Keypoints
- Sample SHA256 provided: 05c2195aa671d62b3b47ff42630db25f39453375de9cffa92fc4a67fa5b6493b.
- Initial Detect It Easy (DIE) entropy analysis revealed a high-entropy region consistent with an embedded/encrypted payload, suggesting the file acts as a loader.
- Running the sample spawned aspnet_compiler.exe and the original process (05c.exe) exited, indicating the payload ran inside the legitimate process.
- Process Hacker’s “.NET assemblies” tab revealed an unexpected in-memory module named “vik” loaded into aspnet_compiler.exe.
- Attach dnSpy (32-bit) to aspnet_compiler.exe, open the module from memory, jump to the entry point, and inspect Settings.InitializeSettings() to decrypt configuration.
- Save the in-memory module and submit it to sandboxes (Hatching Triage, Unpacme) to confirm family attribution and extract the configuration; the payload was identified as AsyncRAT.
MITRE Techniques
- [T1140] Deobfuscate/Decode Files or Information – The analyst runs the loader briefly to trigger in-memory unpacking so the payload becomes inspectable (‘run the file for a few seconds, and observing the process as well as any new processes that are spawned’).
- [T1218] Signed Binary Proxy Execution – The attacker uses a legitimate Microsoft binary (aspnet_compiler.exe) to host and execute a malicious .NET module (‘spawns aspnet_compiler.exe… (Verified) Microsoft Corporation – This is likely a legitimate process that has been hijacked’).
- [T1055] Process Injection – Malicious .NET content is loaded into and replaces code in the legitimate process memory (the real suspicious content ‘has likely been used to overwrite the original file in memory’).
- [T1057] Process Discovery – The analyst monitors and inspects running processes to find newly spawned or anomalous processes and loaded modules (‘observe any new processes that are spawned’ and check the ‘.NET assemblies’ tab).
Indicators of Compromise
- [SHA256] sample hash – 05c2195aa671d62b3b47ff42630db25f39453375de9cffa92fc4a67fa5b6493b
- [Process / Filename] execution context – 05c.exe (original loader), aspnet_compiler.exe (spawned legitimate binary hosting payload)
- [In-memory Module] loaded assembly name – vik (suspicious .NET module observed in aspnet_compiler.exe)
- [Zip password] sample extraction context – ‘infected’ (password used to unzip the distributed archive)
The technical procedure begins by saving and extracting the sample (ZIP password: “infected”) and performing a quick static check with Detect It Easy (DIE) to inspect the entropy graph; a high-entropy region suggested an embedded/encrypted payload and that the file likely functioned as a loader. An initial dnSpy inspection of the file on disk showed no clear malicious code, so the sample was executed briefly in a controlled VM to allow runtime unpacking.
While running the sample, Process Hacker was used to monitor processes; the loader spawned aspnet_compiler.exe, and the original process exited shortly after, implying the malicious payload had been moved into the spawned process. In Process Hacker’s Properties → .NET assemblies view the analyst identified an anomalous in-memory module named “vik” and noted the process was 32-bit (so the x86 build of dnSpy is required). This pointed to a legitimately signed binary being abused to host the malicious .NET assembly.
dnSpy (32-bit) was attached to the aspnet_compiler.exe process (Debug → Attach to Process) and the Modules window opened. Instead of viewing the on-disk module, the analyst opened the module from memory to access the overwritten assembly, then navigated to its entry point and inspected Settings.InitializeSettings() to observe configuration decryption. The in-memory assembly was saved from dnSpy and submitted to sandboxes (Hatching Triage, Unpacme), which correctly identified the payload as AsyncRAT and extracted configuration values for further analysis.
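The entropy triage step above is what Detect It Easy's entropy graph shows visually. As an added example (not code from the blog post or from DIE), the script below computes the same per-window Shannon entropy over a file and reports contiguous high-entropy runs, which is how an embedded encrypted payload stands out from surrounding managed code and zero padding. The input is a constructed stand-in for the loader layout (header, code-like bytes, random "payload", trailer); the window size, 7.0-bit threshold and minimum run length are assumptions, not values from the post.

```python
import math
from collections import Counter
from random import Random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window, i.e. the points DIE plots on its graph."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 1024,
                         threshold: float = 7.0, min_windows: int = 4) -> list:
    """Return (start, end, mean_entropy) for every run of at least min_windows
    consecutive windows whose entropy reaches threshold. Encrypted or compressed
    blobs sit near 8 bits/byte; .NET code and metadata sit well below that."""
    profile = entropy_profile(data, window)
    regions, run_start = [], None
    for idx, h in enumerate(profile + [0.0]):  # trailing 0.0 closes a final run
        if h >= threshold:
            run_start = idx if run_start is None else run_start
        elif run_start is not None:
            if idx - run_start >= min_windows:
                mean = sum(profile[run_start:idx]) / (idx - run_start)
                regions.append((run_start * window, min(idx * window, len(data)),
                                round(mean, 2)))
            run_start = None
    return regions


def build_sample() -> bytes:
    """Constructed sample, not the real loader: 1 KiB header, 8 KiB of
    code-like bytes (64 symbols, 6 bits/byte), 16 KiB of seeded random bytes
    standing in for the encrypted payload, then 2 KiB of zero padding."""
    rng = Random(1337)
    header = b"MZ" + b"\x00" * 1022
    code = bytes(i % 64 for i in range(8192))
    payload = bytes(rng.getrandbits(8) for _ in range(16384))
    return header + code + payload + b"\x00" * 2048


if __name__ == "__main__":
    for start, end, mean in high_entropy_regions(build_sample()):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({mean} bits/byte)")
```

Run against a real file by reading it with `open(path, "rb").read()`; a single large region just before the end of a small .NET executable is the pattern that marked this sample as a loader.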
Read more: https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/