Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
22-06-2024 03:45
Behavioral task
behavioral1
Sample
dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
Resource
win7-20240508-en
3 signatures
150 seconds
General
-
Target
dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
-
Size
47KB
-
MD5
18d494d508d16f2c16cb9d30c4f11bf3
-
SHA1
f4a05b98a75505ece207f6c542949223baa3844b
-
SHA256
dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1
-
SHA512
3a63fc4de20e1cd43179801262a7ba70845d689144726b17eed53d64c53fdc0836ba77c6ba1685ab37b6d3002db2904acdc752e9380a60a44ea618218c282008
-
SSDEEP
768:MuPfZTg4pYiWUU9jjmo2qr/XtXyTCXLHpfNd7vPIbiJ1Qi0bBLwhtD2U/9lDP3S3:MuPfZTgKa2YIC9fNdEbiJqdbBLk9/9lw
Malware Config
Extracted
Family
asyncrat
Version
0.5.8
Botnet
Default
C2
5.tcp.eu.ngrok.io:14915
Mutex
YVISpSrdK8Qe
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
Flows (all to the ngrok TCP tunnel endpoint that serves as the C2):
flow  ioc
2     5.tcp.eu.ngrok.io
4     5.tcp.eu.ngrok.io
5     5.tcp.eu.ngrok.io
6     5.tcp.eu.ngrok.io
7     5.tcp.eu.ngrok.io
8     5.tcp.eu.ngrok.io
9     5.tcp.eu.ngrok.io
10    5.tcp.eu.ngrok.io
11    5.tcp.eu.ngrok.io -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1632  dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
Token: SeDebugPrivilege  1632  dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
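The two signatures above (an ngrok TCP tunnel used as C2, and the sample enabling SeDebugPrivilege in its own token) translate directly into host and network detections. The following Python is an added example and is not part of the sandbox report: it takes the indicators listed on this page (file hashes, C2 host and port, mutex) and runs them, together with a generic ngrok TCP tunnel pattern and a SeDebugPrivilege check, over a few constructed key=value log lines. The log format, the field names, the `SEDEBUG_ALLOWLIST` contents and the rule names are assumptions made for the example, not something the report specifies.

```python
import re

# Indicators taken from the report above.
IOC_SHA256 = "dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1"
IOC_MD5 = "18d494d508d16f2c16cb9d30c4f11bf3"
IOC_C2_HOST = "5.tcp.eu.ngrok.io"
IOC_C2_PORT = 14915
IOC_MUTEX = "YVISpSrdK8Qe"

# Any ngrok TCP tunnel endpoint (<n>.tcp.<region>.ngrok.io). A match is a lead,
# not a verdict: ngrok is a legitimate service with legitimate users, and the
# tunnel number changes between campaigns, so the exact C2 host is only one case.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.[a-z]{2}\.ngrok\.io$", re.IGNORECASE)

# Images that legitimately take SeDebugPrivilege on a workstation. This
# allowlist is an assumption for the example; tune it to the environment.
SEDEBUG_ALLOWLIST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\lsass.exe",
}


def parse(line):
    """Parse '<timestamp> key=value key=value ...' into a dict (format assumed)."""
    parts = line.split()
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def match(event):
    """Return the names of the rules an event triggers (possibly none)."""
    rules = []
    etype = event.get("type")

    if etype == "dns" and NGROK_TCP_RE.match(event.get("query", "")):
        rules.append("ngrok_tcp_tunnel_dns")
    if etype == "conn":
        dst, dport = event.get("dst", ""), event.get("dport", "")
        if dst.lower() == IOC_C2_HOST and dport == str(IOC_C2_PORT):
            rules.append("asyncrat_c2_exact")       # the C2 from the config
        elif NGROK_TCP_RE.match(dst):
            rules.append("ngrok_tcp_tunnel_conn")   # any other ngrok tunnel
    if etype == "file" and (event.get("sha256", "").lower() == IOC_SHA256
                            or event.get("md5", "").lower() == IOC_MD5):
        rules.append("known_sample_hash")
    # Mutex may be logged as a full object path; compare only the last component.
    if etype == "mutex" and event.get("name", "").rsplit("\\", 1)[-1] == IOC_MUTEX:
        rules.append("asyncrat_mutex")
    if (etype == "token" and event.get("privilege") == "SeDebugPrivilege"
            and event.get("image", "").lower() not in SEDEBUG_ALLOWLIST):
        rules.append("sedebug_from_unexpected_image")
    return rules


def scan(text):
    """Run every rule over each non-empty line; return (rule, line) pairs."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        for rule in match(parse(line)):
            hits.append((rule, line))
    return hits


# Constructed log lines for illustration; they are not from the sandbox run.
SAMPLE_LOG = r"""
2024-06-22T03:46:01Z type=dns host=ws01 query=5.tcp.eu.ngrok.io
2024-06-22T03:46:01Z type=conn host=ws01 dst=5.tcp.eu.ngrok.io dport=14915 proto=tcp
2024-06-22T03:46:02Z type=conn host=ws01 dst=www.example.com dport=443 proto=tcp
2024-06-22T03:46:03Z type=token host=ws01 pid=1632 image=C:\Users\u\dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe privilege=SeDebugPrivilege
2024-06-22T03:46:04Z type=mutex host=ws01 pid=1632 name=\Sessions\1\BaseNamedObjects\YVISpSrdK8Qe
2024-06-22T03:46:05Z type=file host=ws01 path=C:\Users\u\Downloads\sample.exe sha256=dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1
2024-06-22T03:46:06Z type=dns host=ws02 query=3.tcp.eu.ngrok.io
2024-06-22T03:46:07Z type=token host=ws02 pid=700 image=C:\Windows\System32\svchost.exe privilege=SeDebugPrivilege
"""

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(f"{rule:32s} {line}")
```

The exact-hash and mutex rules are brittle by design (a rebuilt sample changes both), while the ngrok pattern and the SeDebugPrivilege check survive rebuilds; the second DNS hit on ws02 shows the generic rule catching a different tunnel number that the report's own IoC list would miss. The config's `install: false` means this sample does not drop a persistent copy under `%AppData%`, so a disk-based hash hunt may find only the original download.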
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/1632-0-0x000000007495E000-0x000000007495F000-memory.dmp
Filesize: 4KB
-
memory/1632-1-0x0000000000BB0000-0x0000000000BC2000-memory.dmp
Filesize: 72KB
-
memory/1632-2-0x0000000074950000-0x000000007503E000-memory.dmp
Filesize: 6.9MB
-
memory/1632-3-0x000000007495E000-0x000000007495F000-memory.dmp
Filesize: 4KB
-
memory/1632-4-0x0000000074950000-0x000000007503E000-memory.dmp
Filesize: 6.9MB