asyncrat | 4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750

General

Target

4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe
Size

268KB
MD5

b7e6d9e4bf0e64884edfaa470bab7160
SHA1

47ec237e66cf527a53ce78d24ab68c00f204be1b
SHA256

4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750
SHA512

9cbe3ad1ad8069ae85e91ae9c9cb38470eb9e596bbe16fb12ca5e7ad773b4688b01e1459983da4d94bf544fb4f644465a40eabebacf534e681bb40a4ccd56525
SSDEEP

3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8Dj:WFzDqa86hV6uRRqX1evPlwAEQj

Score

10^/10

asyncrat discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/3156-30-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe

Executes dropped EXE 1 IoCs

pid	Process
3476	HiPatchService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 3156	3476	HiPatchService.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HiPatchService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1764	timeout.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3476	HiPatchService.exe
3476	HiPatchService.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe
3156	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	HiPatchService.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3476	4204	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe	91
PID 4204 wrote to memory of 3476	4204	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe	91
PID 4204 wrote to memory of 3476	4204	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe	91
PID 4204 wrote to memory of 1092	4204	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe	92
PID 4204 wrote to memory of 1092	4204	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe	92
PID 4204 wrote to memory of 1092	4204	4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe	92
PID 1092 wrote to memory of 1764	1092	cmd.exe	94
PID 1092 wrote to memory of 1764	1092	cmd.exe	94
PID 1092 wrote to memory of 1764	1092	cmd.exe	94
PID 3476 wrote to memory of 4648	3476	HiPatchService.exe	98
PID 3476 wrote to memory of 4648	3476	HiPatchService.exe	98
PID 3476 wrote to memory of 4648	3476	HiPatchService.exe	98
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99
PID 3476 wrote to memory of 3156	3476	HiPatchService.exe	99

C:\Users\Admin\AppData\Local\Temp\4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe
"C:\Users\Admin\AppData\Local\Temp\4ff903deb13375705b4beb2d30fe494fdca733a42efee484d7380773e9d24750N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
  "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 180
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1764

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

Filesize
213B

MD5
0955cb4b691d44b37f8b6fad48a33b8e

SHA1
9dae759ae014cc124ab6eed7c8035788c124ae4a

SHA256
9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

SHA512
08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

Download Submit
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

Filesize
268KB

MD5
09847a923b859b79bbbfcd3f08d0153a

SHA1
e0320f74e2d2575544142fb45dd6bcda40abe7bc

SHA256
b7b5f1dae49c5df3fca958ce68430f8322241bbc689ad25db99705046f22882d

SHA512
7ed1b7d62308e4aa661d4056a5aae40495be3cead14afe8963291f8157e24096754bcd3adbeb6798444defa27c749d4264f56aa4d7c78e54a1bc70c20fadc4bc

Download Submit
memory/3156-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3476-32-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3476-28-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3476-26-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4204-4-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/4204-10-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/4204-6-0x00000000053C0000-0x00000000053CA000-memory.dmp

Filesize
40KB

Download
memory/4204-5-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4204-24-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4204-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/4204-27-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4204-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/4204-2-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/4204-1-0x0000000000990000-0x00000000009D6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads