Analysis Overview
SHA256
2809abeff525d504140c1fa73be37d4b5292be1e1a42528e1559075136a3adfb
Threat Level: Known bad
The file Vape_Launcher.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Nirsoft
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 21:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 21:53
Reported
2024-01-22 21:57
Platform
win11-20231215-en
Max time kernel
152s
Max time network
153s
Signatures
AsyncRat
Async RAT payload
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2396 wrote to memory of 5380 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe | C:\Users\Admin\AppData\Local\Temp\Infected.exe |
| PID 2396 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe | C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 147.185.221.18:6915 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:8080 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Infected.exe
| MD5 | d08bccadaa48c06a1469789ff0112691 |
| SHA1 | 0dc033820315a9065ad0b1a711ac6fc08c750a28 |
| SHA256 | cdcdc9ba2ac83c9fa2d65683f99723f2d377660f204be8fc4eecb0097e7751df |
| SHA512 | 176b8b0c39807e61eda9a274c1055b5fec2c23a12661028848271a0cd85dda9759f10f9b466f124602b92463a644879adc7d36ec7c87cf9c3c4d49407365e704 |
C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
| MD5 | 7522deaf33d557e3ccf280fe1fdfd617 |
| SHA1 | c271023f336b5057e474a149a8e5965f6ca436f8 |
| SHA256 | abc99bedc258091de5a5a70f15593f3520e6a3d4dd9f25f278271d64b77e7499 |
| SHA512 | 6a2ecb2eaa033e6362f3318155159b86666017dc832b2efb8dfa69c5a9e7c773cec4765bba54dad18f7c14bb59ae24b0c55762612c71151cf3f6b553a37b9d0a |
C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
| MD5 | 00e4aac3935f9070dfdf0013a1ff97f9 |
| SHA1 | e658d3ad9fbb78c5c62e81168fc10098c947052f |
| SHA256 | 40bafd3962c66e20c5adabf67d7adb435fbfa8b614de83ce724b364c2acfbadb |
| SHA512 | 58ec0652be4e1fc5d76e6b1edce7ac3acab8f9100b3277edb51b62c58db4073c4ccf26467562293290cc01d373705925170dc17d74844a5fa6a18bd10148bdb4 |
C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
| MD5 | 82ffc9bfc9bad0ecb925447a8e08b762 |
| SHA1 | 35caea8fe613aae298d444eaa77564c077721db2 |
| SHA256 | 6f5c49b75f0bfa28a5cf6366786ec3f45683c1c2f979410720a4b107e7426ceb |
| SHA512 | c8b0e84f69ba68841b493f139f364822d8ff130745264903bc1e3e4162d1a9124cc7dec1b5681a69b8348f89d3bf7cdae0b037306d53fa2ea7b862f3981a43c6 |