asyncrat | becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9

Analysis

max time kernel
9s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe
Size

266KB
MD5

d65b5445fa5e3736626098ef689331c5
SHA1

b62313172586337872dd25b1ecb968c9c5a9010e
SHA256

becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9
SHA512

769adc82278c4dbce0a42769119d7ca7fca17712d4ae6a7669ae95d54060e0fa89d142479d080b7c569142d6471f25697324277c3619d0fb3ede78ce8a8e0337
SSDEEP

3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8w:WFzDqa86hV6uRRqX1evPlwAEJ

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def
Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Detects file containing reversed ASEP Autorun registry keys 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

resource	yara_rule
behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def

resource	yara_rule
behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

resource	yara_rule
behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

resource	yara_rule
behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

resource	yara_rule
behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"	becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3056 timeout.exe

pid	process
3056	timeout.exe

C:\Users\Admin\AppData\Local\Temp\becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe
"C:\Users\Admin\AppData\Local\Temp\becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe"
1⤵
- Adds Run key to start application
PID:1352

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
2⤵
PID:60

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
2⤵
PID:3312

C:\Windows\SysWOW64\timeout.exe
timeout /t 180
3⤵
- Delays execution with timeout.exe
PID:3056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat
Filesize
213B

MD5
0955cb4b691d44b37f8b6fad48a33b8e

SHA1
9dae759ae014cc124ab6eed7c8035788c124ae4a

SHA256
9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

SHA512
08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

Download Submit
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
Filesize
266KB

MD5
6ed457a82b15b029699a7a1c5ba22075

SHA1
0fa960ced0f1bf43626af0a498110a0e7e79cdd7

SHA256
ccca07eff828a77609521ec7c02ab135d2657db4f3ae883d125b6c977d6bd5da

SHA512
85cd1fab41494c66be4888376d215dd4c57ae206db12d1cfbff9b5ffe7a101a6645c38277c41bda0fe25f6cb93ed13ccf652b1a5e15ec0f50bb88d5b8e6208ac

Download Submit
memory/60-27-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/60-30-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/60-24-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/1352-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/1352-4-0x0000000005300000-0x000000000530A000-memory.dmp

Filesize
40KB

Download
memory/1352-25-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/1352-6-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/1352-5-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/1352-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/1352-2-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/1352-1-0x0000000000800000-0x0000000000846000-memory.dmp

Filesize
280KB

Download
memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download