    e7d49dd0c0ebe430623be21fb8743dc4bb627d97dc98884adc8912e247552f84785a0d6a4e7c31a04b620a0b08f12867abd33e3a8be7ca3308ed140091805cb9

  • SSDEEP

    768:sWmfbILUWQw+jiVtelDSN+iV08YbygeV5C47pvC8tKvEgK/JbZVc6KN:sWmV4VtKDs4zb1o537pvC8tKnkJbZVcD

Score
10/10
asyncratdefaultdefense_evasionevasionexecutionransomwarerattrojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

C0re-50342.portmap.host:50342

Mutex

asdas7dcad4ca9sdca7sdc

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      Client.exe

    • Size

      47KB

    • MD5

      86342644c9b86db7318560eccad4387d

    • SHA1

      90942a986c08fe6f308912a99b44413405ce3392

    • SHA256

      2bb183b9da31dc9327ba06a935fdcb235747e49643b173c490adc39629b0f9e5

    • SHA512

      e7d49dd0c0ebe430623be21fb8743dc4bb627d97dc98884adc8912e247552f84785a0d6a4e7c31a04b620a0b08f12867abd33e3a8be7ca3308ed140091805cb9

    • SSDEEP

      768:sWmfbILUWQw+jiVtelDSN+iV08YbygeV5C47pvC8tKvEgK/JbZVc6KN:sWmV4VtKDs4zb1o537pvC8tKnkJbZVcD

    Score
    10/10
    asyncratdefaultdefense_evasionevasionexecutionransomwarerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • UAC bypass

      defense_evasiontrojan

    • Async RAT payload

      rat

    • Renames multiple (3209) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      defense_evasiontrojan

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

5
T1562

Disable or Modify Tools

5
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks