Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 20-06-2024 19:29
General
- Target: smss.exe
- Size: 47KB
- MD5: 73ef7a1f952dc519d57d09359ab8d527
- SHA1: c2e72d35420ac17e637f5cec05cb2fe3b8b3c9be
- SHA256: b9d269f2b05a9a972d83ec004aef9116da9776a2d2323eb4de05c283ead489ec
- SHA512: 0cb788ddd68a4a0413994264ed9c69a8b8c90c35377fcc5bbdd43df86db33ef5139f708a93362a194fd148b34e5e20374b417b9f3acdfd7e0ff947c411223f7c
- SSDEEP: 768:ouPfZTg4pYiWUU9jjmo2qrvxF7Handx/pcvPIX6BthC7x/af0bl21TO605ATxSWE:ouPfZTgKa2sbqdAoX6BthIZblkkANSWE
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 4.tcp.eu.ngrok.io:11252
- Mutex: eVSWBbTWgj8n
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
- aes.plain
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  Processes:
  flow  ioc
  17    4.tcp.eu.ngrok.io
  29    4.tcp.eu.ngrok.io
  1     4.tcp.eu.ngrok.io
  10    4.tcp.eu.ngrok.io
  14    4.tcp.eu.ngrok.io
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid  process
  Token: SeDebugPrivilege  748  smss.exe
  Token: SeDebugPrivilege  748  smss.exe
Processes
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/748-0-0x000000007325E000-0x000000007325F000-memory.dmp (Filesize: 4KB)
- memory/748-1-0x0000000000200000-0x0000000000212000-memory.dmp (Filesize: 72KB)
- memory/748-2-0x0000000073250000-0x000000007393E000-memory.dmp (Filesize: 6.9MB)
- memory/748-3-0x0000000004E40000-0x0000000004EA6000-memory.dmp (Filesize: 408KB)
- memory/748-4-0x00000000053A0000-0x000000000543C000-memory.dmp (Filesize: 624KB)
- memory/748-5-0x000000007325E000-0x000000007325F000-memory.dmp (Filesize: 4KB)
- memory/748-6-0x0000000073250000-0x000000007393E000-memory.dmp (Filesize: 6.9MB)