Analysis
- max time kernel: 1795s
- max time network: 1564s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2024 05:49
Behavioral task: behavioral1
- Sample: Notepad+++.exe
- Resource: win7-20240903-en
General
- Target: Notepad+++.exe
- Size: 176KB
- MD5: e811a2eea76cc805e26501c13ce781e4
- SHA1: 9588e37dbdaf367882202067b56a8b89550f16f4
- SHA256: 04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
- SHA512: a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf
- SSDEEP: 3072:LuLMTwip2wiMf3bjww24LZGjXpoGoByXPQs2UTXQ8yb7aFcUiSIvF68fJvx:LuLCs/E3bQ4ZGbpYByPT7lyvIcdSIvFX
Malware Config
Extracted: asyncrat 0.5.8
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- 2MadfT525Jmp
- delay: 3
- install: true
- install_file: epicgames.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  Processes (resource / yara_rule):
    behavioral1/files/0x000c00000001226a-13.dat  family_asyncrat
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2772  epicgames.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    2788  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Notepad+++.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  epicgames.exe
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
    2668  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
    1916  Notepad+++.exe
    1916  Notepad+++.exe
    1916  Notepad+++.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1916  Notepad+++.exe
    Token: SeDebugPrivilege  2772  epicgames.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / procid_target), each entry reported 4 times:
    PID 1916 wrote to memory of 3064  1916  Notepad+++.exe  32
    PID 1916 wrote to memory of 2788  1916  Notepad+++.exe  34
    PID 3064 wrote to memory of 2664  3064  cmd.exe  36
    PID 2788 wrote to memory of 2668  2788  cmd.exe  37
    PID 2788 wrote to memory of 2772  2788  cmd.exe  38
Processes
- C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe (depth 1, PID 1916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe"
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3064)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2664)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'
      Signatures:
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2788)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3C1.tmp.bat""
    Signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3, PID 2668)
      Command line: timeout 3
      Signatures:
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\epicgames.exe (depth 3, PID 2772)
      Command line: "C:\Users\Admin\AppData\Roaming\epicgames.exe"
      Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 623e052348fc015e955e9d69f17a18a2
  SHA1: 1d4d91b176c21974ccb79ff1f8e4181bfb9c100e
  SHA256: 1664a306f600f31abac48747798d69e7a2b91a8fd85b34234dd19c584ac79f76
  SHA512: 9ac371f2e69a029ad4d6480abce16b669319c250f68fdce024fc6c16a511167b8f77c3367e63b57dfe33424cbb40d11a3860dbcabc2ea73973aef70933b57b6e
- Filesize: 176KB
  MD5: e811a2eea76cc805e26501c13ce781e4
  SHA1: 9588e37dbdaf367882202067b56a8b89550f16f4
  SHA256: 04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
  SHA512: a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf