Analysis
max time kernel: 152s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2024, 22:38
Static task: static1
Behavioral task: behavioral1
Sample: Vape_Launcher.exe
Resource: win7-20231215-en
General
Target: Vape_Launcher.exe
Size: 94.6MB
MD5: b99c3ffb881206c15be0cf1e88267ada
SHA1: c58375b1fb2271207881286f9683c40ef6d732b2
SHA256: 2809abeff525d504140c1fa73be37d4b5292be1e1a42528e1559075136a3adfb
SHA512: dff35370682e013cd37cd4974ab53c296fb9bdc1e8b11894902c76d6b44972d0ce39ffaf5631ea1d76f3eeca9af458faf1a589a1880d145149c433b5ff110cb0
SSDEEP: 1572864:KrrBrau8j2BYvBNY38m8M64Bo0okX5ZXRTRBvj0LMSLna7Yx6no8ZIxRy9/2Qh3u:saLGBTnr7IQ2
Malware Config
Extracted
asyncrat
Default
127.0.0.1:8080
127.0.0.1:6915
18.ip.gl.ply.gg:8080
18.ip.gl.ply.gg:6915
ااΗFKΙD尺w比Tبب9AI斯8C
delay: 1
install: false
install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000300000001e7bf-8.dat | asyncrat
  behavioral2/memory/2028-14-0x00000000002A0000-0x00000000002B6000-memory.dmp | asyncrat
  behavioral2/memory/2028-44-0x000000001CBF0000-0x000000001CC24000-memory.dmp | asyncrat
- Nirsoft (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x000300000001e7c0-20.dat | Nirsoft
  behavioral2/files/0x000300000001e7c0-27.dat | Nirsoft
  behavioral2/files/0x000300000001e7c0-26.dat | Nirsoft
  behavioral2/memory/3584-31-0x00000202F7C30000-0x00000202FB88A000-memory.dmp | Nirsoft
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | Vape_Launcher.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2028 | Infected.exe
  3584 | Vape Launcher.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3584 | Vape Launcher.exe (the same entry is listed for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2028 | Infected.exe
  Token: SeDebugPrivilege | 3584 | Vape Launcher.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4608 wrote to memory of 2028 | 4608 | Vape_Launcher.exe | 92
  PID 4608 wrote to memory of 2028 | 4608 | Vape_Launcher.exe | 92
  PID 4608 wrote to memory of 3584 | 4608 | Vape_Launcher.exe | 94
  PID 4608 wrote to memory of 3584 | 4608 | Vape_Launcher.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe (depth 1, PID 4608)
  command line: "C:\Users\Admin\AppData\Local\Temp\Vape_Launcher.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Infected.exe (depth 2, PID 2028)
    command line: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe (depth 2, PID 3584)
    command line: "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (depth 1, PID 1640)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: d08bccadaa48c06a1469789ff0112691
  SHA1: 0dc033820315a9065ad0b1a711ac6fc08c750a28
  SHA256: cdcdc9ba2ac83c9fa2d65683f99723f2d377660f204be8fc4eecb0097e7751df
  SHA512: 176b8b0c39807e61eda9a274c1055b5fec2c23a12661028848271a0cd85dda9759f10f9b466f124602b92463a644879adc7d36ec7c87cf9c3c4d49407365e704
- Filesize: 4.6MB
  MD5: fbfc954fcc998f53b95a5facc242f5c6
  SHA1: 715b83929187bb735901c9bc897486b4fcf8b3b3
  SHA256: ec5a7070d1edf4e4bb7d797e54ae0366348fc7a233377649ec71c4e009e4599a
  SHA512: 8ad113e70addb62b88820f13ca814c95e4f9ca0b9e1167884594808ff00025aa7af314d2f2d0e7c6db4585f3df69257087d03515938382772c8c4e8613ec582f
- Filesize: 1.8MB
  MD5: bbf95eea023c3866de080ee757feb9e1
  SHA1: 075770c06794698a325dd8c508466b4e59809fe6
  SHA256: 5289b28940ecd498b1db55ac7048fcb73d099f21525e65fcbb775387faac0e80
  SHA512: decb9f2f1547386a38d99d5ef74915c0cbdd5b31c337dee3d9cb4121a2bfc39f516261c9d03d2c88ca293a959b22d428cd163f3ff9b8227b649ca3c538421ffc
- Filesize: 1.7MB
  MD5: e62bce5650f41618d25b062a58527b42
  SHA1: 2994c16b2802fcac74af0ae92b9fe8471e32a644
  SHA256: 51985a99afb52866724ad80a67a5258aaaaaaaa22297937c12ba7787a29f035a
  SHA512: f52931a0541f67c1c49b6a61943f6ed0c5da4ae6d2d63f6702af1b84e72e10cc2e91cd4555afeb7de2a26fb61d137224c741d8430dc9f21698ad73dd72bd449d