asyncrat | ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04

General

Target

ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe
Size

265KB
MD5

9a6424790f1417195908979b877f51b0
SHA1

e6ae0f82782c3b85a8cf2a2cbe0a3af64ee0b789
SHA256

ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04
SHA512

8d7e75cc50dff3289c8d64220283eb9fafb8d74f9e459c9c6a58a324d4f119ad1832247c5ea030b06fa704d498b92bd364ea4165607180247df5beddf90ebf61
SSDEEP

3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/m:WFzDqa86hV6uRRqX1evPlwAe

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2688-29-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2688-35-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2688-34-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2688-36-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2688-31-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def

Executes dropped EXE 1 IoCs

pid	Process
1632	HiPatchService.exe

Loads dropped DLL 1 IoCs

pid	Process
1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 2688	1632	HiPatchService.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe
2688	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 1632	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	28
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1056 wrote to memory of 2888	1056	ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe	29
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31
PID 1632 wrote to memory of 2688	1632	HiPatchService.exe	31

C:\Users\Admin\AppData\Local\Temp\ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe
"C:\Users\Admin\AppData\Local\Temp\ae74cd3811dd7af7f1ecebdbee210c8ed6175251f64284361587439983523e04.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
  "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
  2⤵
  PID:2888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

Filesize
213B

MD5
0955cb4b691d44b37f8b6fad48a33b8e

SHA1
9dae759ae014cc124ab6eed7c8035788c124ae4a

SHA256
9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

SHA512
08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

Download Submit
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

Filesize
265KB

MD5
ef77b6219a7d83b0ded03cef568d28e4

SHA1
50711d8e210c1b1fbf94b348682f5beb22bbf34b

SHA256
47c57ffe945177af2d6357420c57e8378d06e4adb122ace7fc93756a989b22ef

SHA512
7712ed279475a983482b4aed17677b155d908740e193d74ef4c1a38275a30a06987087b69ed52f496703632f2739624d145b3fbd28981ae8733c65ffb303629f

Download Submit
memory/1056-24-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1056-2-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/1056-1-0x0000000000CF0000-0x0000000000D36000-memory.dmp

Filesize
280KB

Download
memory/1056-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

Filesize
4KB

Download
memory/1056-3-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-37-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-22-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-21-0x0000000000370000-0x00000000003B6000-memory.dmp

Filesize
280KB

Download
memory/2688-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads