asyncrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
149s
max time network
133s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c197e50214b25100e10fb00b2ac6e0.exe
Size

273KB
MD5

c4c197e50214b25100e10fb00b2ac6e0
SHA1

1dfac5794ccab5ec1e3c4897b8069c85e44bde19
SHA256

91b9c5ee1050b5ba75f7ad5e1daace80e64220fc71cb4cda0a2265b0559afa5f
SHA512

11d6fca3edc71affd5ae97743ae2e3a4ed8172f73e1f1a4d799baeb335a1f2a0219f652b2bc5d4d6a45144b936e047842579a50926813eacd9b9be1bfb8a2878
SSDEEP

3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdTk:WFzDqa86hV6uRRqX1evPlwAEdA

Score

10^/10

asyncrat discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.4.9G

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral19/memory/2616-36-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral19/memory/2616-31-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral19/memory/2616-33-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral19/memory/2616-38-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral19/memory/2616-37-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def

Executes dropped EXE 1 IoCs

pid	Process
2852	HiPatchService.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	c4c197e50214b25100e10fb00b2ac6e0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"	c4c197e50214b25100e10fb00b2ac6e0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 2616	2852	HiPatchService.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4c197e50214b25100e10fb00b2ac6e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HiPatchService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2852	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	30
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 3056 wrote to memory of 2620	3056	c4c197e50214b25100e10fb00b2ac6e0.exe	31
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33
PID 2852 wrote to memory of 2616	2852	HiPatchService.exe	33

C:\Users\Admin\AppData\Local\Temp\c4c197e50214b25100e10fb00b2ac6e0.exe
"C:\Users\Admin\AppData\Local\Temp\c4c197e50214b25100e10fb00b2ac6e0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
  "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

Filesize
213B

MD5
0955cb4b691d44b37f8b6fad48a33b8e

SHA1
9dae759ae014cc124ab6eed7c8035788c124ae4a

SHA256
9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

SHA512
08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

Download Submit
\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

Filesize
273KB

MD5
81f5044f96b417f122626b5393793dcd

SHA1
875b6a1f0d934d69839a51a0dbeb62553e432537

SHA256
df1f06e9b9a65719a39c738180bf99067ba62505f73309b49e98f5efb37341ad

SHA512
ad814b1ae5427835ae9c4805641f310c9aaf475df8b8c6cf90eead724fdcb9211ccfb2a8a7cd8722701b00133da543ee2e5c303971d103e88948f7c43d2fd0cd

Download Submit
memory/2616-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2616-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2616-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2616-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2616-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2616-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2616-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2852-39-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-22-0x0000000001270000-0x00000000012B6000-memory.dmp

Filesize
280KB

Download
memory/2852-24-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-23-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-26-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/3056-1-0x0000000000B50000-0x0000000000B96000-memory.dmp

Filesize
280KB

Download
memory/3056-3-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-9-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download