Analysis

  • max time kernel
    118s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240729-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    05-08-2024 22:38

General

  • Target

    19603fe7829efa24905b5926cdc82c60N.exe

  • Size

    266KB

  • MD5

    19603fe7829efa24905b5926cdc82c60

  • SHA1

    d06f14588249f71ba6c2ffc91f6c936080c4d7e4

  • SHA256

    7618ba68a3427461f3df54bfcbaf7d23b45827ee59bccf9c6ca7f3f4f6881079

  • SHA512

    94f3d1e424d7e539e13b4ee12263b3d2a56a9221e9b6b81328585758d4581fcde995c6d7df07f409d8f627ee92c9eda343c5d95999f173fc5d2974d800f12e32

  • SSDEEP

    3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/e:WFzDqa86hV6uRRqX1evPlwAm

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable containing code that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19603fe7829efa24905b5926cdc82c60N.exe
    "C:\Users\Admin\AppData\Local\Temp\19603fe7829efa24905b5926cdc82c60N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
      "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2464
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2860
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:3016

    Network

    • Country: US
      DNS
      corporation.warzonedns.com
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      corporation.warzonedns.com
      IN A
      Response
      No results found
    • 8.8.8.8:53
      corporation.warzonedns.com
      dns
      RegAsm.exe
      Sent: 72 B
      Received: 145 B
      Sent packets: 1
      Received packets: 1

      DNS Request

      corporation.warzonedns.com
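    The following Python script is an added example, not part of the sandbox report: it replays the behaviours the signatures, process tree and network section above attribute to the sample (a dropped .NET loader under %AppData%\HiPatch launching RegAsm.exe with no arguments, a Run-key entry, and RegAsm.exe resolving corporation.warzonedns.com) as Sysmon-style events and runs simple detection logic over them. The event records are constructed; the EventID numbers follow Sysmon (1 = process create, 13 = registry value set, 22 = DNS query), but the parent of the initial process, the Run value name, the placeholder hashes for cmd.exe/RegAsm.exe/WmiApSrv.exe and the dynamic-DNS suffix list are assumptions, not data from the report.

```python
"""Replay of the behaviours the sandbox report attributes to the sample,
expressed as Sysmon-style events and scored with simple detection logic.
Added example, not part of the report: the event records are constructed
from the report's process tree, Run-key signature and DNS section; parent of
the initial process, Run value name and DDNS suffix list are assumptions."""

import re

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "7618ba68a3427461f3df54bfcbaf7d23b45827ee59bccf9c6ca7f3f4f6881079": "19603fe7829efa24905b5926cdc82c60N.exe",
    "8e4018f22eacc5e5912f537230d7fac4df1c942936ffeb5bd5ff15b73e38e7df": "HiPatchService.exe",
    "9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71": "HiPatchService.bat",
}

# .NET framework binaries commonly used as hollowing hosts; RegAsm.exe is the one seen here.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Paths under a user profile's AppData (where HiPatchService.exe was dropped).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Dynamic-DNS providers (assumed list; warzonedns.com is the one in the report).
DDNS_SUFFIXES = ("warzonedns.com", "duckdns.org", "no-ip.org")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\19603fe7829efa24905b5926cdc82c60N.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events mirroring the report's process tree (PIDs as reported).
EVENTS = [
    {"EventID": 1, "ProcessId": 1916, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe",  # parent not in the report; assumed
     "SHA256": "7618ba68a3427461f3df54bfcbaf7d23b45827ee59bccf9c6ca7f3f4f6881079"},
    {"EventID": 13, "ProcessId": 1916,  # value name "HiPatchService" is assumed
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HiPatchService",
     "Details": f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 2472, "Image": DROPPED, "CommandLine": f'"{DROPPED}"',
     "ParentImage": SAMPLE,
     "SHA256": "8e4018f22eacc5e5912f537230d7fac4df1c942936ffeb5bd5ff15b73e38e7df"},
    {"EventID": 1, "ProcessId": 2860, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""',
     "ParentImage": SAMPLE, "SHA256": "0" * 64},  # placeholder hash, not in the report
    {"EventID": 1, "ProcessId": 2464, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentImage": DROPPED, "SHA256": "1" * 64},  # placeholder hash
    {"EventID": 22, "ProcessId": 2464, "Image": REGASM,
     "QueryName": "corporation.warzonedns.com", "QueryResults": ""},  # no results, as reported
    # Benign control: the WMI performance adapter service also appears in the tree.
    {"EventID": 1, "ProcessId": 3016, "Image": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "CommandLine": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "ParentImage": r"C:\Windows\system32\services.exe", "SHA256": "2" * 64},  # parent assumed
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _has_arguments(command_line):
    """True when anything follows the program token ("quoted path" or bare word).
    A legitimate RegAsm.exe run always names an assembly, so a bare launch is
    a strong hollowing indicator (matches the SetThreadContext signature)."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', command_line, re.DOTALL)
    return bool(m and m.group(1).strip())


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the report's TTPs."""
    hits = []
    for e in events:
        eid, pid = e["EventID"], e["ProcessId"]
        image = _basename(e.get("Image", ""))
        if eid == 1:
            name = KNOWN_SHA256.get(e.get("SHA256", "").lower())
            if name:
                hits.append(("known_hash", pid, name))
            # Hollowing pattern: .NET host launched with no arguments by an AppData binary.
            if (image in DOTNET_HOSTS and not _has_arguments(e["CommandLine"])
                    and USER_WRITABLE.search(e["ParentImage"])):
                hits.append(("dotnet_host_hollowing", pid, e["ParentImage"]))
        elif eid == 13:
            # Run-key persistence pointing into a user-writable directory.
            if (re.search(r"\\currentversion\\run\\", e["TargetObject"], re.IGNORECASE)
                    and USER_WRITABLE.search(e["Details"])):
                hits.append(("run_key_appdata", pid, e["Details"]))
        elif eid == 22 and image in DOTNET_HOSTS:
            # RegAsm.exe has no reason to resolve names; a dynamic-DNS name is worse still.
            query = e["QueryName"].lower()
            rule = "dotnet_host_ddns" if query.endswith(DDNS_SUFFIXES) else "dotnet_host_dns"
            hits.append((rule, pid, query))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24s} pid={pid:<5d} {detail}")
```

    Run stand-alone, the script flags the two reported hashes, the Run key, the argument-less RegAsm.exe child of HiPatchService.exe, and the DDNS lookup from RegAsm.exe, while leaving cmd.exe and WmiApSrv.exe unflagged. The hollowing rule keys on the parent living under AppData plus the missing assembly argument rather than on the SetThreadContext/WriteProcessMemory API calls themselves, because process-creation logs are far more widely collected than API traces.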

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

      Filesize

      213B

      MD5

      0955cb4b691d44b37f8b6fad48a33b8e

      SHA1

      9dae759ae014cc124ab6eed7c8035788c124ae4a

      SHA256

      9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

      SHA512

      08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

    • \Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

      Filesize

      266KB

      MD5

      105fd56a595e06da62cded9ba58af747

      SHA1

      2248dea53fee4b5f1fcb32a73095d0cd42d606a2

      SHA256

      8e4018f22eacc5e5912f537230d7fac4df1c942936ffeb5bd5ff15b73e38e7df

      SHA512

      3d8b95bc1d8585a94dec383fb5353f0439c393f33ef6a0d8943f6744a4ff7a83d4edd3c75be37e57284b05959652e877b7958a560b97066d98ac1027b546cd18

    • memory/1916-24-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

    • memory/1916-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

    • memory/1916-2-0x0000000000320000-0x000000000032A000-memory.dmp

      Filesize

      40KB

    • memory/1916-1-0x00000000008C0000-0x0000000000906000-memory.dmp

      Filesize

      280KB

    • memory/1916-3-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

    • memory/2464-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2464-25-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2464-34-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2464-35-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2464-31-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2464-29-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2464-27-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2464-36-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2472-21-0x00000000011A0000-0x00000000011E6000-memory.dmp

      Filesize

      280KB

    • memory/2472-23-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

    • memory/2472-37-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB
