Analysis
- max time kernel: 1797s
- max time network: 1146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2024 04:14
Behavioral task
- behavioral1
- Sample: Notepad+++.exe
- Resource: win7-20240729-en
General
- Target: Notepad+++.exe
- Size: 176KB
- MD5: e811a2eea76cc805e26501c13ce781e4
- SHA1: 9588e37dbdaf367882202067b56a8b89550f16f4
- SHA256: 04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
- SHA512: a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf
- SSDEEP: 3072:LuLMTwip2wiMf3bjww24LZGjXpoGoByXPQs2UTXQ8yb7aFcUiSIvF68fJvx:LuLCs/E3bQ4ZGbpYByPT7lyvIcdSIvFX
Malware Config
Extracted: asyncrat
- Version: 0.5.8
- Botnet/group: Default
- C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
- Mutex (unlabelled field in the extracted config; this slot holds the mutex string in AsyncRAT builds): 2MadfT525Jmp
- delay: 3
- install: true
- install_file: epicgames.exe
- install_folder: %AppData%

Reading the config: all three C2 entries point at the loopback address, so this build, as extracted, only ever connects back to the host it runs on and no remote C2 infrastructure can be derived from this report; 6606/7707/8808 are the AsyncRAT builder's default ports. The install settings do match the observed behaviour: %AppData% expands to C:\Users\<user>\AppData\Roaming, which is where epicgames.exe is written and launched, and delay 3 is the `timeout 3` the dropped batch file runs before starting the installed copy.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x000b000000023b94-12.dat
  yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: Notepad+++.exe
  Key queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  PID 2380: epicgames.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the victim's system language in order to infer the host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: Notepad+++.exe, cmd.exe, cmd.exe, timeout.exe, schtasks.exe, epicgames.exe
  Caveat: this key is opened by ordinary Windows processes during startup (it fires here for cmd.exe, timeout.exe and schtasks.exe as well as for the sample), so on its own it is weak evidence of deliberate language discovery.
- Delays execution with timeout.exe (1 IoC)
  PID 3652: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 5088: Notepad+++.exe (23 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 5088 Notepad+++.exe
  Token SeDebugPrivilege: PID 2380 epicgames.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Source PID | Source process | Target PID (process) | procid_target | Writes
  5088 | Notepad+++.exe | 2512 (cmd.exe) | 87 | 3
  5088 | Notepad+++.exe | 1672 (cmd.exe) | 89 | 3
  2512 | cmd.exe | 688 (schtasks.exe) | 91 | 3
  1672 | cmd.exe | 3652 (timeout.exe) | 92 | 3
  1672 | cmd.exe | 2380 (epicgames.exe) | 93 | 3
  Every write target is the writer's direct child in the process tree below, so these writes are consistent with process creation rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe (PID 5088)
  command line: "C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2512)
  |     command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit
  |     - System Location Discovery: System Language Discovery
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe (PID 688)
  |           command line: schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'
  |           - System Location Discovery: System Language Discovery
  |           - Scheduled Task/Job: Scheduled Task
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 1672)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.bat""
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\timeout.exe (PID 3652)
        |     command line: timeout 3
        |     - System Location Discovery: System Language Discovery
        |     - Delays execution with timeout.exe
        |
        +-- C:\Users\Admin\AppData\Roaming\epicgames.exe (PID 2380)
              command line: "C:\Users\Admin\AppData\Roaming\epicgames.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample spawns two cmd.exe children. The first registers a scheduled task named "epicgames" that runs C:\Users\Admin\AppData\Roaming\epicgames.exe at every logon with the highest run level the user holds (/f overwrites any existing task of that name). The second runs a dropped batch file that sleeps 3 seconds (timeout 3, matching the config's delay) and then starts the installed copy from %AppData%. The command lines ask for C:\Windows\System32\cmd.exe but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection, so the sample is a 32-bit binary running on 64-bit Windows, consistent with the arch:x86 resource tag.
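As an added example (not part of the sandbox report or the sandbox's own tooling), the Python below turns the two behaviours in the process tree above into detection rules over process-creation events: a scored check on `schtasks /create` command lines (logon trigger, highest run level, /f, action binary in a user-writable path, ancestor running from Temp/AppData) and a parent/child pattern for the "cmd.exe runs a .bat, sleeps with timeout.exe, then launches an exe from AppData" stub. The event records are constructed from the report's tree (same PIDs, images and command lines); the ProcEvent schema, the rule names and the benign control case (an "Acme" updater task) are this example's own assumptions.

```python
"""Detection rules for the AsyncRAT install chain (added example, not the sandbox's code).

ProcEvent records are constructed from the report's process tree; the schema,
rule names and the benign control events are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 marks the root of the captured tree
    image: str     # full path of the executing image
    cmdline: str


# Constructed from the sandbox process tree above (same PIDs and command lines).
EVENTS = [
    ProcEvent(5088, 0, r"C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe"'),
    ProcEvent(2512, 5088, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
              r"""/tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit"""),
    ProcEvent(688, 2512, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'"""),
    ProcEvent(1672, 5088, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.bat""'),
    ProcEvent(3652, 1672, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2380, 1672, r"C:\Users\Admin\AppData\Roaming\epicgames.exe",
              r'"C:\Users\Admin\AppData\Roaming\epicgames.exe"'),
]

# Constructed control case (hypothetical vendor): a daily updater task created from Program Files.
BENIGN_EVENTS = [
    ProcEvent(900, 0, r"C:\Program Files\Acme\setup.exe", r'"C:\Program Files\Acme\setup.exe" /quiet'),
    ProcEvent(901, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /st 03:00 /tn "AcmeUpdater" /tr "C:\Program Files\Acme\update.exe"'),
]

TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")          # quoted strings stay one token
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\Downloads|Temp)\\", re.I)
VALUE_SWITCHES = {"/sc", "/rl", "/tn", "/tr", "/ru", "/rp", "/st", "/sd", "/mo", "/d", "/m", "/du", "/ri", "/ec", "/xml"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Map schtasks switches to values ('/f' -> True, '/sc onlogon' -> 'onlogon'); quotes stripped."""
    tokens = TOKEN_RE.findall(cmdline)
    flags, i = {}, 0
    while i < len(tokens):
        low = tokens[i].strip("'\"").lower()
        if low in VALUE_SWITCHES and i + 1 < len(tokens):
            flags[low[1:]] = tokens[i + 1].strip("'\"")
            i += 2
            continue
        if low.startswith("/"):
            flags[low[1:]] = True
        i += 1
    return flags


def schtasks_findings(ev, by_pid):
    """Reasons a schtasks /create event looks like persistence; an empty list means nothing notable."""
    if basename(ev.image) != "schtasks.exe":
        return []
    flags = parse_schtasks(ev.cmdline)
    if not flags.get("create"):
        return []
    reasons = []
    if str(flags.get("sc", "")).lower() in ("onlogon", "onstart"):
        reasons.append(f"/sc {flags['sc']}: fires at every logon/boot without user action")
    if str(flags.get("rl", "")).lower() == "highest":
        reasons.append("/rl highest: requests the highest run level the creating user holds")
    if flags.get("f"):
        reasons.append("/f: silently overwrites any existing task of that name")
    action = str(flags.get("tr", ""))
    if USER_WRITABLE_RE.search(action):
        reasons.append(f"task action in a user-writable path: {action}")
    parent = by_pid.get(ev.ppid)   # walk up: a Temp/AppData-resident ancestor is the strongest tell
    while parent is not None:
        if USER_WRITABLE_RE.search(parent.image):
            reasons.append(f"ancestor {basename(parent.image)} (pid {parent.pid}) runs from a user-writable path")
            break
        parent = by_pid.get(parent.ppid)
    return reasons


def delayed_relaunch(events):
    """cmd.exe running a .bat whose children are timeout.exe and an exe in a user-writable path.
    Returns (cmd_pid, timeout_pid, launched_pid) per hit: the 'sleep, then start the copy' stub."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        if basename(ev.image) != "cmd.exe" or not re.search(r"\.bat\b", ev.cmdline, re.I):
            continue
        kids = children.get(ev.pid, [])
        waits = [k for k in kids if basename(k.image) == "timeout.exe"]
        launched = [k for k in kids if basename(k.image).endswith(".exe") and USER_WRITABLE_RE.search(k.image)]
        if waits and launched:
            hits.append((ev.pid, waits[0].pid, launched[0].pid))
    return hits


def analyze(events):
    by_pid = {e.pid: e for e in events}
    flagged = {}
    for ev in events:
        reasons = schtasks_findings(ev, by_pid)
        if reasons:
            flagged[ev.pid] = reasons
    return {"schtasks": flagged, "delayed_relaunch": delayed_relaunch(events)}


if __name__ == "__main__":
    for name, evs in (("sample", EVENTS), ("benign control", BENIGN_EVENTS)):
        print(name, analyze(evs))
```

On the sample events the schtasks rule fires on PID 688 with all five reasons and the relaunch rule returns (1672, 3652, 2380); on the control case both return empty. The ancestor walk is what separates the two: a logon task pointing at Program Files, created by an installer in Program Files, scores nothing, while the same switches issued from a binary in Temp do. In a real EDR pipeline the same rules would run over the vendor's process-creation telemetry rather than a hand-built list.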
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 82a9da7a60499bd966efa80246244a38
  SHA1: bafeeee09aa53497b2f82086b302adcffeffd67d
  SHA256: 950c8c8db957e05a66b88bc03286d6454939cf36a6f9e00653f0a7c726314d9a
  SHA512: 9c4c670245e6bde773d17e0c9b1f13bf68c984956eaef8f43e5dc780ac64315b054c2ca89609d779d63a2a9f422e9d0add2e63e9310950e5854669f2f483a999
- Filesize: 176KB
  MD5: e811a2eea76cc805e26501c13ce781e4
  SHA1: 9588e37dbdaf367882202067b56a8b89550f16f4
  SHA256: 04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
  SHA512: a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf
  These hashes are identical to the submitted sample's, so this dropped file is a byte-for-byte copy of Notepad+++.exe, consistent with the install_file epicgames.exe in the extracted config. The report does not name either dropped file.