Analysis
- max time kernel: 138s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 03:45
Behavioral task: behavioral1
- Sample: dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
- Resource: win7-20240508-en
- 3 signatures
- 150 seconds
General
- Target: dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
- Size: 47KB
- MD5: 18d494d508d16f2c16cb9d30c4f11bf3
- SHA1: f4a05b98a75505ece207f6c542949223baa3844b
- SHA256: dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1
- SHA512: 3a63fc4de20e1cd43179801262a7ba70845d689144726b17eed53d64c53fdc0836ba77c6ba1685ab37b6d3002db2904acdc752e9380a60a44ea618218c282008
- SSDEEP: 768:MuPfZTg4pYiWUU9jjmo2qr/XtXyTCXLHpfNd7vPIbiJ1Qi0bBLwhtD2U/9lDP3S3:MuPfZTgKa2YIC9fNdEbiJqdbBLk9/9lw
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 5.tcp.eu.ngrok.io:14915
- Mutex: YVISpSrdK8Qe
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
- aes.plain
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
  Processes:
  flow | ioc
  2 | 5.tcp.eu.ngrok.io
  12 | 5.tcp.eu.ngrok.io
  17 | 5.tcp.eu.ngrok.io
  18 | 5.tcp.eu.ngrok.io
  5 | 5.tcp.eu.ngrok.io
  13 | 5.tcp.eu.ngrok.io
  14 | 5.tcp.eu.ngrok.io
  15 | 5.tcp.eu.ngrok.io
  16 | 5.tcp.eu.ngrok.io
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3984 | dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
  Token: SeDebugPrivilege | 3984 | dede998c648aa3f9239ddddb59f53789694c142486c2138a06d015bcf152aeb1.exe
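The first signature fires because the C2 is an ngrok TCP tunnel: the sample embeds no attacker IP, only 5.tcp.eu.ngrok.io:14915, and the address behind that name belongs to ngrok and changes, so an IP blocklist is the wrong control and the hostname (in DNS, SNI or proxy logs) is the stable indicator. The Go program below is an added example, not part of the report: it reads flow records in the report's own `flow <id> <host>` shape (the host may carry a :port), keeps only destinations under a short list of ngrok apex domains (an illustrative list, not taken from the report), and groups the flows per host, which reduces the nine hits above to one finding. The sample lines in main are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Apex domains under which ngrok hands out tunnel hostnames. Illustrative list,
// not taken from the report; extend it with the tunnel services your estate sees.
var tunnelApexes = []string{"ngrok.io", "ngrok-free.app", "ngrok.app"}

// isTunnelHost reports whether host is a subdomain of a listed apex. The apex
// itself (the vendor's own site) does not match; only delegated names do.
func isTunnelHost(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, apex := range tunnelApexes {
		if strings.HasSuffix(h, "."+apex) {
			return true
		}
	}
	return false
}

// Finding is one tunnel destination with every flow id that reached it.
type Finding struct {
	Host  string
	Flows []int
}

// ScanFlows reads records in the report's "flow <id> <host>[:port]" shape, skips
// anything malformed, and groups the flows that went to tunnel hosts by hostname.
func ScanFlows(lines []string) []Finding {
	byHost := map[string][]int{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != "flow" {
			continue
		}
		id, err := strconv.Atoi(f[1])
		if err != nil {
			continue
		}
		host := f[2]
		if i := strings.LastIndex(host, ":"); i > 0 {
			host = host[:i] // drop a trailing :port
		}
		if isTunnelHost(host) {
			byHost[host] = append(byHost[host], id)
		}
	}
	out := make([]Finding, 0, len(byHost))
	for h, ids := range byHost {
		sort.Ints(ids)
		out = append(out, Finding{Host: h, Flows: ids})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host < out[j].Host })
	return out
}

func main() {
	// Constructed records: the nine ngrok flows from the report plus two benign ones.
	lines := []string{
		"flow 1 example.com",
		"flow 2 5.tcp.eu.ngrok.io", "flow 5 5.tcp.eu.ngrok.io", "flow 12 5.tcp.eu.ngrok.io",
		"flow 13 5.tcp.eu.ngrok.io", "flow 14 5.tcp.eu.ngrok.io", "flow 15 5.tcp.eu.ngrok.io",
		"flow 16 5.tcp.eu.ngrok.io", "flow 17 5.tcp.eu.ngrok.io", "flow 18 5.tcp.eu.ngrok.io",
		"flow 19 example.net",
	}
	for _, f := range ScanFlows(lines) {
		fmt.Printf("tunnel C2 %s reached by %d flows: %v\n", f.Host, len(f.Flows), f.Flows)
	}
}
```

Matching on the apex with a leading dot is deliberate: the vendor's own site is not a tunnel, and a name such as notngrok.io must not match either. Feed the same function DNS query names or TLS SNI values and the SeDebugPrivilege token adjustment in the second signature becomes the host-side corroboration for the same process.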
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/3984-0-0x00000000748AE000-0x00000000748AF000-memory.dmp (4KB)
- memory/3984-1-0x0000000000AA0000-0x0000000000AB2000-memory.dmp (72KB)
- memory/3984-2-0x00000000748A0000-0x0000000075050000-memory.dmp (7.7MB)
- memory/3984-3-0x0000000005450000-0x00000000054B6000-memory.dmp (408KB)
- memory/3984-4-0x0000000005900000-0x000000000599C000-memory.dmp (624KB)
- memory/3984-5-0x00000000748AE000-0x00000000748AF000-memory.dmp (4KB)
- memory/3984-6-0x00000000748A0000-0x0000000075050000-memory.dmp (7.7MB)