asyncrat | d43d1942c7ce8818ced3b67e0b080de71737bbe77f39011f1baecf54cb9c8e82

General

Target

22a3ab6e642e474d953b412f0ddf58d0N.exe
Size

268KB
MD5

22a3ab6e642e474d953b412f0ddf58d0
SHA1

de6ac1aa488e973c36f23290e2399cfcca17ff85
SHA256

d43d1942c7ce8818ced3b67e0b080de71737bbe77f39011f1baecf54cb9c8e82
SHA512

c9b292f5ae7809d18407fb95cc684d595eb3a28b091245adb43b4a4640684a79ff462f628add8484dc4f12e03d10ef8243daf456e4157ed8eb6f797cd349fb49
SSDEEP

3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/i:WFzDqa86hV6uRRqX1evPlwAq

Score

10^/10

asyncrat discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4988-29-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	22a3ab6e642e474d953b412f0ddf58d0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	HiPatchService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"	22a3ab6e642e474d953b412f0ddf58d0N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4404 set thread context of 4988	4404	HiPatchService.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22a3ab6e642e474d953b412f0ddf58d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HiPatchService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegAsm.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3620	timeout.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe
4988	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4404	4500	22a3ab6e642e474d953b412f0ddf58d0N.exe	94
PID 4500 wrote to memory of 4404	4500	22a3ab6e642e474d953b412f0ddf58d0N.exe	94
PID 4500 wrote to memory of 4404	4500	22a3ab6e642e474d953b412f0ddf58d0N.exe	94
PID 4500 wrote to memory of 1064	4500	22a3ab6e642e474d953b412f0ddf58d0N.exe	95
PID 4500 wrote to memory of 1064	4500	22a3ab6e642e474d953b412f0ddf58d0N.exe	95
PID 4500 wrote to memory of 1064	4500	22a3ab6e642e474d953b412f0ddf58d0N.exe	95
PID 1064 wrote to memory of 3620	1064	cmd.exe	97
PID 1064 wrote to memory of 3620	1064	cmd.exe	97
PID 1064 wrote to memory of 3620	1064	cmd.exe	97
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98
PID 4404 wrote to memory of 4988	4404	HiPatchService.exe	98

C:\Users\Admin\AppData\Local\Temp\22a3ab6e642e474d953b412f0ddf58d0N.exe
"C:\Users\Admin\AppData\Local\Temp\22a3ab6e642e474d953b412f0ddf58d0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
  "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 180
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

Filesize
213B

MD5
0955cb4b691d44b37f8b6fad48a33b8e

SHA1
9dae759ae014cc124ab6eed7c8035788c124ae4a

SHA256
9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

SHA512
08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

Download Submit
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

Filesize
268KB

MD5
ac66ad3a04e2909ab01b17ba6954192f

SHA1
1050b91c005cd79b4119c7278d07a339bc3e0ef0

SHA256
ec68fac1b1bc3abd9750845849e524d21bcff39ee09166cd75298bb1000b68d4

SHA512
c02a8eb1b2e1eb399edc3e9a61426924ae454adcfe4d83814939124fe2a21e5a222d952b30ce9db7efd70eded80115338de12fc78a5d0845ce4d2a912c323d98

Download Submit
memory/4404-31-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4404-28-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4404-26-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4500-6-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/4500-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/4500-10-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/4500-5-0x00000000053C0000-0x00000000053CA000-memory.dmp

Filesize
40KB

Download
memory/4500-25-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4500-4-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4500-3-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/4500-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/4500-1-0x00000000007E0000-0x0000000000826000-memory.dmp

Filesize
280KB

Download
memory/4988-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads