Analysis
-
max time kernel
1796s -
max time network
1559s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
01-12-2024 04:14
Behavioral task
behavioral1
Sample
Notepad+++.exe
Resource
win7-20240729-en
General
-
Target
Notepad+++.exe
-
Size
176KB
-
MD5
e811a2eea76cc805e26501c13ce781e4
-
SHA1
9588e37dbdaf367882202067b56a8b89550f16f4
-
SHA256
04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
-
SHA512
a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf
-
SSDEEP
3072:LuLMTwip2wiMf3bjww24LZGjXpoGoByXPQs2UTXQ8yb7aFcUiSIvF68fJvx:LuLCs/E3bQ4ZGbpYByPT7lyvIcdSIvFX
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
2MadfT525Jmp
-
delay
3
-
install
true
-
install_file
epicgames.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
Processes:
  resource                                     yara_rule
  behavioral1/files/0x000b0000000122cf-14.dat  family_asyncrat
-
Executes dropped EXE 1 IoCs
Processes:
  pid   Process
  2604  epicgames.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid   Process
  2688  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Notepad+++.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  epicgames.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   Process
  2568  timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid   Process
  2656  Notepad+++.exe
  2656  Notepad+++.exe
  2656  Notepad+++.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  2656  Notepad+++.exe
  Token: SeDebugPrivilege  2604  epicgames.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description                        pid   Process         procid_target
  PID 2656 wrote to memory of 2588   2656  Notepad+++.exe  31
  PID 2656 wrote to memory of 2588   2656  Notepad+++.exe  31
  PID 2656 wrote to memory of 2588   2656  Notepad+++.exe  31
  PID 2656 wrote to memory of 2588   2656  Notepad+++.exe  31
  PID 2656 wrote to memory of 2688   2656  Notepad+++.exe  33
  PID 2656 wrote to memory of 2688   2656  Notepad+++.exe  33
  PID 2656 wrote to memory of 2688   2656  Notepad+++.exe  33
  PID 2656 wrote to memory of 2688   2656  Notepad+++.exe  33
  PID 2588 wrote to memory of 2548   2588  cmd.exe         35
  PID 2588 wrote to memory of 2548   2588  cmd.exe         35
  PID 2588 wrote to memory of 2548   2588  cmd.exe         35
  PID 2588 wrote to memory of 2548   2588  cmd.exe         35
  PID 2688 wrote to memory of 2568   2688  cmd.exe         36
  PID 2688 wrote to memory of 2568   2688  cmd.exe         36
  PID 2688 wrote to memory of 2568   2688  cmd.exe         36
  PID 2688 wrote to memory of 2568   2688  cmd.exe         36
  PID 2688 wrote to memory of 2604   2688  cmd.exe         37
  PID 2688 wrote to memory of 2604   2688  cmd.exe         37
  PID 2688 wrote to memory of 2604   2688  cmd.exe         37
  PID 2688 wrote to memory of 2604   2688  cmd.exe         37
Processes
-
C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID:2548
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3BF7.tmp.bat""
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
    -
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
      PID:2568
    -
    C:\Users\Admin\AppData\Roaming\epicgames.exe
      Command line: "C:\Users\Admin\AppData\Roaming\epicgames.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2604
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5
1e80fa35fc42e597c4409eb57a53cadc
SHA1
02a8547408bc21bdbdbfaafe892a2f09db76e051
SHA256
4852f54cbd3034f11da1ae35aacbb3075e09666e9dd6496880f1adc9aa42ca7c
SHA512
7fad8a9bdd26cb5c430d3e2a3425c2b96059590224d875af3fcd213c29ee43462a01bde727b8bf5f54f3b6add2ab7ff7c9503b0e2e36e5ad82bd4cbcbf8c2864
-
Filesize
176KB
MD5
e811a2eea76cc805e26501c13ce781e4
SHA1
9588e37dbdaf367882202067b56a8b89550f16f4
SHA256
04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
SHA512
a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf