This article demonstrates a hands-on method to unpack a .NET-based loader by using Process Hacker to monitor in-memory .NET modules and DnSpy to extract the payload. It guides readers through initial assessment, memory extraction, module inspection, and verification with sandboxes and open-source reports. #Asyncrat #ProcessHacker #DnSpy #AspnetCompiler #vik #HatchingTriage #Unpacme
Keypoints
- Use Process Hacker to observe .NET modules loaded into memory during execution and identify suspicious loader activity.
- Detect-it-easy reveals high-entropy areas, suggesting encrypted or packed payloads within the sample.
- Initial assessment with DnSpy confirms whether the file is already unpacked before attempting extraction.
- The sample spawns a suspicious process (aspnet_compiler.exe) while the original process exits, implying in-memory payload execution.
- A suspicious module named vik masquerades as aspnet_compiler.exe, indicating potential process hijacking or masquerading.
- The deobfuscation step shows where configuration values are decrypted and loaded (Settings.InitializeSettings()), guiding extraction of the actual payload.
- Verification steps include saving unpacked content, sandbox analysis (Hatching Triage), and cross-referencing with public reports (e.g., Asyncrat) to confirm the malware family.
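The entropy check that Detect-it-easy performs in the keypoint above, as an added example that is not code from the article or from Detect-it-easy: a fixed-window Shannon entropy scan that flags regions of a file likely to hold an encrypted or compressed payload inside a loader. The window size, threshold and the constructed sample bytes are assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.2):
    """Scan data in fixed windows; return (offset, size, entropy) for every run of
    consecutive windows at or above threshold, merged into one region per run.
    Window and threshold are assumed values; tune them per file type."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        if regions and regions[-1][0] + regions[-1][1] == off:
            # Adjacent hit: extend previous region, keep a size-weighted entropy.
            p_off, p_size, p_h = regions[-1]
            merged = (p_h * p_size + h * len(chunk)) / (p_size + len(chunk))
            regions[-1] = (p_off, p_size + len(chunk), merged)
        else:
            regions.append((off, len(chunk), h))
    return regions


# Constructed sample (not a real binary): 8 KiB of repetitive "code"-like text,
# then 8 KiB of pseudo-random bytes standing in for an encrypted payload,
# then 4 KiB of zero padding. Deterministic seed keeps the test reproducible.
_rng = random.Random(1234)
LOW = (b"mov eax, ebx; push ebp; ret\n" * 400)[:8192]
BLOB = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE = LOW + BLOB + bytes(4096)

if __name__ == "__main__":
    for off, size, h in high_entropy_regions(SAMPLE):
        print(f"possible packed/encrypted region at 0x{off:x}, {size} bytes, entropy {h:.2f}")
```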
MITRE Techniques
- [T1106] Native API - Spawns new processes (aspnet_compiler.exe) during execution to load the payload. "Running the file for a few seconds, we can see that it spawns aspnet_compiler.exe."
- [T1036] Masquerading - The module named vik masquerades as aspnet_compiler.exe; "regular path is that of aspnet_compiler.exe. This is suspicious, why would aspnet_compiler be named vik?"
- [T1027] Obfuscated/Compressed Files and Information - High-entropy areas suggest an encrypted payload within the file. "This area suggests that the file could be a loader (as it contains a possible encrypted payload)."
- [T1140] Deobfuscate/Decode Files or Information - Decryption of configuration values within the file, as seen in the entry point. "Settings.InitializeSettings() method, we can see where the configuration values are decrypted and loaded into the file."
Indicators of Compromise
- [SHA256] 05c2195aa671d62b3b47ff42630db25f39453375de9cffa92fc4a67fa5b6493b - Sample file identified by its hash.
- [File name] 05c.exe - Original sample filename observed during analysis; used to load the loader.
- [File name] aspnet_compiler.exe - Suspicious process spawned by the loader during unpacking.
- [Module name] vik - Unusual loaded module that masquerades as aspnet_compiler.exe.
- [URL] https://bazaar.abuse.ch/sample/05c2195aa671d62b3b47ff42630db25f39453375de9cffa92fc4a67fa5b6493b/?ref=embeeresearch.io - Malware Bazaar sample page for the hash.
- [URL] https://tria.ge/?ref=embeeresearch.io - Hatching Triage submission page referenced for analysis results.
Read more: https://www.embeeresearch.io/unpacking-net-malware-with-process-hacker/