Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
22/01/2024, 22:38
Static task
static1
Behavioral task
behavioral1
Sample
Vape_Launcher.exe
Resource
win7-20231215-en
General
-
Target
Vape_Launcher.exe
-
Size
94.6MB
-
MD5
b99c3ffb881206c15be0cf1e88267ada
-
SHA1
c58375b1fb2271207881286f9683c40ef6d732b2
-
SHA256
2809abeff525d504140c1fa73be37d4b5292be1e1a42528e1559075136a3adfb
-
SHA512
dff35370682e013cd37cd4974ab53c296fb9bdc1e8b11894902c76d6b44972d0ce39ffaf5631ea1d76f3eeca9af458faf1a589a1880d145149c433b5ff110cb0
-
SSDEEP
1572864:KrrBrau8j2BYvBNY38m8M64Bo0okX5ZXRTRBvj0LMSLna7Yx6no8ZIxRy9/2Qh3u:saLGBTnr7IQ2
Malware Config
Extracted
asyncrat
Default
C2
127.0.0.1:8080
127.0.0.1:6915
18.ip.gl.ply.gg:8080
18.ip.gl.ply.gg:6915
ااΗFKΙD尺w比Tبب9AI斯8C
-
delay
1
-
install
false
-
install_folder
%AppData%
Note: the two 127.0.0.1 entries are loopback addresses and cannot reach an operator from an infected host, so the only routable C2 is 18.ip.gl.ply.gg (ports 8080 and 6915). That is a playit.gg tunnel hostname: the operator's real address sits behind the tunnel service, so blocking should target the hostname rather than a resolved IP. With install set to false the client was built without its install/persistence option, so the %AppData% install_folder is not used on this run.
Signatures
-
Async RAT payload 3 IoCs
resource | yara_rule
behavioral1/files/0x000b000000012261-5.dat | asyncrat
behavioral1/memory/2692-9-0x0000000000AF0000-0x0000000000B06000-memory.dmp | asyncrat
behavioral1/memory/2692-48-0x0000000000550000-0x0000000000584000-memory.dmp | asyncrat
Both memory matches are in PID 2692 (Infected.exe, per the "Executes dropped EXE" table below), which identifies the dropped Infected.exe as the AsyncRAT stage. -
Nirsoft 5 IoCs
resource | yara_rule
behavioral1/files/0x0009000000012263-17.dat | Nirsoft
behavioral1/files/0x0009000000012263-16.dat | Nirsoft
behavioral1/files/0x0009000000012263-14.dat | Nirsoft
behavioral1/memory/2576-20-0x0000000000370000-0x0000000003FCA000-memory.dmp | Nirsoft
behavioral1/files/0x0009000000012263-29.dat | Nirsoft
The memory match is in PID 2576 ("Vape Launcher.exe", the dropped file whose name has a space instead of the original sample's underscore); that is also the process behind the 64 process-enumeration events below, which is the behaviour expected of a bundled NirSoft recovery tool. -
Executes dropped EXE 2 IoCs
pid | Process
2692 | Infected.exe
2576 | Vape Launcher.exe -
Loads dropped DLL 3 IoCs
pid | Process
2148 | Vape_Launcher.exe
2148 | Vape_Launcher.exe
1264 | Process not Found -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2576 | Vape Launcher.exe (64 identical events) -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2692 | Infected.exe
Token: SeDebugPrivilege | 2576 | Vape Launcher.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2148 wrote to memory of 2692 | 2148 | Vape_Launcher.exe | 28 (4 identical events)
PID 2148 wrote to memory of 2576 | 2148 | Vape_Launcher.exe | 31 (4 identical events)
Caveat: a handful of writes from a parent into each freshly created child is consistent with ordinary process creation (the parent populates the child's process parameters), so this signature on its own is not evidence of code injection. The AsyncRAT identification rests on the YARA matches in 2692's memory above, not on these writes.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe"
  PID: 2148 (depth 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Infected.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
      PID: 2692 (depth 2)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
      PID: 2576 (depth 2)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2796 (depth 1)
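The following script is an added example, not part of the sandbox report or of any tool it names. It turns the indicators above into something an analyst can run against endpoint telemetry: it classifies the extracted AsyncRAT C2 entries (loopback versus routable, tunnel-service hostnames), matches Sysmon-style process-create and network-connect events against the sample's SHA256 and the routable C2 hosts, and encodes the dropper lineage visible in the process tree (an executable in %TEMP% spawning further %TEMP% executables, one of them a lookalike of the parent name). The events are constructed for illustration: the PIDs and paths come from the report, but the parent of the root process, the network connection and the benign control event are assumptions, as is the choice to treat *.ply.gg hostnames as high-signal.

```python
"""Added triage example built from the report's indicators (constructed events)."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the report.
SAMPLE_SHA256 = "2809abeff525d504140c1fa73be37d4b5292be1e1a42528e1559075136a3adfb"
C2_ENTRIES = [
    "127.0.0.1:8080", "127.0.0.1:6915",
    "18.ip.gl.ply.gg:8080", "18.ip.gl.ply.gg:6915",
]
# Assumption: playit.gg tunnel hostnames are treated as high-signal C2 infrastructure.
TUNNEL_SUFFIXES = (".ply.gg",)


def classify_c2(entry: str) -> dict:
    """Split host:port and decide whether the entry is reachable from a victim host."""
    host, _, port = entry.rpartition(":")
    info = {"host": host, "port": int(port), "routable": True, "tunnel": False}
    try:
        addr = ipaddress.ip_address(host)
        # Loopback, private and link-local entries cannot reach an operator.
        info["routable"] = not (addr.is_loopback or addr.is_private or addr.is_link_local)
    except ValueError:  # a hostname rather than an IP literal
        info["tunnel"] = host.lower().endswith(TUNNEL_SUFFIXES)
    return info


def actionable_c2(entries) -> list:
    """Hosts worth blocking or hunting: the routable ones only."""
    return sorted({c["host"] for c in map(classify_c2, entries) if c["routable"]})


@dataclass
class Event:
    eid: int            # Sysmon numbering: 1 = process create, 3 = network connect
    pid: int
    ppid: int
    image: str
    parent_image: str
    sha256: str = ""
    dest_host: str = ""
    dest_port: int = 0


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def _name_key(filename: str) -> str:
    """Collapse case, separators and extension so 'Vape Launcher.exe' == 'Vape_Launcher.exe'."""
    stem = filename.lower().rsplit(".", 1)[0]
    return re.sub(r"[^a-z0-9]", "", stem)


def lineage_alert(ev: Event):
    """Dropper pattern from the report: a %TEMP% parent spawning %TEMP% children."""
    if ev.eid != 1 or not (_in_temp(ev.image) and _in_temp(ev.parent_image)):
        return None
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    msg = f"%TEMP% child {child} spawned by %TEMP% parent {parent}"
    if child != parent and _name_key(child) == _name_key(parent):
        msg += " (lookalike of parent name)"
    return msg


def hunt(events) -> list:
    """Return (pid, reason) pairs for every event matching an indicator or the lineage rule."""
    ioc_hosts = set(actionable_c2(C2_ENTRIES))
    alerts = []
    for ev in events:
        if ev.sha256.lower() == SAMPLE_SHA256:
            alerts.append((ev.pid, "known sample hash"))
        if ev.eid == 3 and ev.dest_host.lower() in ioc_hosts:
            alerts.append((ev.pid, f"C2 contact {ev.dest_host}:{ev.dest_port}"))
        reason = lineage_alert(ev)
        if reason:
            alerts.append((ev.pid, reason))
    return alerts


# Constructed events mirroring the report's process tree. PIDs and paths are from
# the report; the root's parent, the network connection and the last event are assumptions.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event(1, 2148, 1000, TEMP + r"\Vape_Launcher.exe", r"C:\Windows\explorer.exe", sha256=SAMPLE_SHA256),
    Event(1, 2692, 2148, TEMP + r"\Infected.exe", TEMP + r"\Vape_Launcher.exe"),
    Event(1, 2576, 2148, TEMP + r"\Vape Launcher.exe", TEMP + r"\Vape_Launcher.exe"),
    Event(3, 2692, 2148, TEMP + r"\Infected.exe", TEMP + r"\Vape_Launcher.exe",
          dest_host="18.ip.gl.ply.gg", dest_port=8080),
    Event(3, 2692, 2148, TEMP + r"\Infected.exe", TEMP + r"\Vape_Launcher.exe",
          dest_host="127.0.0.1", dest_port=8080),   # loopback C2 entry: must not alert
    Event(1, 4000, 1000, r"C:\Program Files\Notepad++\notepad++.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Run as written it reports four findings: the sample hash on PID 2148, the two %TEMP%-to-%TEMP% spawns (with PID 2576 additionally marked as a lookalike of its parent), and the connection from PID 2692 to the playit.gg hostname; the loopback C2 entry and the control process produce nothing. The lineage rule is deliberately narrow (both parent and child under AppData\Local\Temp) so that ordinary installers launched from Downloads do not trip it; widen the path check only after measuring the false-positive rate in your own telemetry.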
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
65KB
MD5
ac05d27423a85adc1622c714f2cb6184
SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD5
9c0c641c06238516f27941aa1166d427
SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
687KB
MD5
9618a49b1accf26cec8a6be9dd97a920
SHA1
c103169e3038d7d9b3c8c7c3b28bf46d368e856f
SHA256
d4d4b256353cb57a048a1b888f0d96835956c2a0b1d48dfd9b569d3400650d17
SHA512
8209bbc7819e821c624954388b8b2648a1254d63237e516e3793f81e79b7fc06d2d00fffc2b3fbdaa4beba13f29bea09159f7d5c09ae1bd38a3356a1b1acaaa8
-
Filesize
748KB
MD5
939fa67b074d1ef2130bd73b3b4874c4
SHA1
b4fe2468cea7ee332405838496b5e0412ecdec20
SHA256
627bf5ec853d08b67dbeb5d5492dadb9c777d34cc4f55b960f096bcb6dcc5590
SHA512
d45e04fd930f9e86a8e5463601d8df6a01e08a2e49d864acf78f021d6c791f84c799e570f8fd7f2d0d09128ef43a062136d2b1576990883c648d46fb0eb7c9e7
-
Filesize
64KB
MD5
d08bccadaa48c06a1469789ff0112691
SHA1
0dc033820315a9065ad0b1a711ac6fc08c750a28
SHA256
cdcdc9ba2ac83c9fa2d65683f99723f2d377660f204be8fc4eecb0097e7751df
SHA512
176b8b0c39807e61eda9a274c1055b5fec2c23a12661028848271a0cd85dda9759f10f9b466f124602b92463a644879adc7d36ec7c87cf9c3c4d49407365e704
-
Filesize
848KB
MD5
945aafd975a1c8077f323749a92600d6
SHA1
365da6b022e155de12752fc93e14238627434640
SHA256
ba7bfedbea30aeb079fb8e94633178f116f27951f921500b1fb012792bd3a4f5
SHA512
ff9966c32cefb2c50edc2b6f903f5764fd48bb4f88579f1677f9b2c876bd2ef6be15c8740b8b1a46207eef339e29bf7db90a8b934db0c95129f5589c6e30bd68
-
Filesize
2.6MB
MD5
bcc78d6990ad722c6c78497de7c4811d
SHA1
1077b38f8371bab5eb602788d5beace77d963d0d
SHA256
baf3fe4a8adc40fa8fa3049fde20b24738577f98aa232fb7d93ea10dddf25a7d
SHA512
6d352092836e4265d04f6387062007d3007b72568b964dddb2dc3bcf8518b8fd76e1c5a8376f48d894493699d282fe10ac9f0dfff8c4609be8cfffe5633a23cf