Analysis
max time kernel: 1795s
max time network: 1152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2024 05:49
Behavioral task: behavioral1
Sample: Notepad+++.exe
Resource: win7-20240903-en
General
Target: Notepad+++.exe
Size: 176KB
MD5: e811a2eea76cc805e26501c13ce781e4
SHA1: 9588e37dbdaf367882202067b56a8b89550f16f4
SHA256: 04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
SHA512: a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf
SSDEEP: 3072:LuLMTwip2wiMf3bjww24LZGjXpoGoByXPQs2UTXQ8yb7aFcUiSIvF68fJvx:LuLCs/E3bQ4ZGbpYByPT7lyvIcdSIvFX
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
Mutex: 2MadfT525Jmp
delay: 3
install: true
install_file: epicgames.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoC)
Processes:
- resource: behavioral2/files/0x0008000000023c63-12.dat, yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Notepad+++.exe: Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Processes:
- PID 2956: epicgames.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Notepad+++.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- schtasks.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- timeout.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- epicgames.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Delays execution with timeout.exe (1 IoC)
Processes:
- PID 4756: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
- PID 924: Notepad+++.exe (the same entry is recorded 23 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 924 Notepad+++.exe: Token SeDebugPrivilege
- PID 2956 epicgames.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each entry is recorded three times in the raw log):
- PID 924 (Notepad+++.exe) wrote to memory of PID 1432, procid_target 87
- PID 924 (Notepad+++.exe) wrote to memory of PID 2472, procid_target 89
- PID 1432 (cmd.exe) wrote to memory of PID 2308, procid_target 91
- PID 2472 (cmd.exe) wrote to memory of PID 4756, procid_target 92
- PID 2472 (cmd.exe) wrote to memory of PID 2956, procid_target 93
Processes

C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Notepad+++.exe"
  PID: 924
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"' & exit
    PID: 1432
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "epicgames" /tr '"C:\Users\Admin\AppData\Roaming\epicgames.exe"'
      PID: 2308
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA037.tmp.bat""
    PID: 2472
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 3
      PID: 4756
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\epicgames.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\epicgames.exe"
      PID: 2956
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 153B
MD5: 2f62dd6048a54ec0d80fbfd6e00511dd
SHA1: d7e08fb55313913ddc04b10a214eadde188a7f27
SHA256: 4bbc955beb24bd4e2aebe98212acf01b3b701287a9e20617f9c58d8e68620ed0
SHA512: d8f8a900005c740803b1e60194708e414746b57aa3969d0da8366d5687f51a4b2f231e355c90ebbbda7a52ce5a7a9500f1a47ef7cb1375e20b8c830612730828

Filesize: 176KB
MD5: e811a2eea76cc805e26501c13ce781e4
SHA1: 9588e37dbdaf367882202067b56a8b89550f16f4
SHA256: 04f2eadb4cf1c2aa1748467be02e801bb3236d0b1cb4ee22edb01eb12abe0dd3
SHA512: a4d58e513d00543767d37a571e5f4a5b923a72d7963cc65f138c28c580854fc74a9e3fdad08102b2630f0ded48be01446132477c4ec211848bd9f201f692ccaf