Analysis
max time kernel: 152s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20231215-en
resource tags: arch:x64 arch:x86 image:win11-20231215-en locale:en-us os:windows11-21h2-x64 system
submitted: 22/01/2024, 21:53
Static task
static1
General
Target: Vape_Launcher.exe
Size: 94.6MB
MD5: b99c3ffb881206c15be0cf1e88267ada
SHA1: c58375b1fb2271207881286f9683c40ef6d732b2
SHA256: 2809abeff525d504140c1fa73be37d4b5292be1e1a42528e1559075136a3adfb
SHA512: dff35370682e013cd37cd4974ab53c296fb9bdc1e8b11894902c76d6b44972d0ce39ffaf5631ea1d76f3eeca9af458faf1a589a1880d145149c433b5ff110cb0
SSDEEP: 1572864:KrrBrau8j2BYvBNY38m8M64Bo0okX5ZXRTRBvj0LMSLna7Yx6no8ZIxRy9/2Qh3u:saLGBTnr7IQ2
Malware Config
Extracted
asyncrat
Default
127.0.0.1:8080
127.0.0.1:6915
18.ip.gl.ply.gg:8080
18.ip.gl.ply.gg:6915
ااΗFKΙD尺w比Tبب9AI斯8C
delay: 1
install: false
install_folder: %AppData%
Signatures
Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0002000000029eb9-7.dat | asyncrat
  behavioral1/memory/5380-14-0x00000000009D0000-0x00000000009E6000-memory.dmp | asyncrat
Nirsoft (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x0002000000029ebb-20.dat | Nirsoft
  behavioral1/files/0x0002000000029ebb-26.dat | Nirsoft
  behavioral1/files/0x0002000000029ebb-27.dat | Nirsoft
  behavioral1/memory/4032-31-0x00000254F4710000-0x00000254F836A000-memory.dmp | Nirsoft
Executes dropped EXE (2 IoCs)
  pid | Process
  5380 | Infected.exe
  4032 | Vape Launcher.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4032 | Vape Launcher.exe (the same entry is listed 64 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5380 | Infected.exe
  Token: SeDebugPrivilege | 4032 | Vape Launcher.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2396 wrote to memory of 5380 | 2396 | Vape_Launcher.exe | 79
  PID 2396 wrote to memory of 5380 | 2396 | Vape_Launcher.exe | 79
  PID 2396 wrote to memory of 4032 | 2396 | Vape_Launcher.exe | 80
  PID 2396 wrote to memory of 4032 | 2396 | Vape_Launcher.exe | 80
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe"
    PID: 2396
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Infected.exe
        "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
        PID: 5380
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        PID: 4032
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 64KB
  MD5: d08bccadaa48c06a1469789ff0112691
  SHA1: 0dc033820315a9065ad0b1a711ac6fc08c750a28
  SHA256: cdcdc9ba2ac83c9fa2d65683f99723f2d377660f204be8fc4eecb0097e7751df
  SHA512: 176b8b0c39807e61eda9a274c1055b5fec2c23a12661028848271a0cd85dda9759f10f9b466f124602b92463a644879adc7d36ec7c87cf9c3c4d49407365e704
File 2
  Filesize: 1.7MB
  MD5: 7522deaf33d557e3ccf280fe1fdfd617
  SHA1: c271023f336b5057e474a149a8e5965f6ca436f8
  SHA256: abc99bedc258091de5a5a70f15593f3520e6a3d4dd9f25f278271d64b77e7499
  SHA512: 6a2ecb2eaa033e6362f3318155159b86666017dc832b2efb8dfa69c5a9e7c773cec4765bba54dad18f7c14bb59ae24b0c55762612c71151cf3f6b553a37b9d0a
File 3
  Filesize: 1.3MB
  MD5: 00e4aac3935f9070dfdf0013a1ff97f9
  SHA1: e658d3ad9fbb78c5c62e81168fc10098c947052f
  SHA256: 40bafd3962c66e20c5adabf67d7adb435fbfa8b614de83ce724b364c2acfbadb
  SHA512: 58ec0652be4e1fc5d76e6b1edce7ac3acab8f9100b3277edb51b62c58db4073c4ccf26467562293290cc01d373705925170dc17d74844a5fa6a18bd10148bdb4
File 4
  Filesize: 1.1MB
  MD5: 82ffc9bfc9bad0ecb925447a8e08b762
  SHA1: 35caea8fe613aae298d444eaa77564c077721db2
  SHA256: 6f5c49b75f0bfa28a5cf6366786ec3f45683c1c2f979410720a4b107e7426ceb
  SHA512: c8b0e84f69ba68841b493f139f364822d8ff130745264903bc1e3e4162d1a9124cc7dec1b5681a69b8348f89d3bf7cdae0b037306d53fa2ea7b862f3981a43c6