Analysis
-
max time kernel
62s -
max time network
65s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
01-01-2025 23:58
General
-
Target
NVIDIA GeForce Experience.exe
-
Size
515KB
-
MD5
96ef75b619c48477b1aff625f4aadd58
-
SHA1
c869edf72ef6cf1c4412f0c4d98891b3c66483c9
-
SHA256
abf8c0425e1f9fcda7ad276bf1bef3ed6c809f18566aa615b81c5cb7940bb025
-
SHA512
9835d256ffa1632f2a8f3b7f902a0b8e1c6dbcfd51e69dfa6ce7b9f6965e8cb760a2824749ff80c1845c9703506c8a40e780659418955193097ada97ff328197
-
SSDEEP
3072:1qXibN8kmKuHUYF2drg2Ab4aUzwtszjJY:AXm7/RXAb9Uz9i
Malware Config
Extracted
asyncrat
| Edit by Vinom Rat
Testing
AnonymousUser222222222222-49972.portmap.host:49972
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
NVIDIA.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x001c00000002aa41-12.dat family_asyncrat -
Executes dropped EXE 1 IoCs
pid Process 3020 NVIDIA.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NVIDIA GeForce Experience.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NVIDIA.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4740 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4892 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 4104 NVIDIA GeForce Experience.exe 3020 NVIDIA.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4104 NVIDIA GeForce Experience.exe Token: SeDebugPrivilege 3020 NVIDIA.exe Token: SeDebugPrivilege 3020 NVIDIA.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3020 NVIDIA.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4104 wrote to memory of 4140 4104 NVIDIA GeForce Experience.exe 78 PID 4104 wrote to memory of 4140 4104 NVIDIA GeForce Experience.exe 78 PID 4104 wrote to memory of 4140 4104 NVIDIA GeForce Experience.exe 78 PID 4104 wrote to memory of 468 4104 NVIDIA GeForce Experience.exe 79 PID 4104 wrote to memory of 468 4104 NVIDIA GeForce Experience.exe 79 PID 4104 wrote to memory of 468 4104 NVIDIA GeForce Experience.exe 79 PID 468 wrote to memory of 4740 468 cmd.exe 82 PID 468 wrote to memory of 4740 468 cmd.exe 82 PID 468 wrote to memory of 4740 468 cmd.exe 82 PID 4140 wrote to memory of 4892 4140 cmd.exe 83 PID 4140 wrote to memory of 4892 4140 cmd.exe 83 PID 4140 wrote to memory of 4892 4140 cmd.exe 83 PID 468 wrote to memory of 3020 468 cmd.exe 84 PID 468 wrote to memory of 3020 468 cmd.exe 84 PID 468 wrote to memory of 3020 468 cmd.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\NVIDIA GeForce Experience.exe"C:\Users\Admin\AppData\Local\Temp\NVIDIA GeForce Experience.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NVIDIA" /tr '"C:\Users\Admin\AppData\Roaming\NVIDIA.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "NVIDIA" /tr '"C:\Users\Admin\AppData\Roaming\NVIDIA.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8ADB.tmp.bat""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4740
-
-
C:\Users\Admin\AppData\Roaming\NVIDIA.exe"C:\Users\Admin\AppData\Roaming\NVIDIA.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3020
-
-
Network
-
Remote address:8.8.8.8:53RequestAnonymousUser222222222222-49972.portmap.hostIN AResponseAnonymousUser222222222222-49972.portmap.hostIN A193.161.193.99
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
260 B 200 B 5 5
-
260 B 160 B 5 4
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD577d36f45123df41d2a83c9e983d264b9
SHA15bfa2e9b61e02b2b9ef81a0a9ba50165b051d6c8
SHA256fa9b01fe487979fed64951769832236463c321743ed301ff7ed537e870aac184
SHA512de57d9d32bac373b286f882aed8d5662ed44a9d123d532990408f53a57f096636ce526feab71573ead416ef0cb98a8d3a472342a4a7ed9795ad9fa7bcf35424b
-
Filesize
515KB
MD596ef75b619c48477b1aff625f4aadd58
SHA1c869edf72ef6cf1c4412f0c4d98891b3c66483c9
SHA256abf8c0425e1f9fcda7ad276bf1bef3ed6c809f18566aa615b81c5cb7940bb025
SHA5129835d256ffa1632f2a8f3b7f902a0b8e1c6dbcfd51e69dfa6ce7b9f6965e8cb760a2824749ff80c1845c9703506c8a40e780659418955193097ada97ff328197