Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 16-01-2021 07:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: FedEx Invoice 202116435.exe
- Resource: win7v20201028
General
- Target: FedEx Invoice 202116435.exe
- Size: 766KB
- MD5: fd3988d887f5e982384dca104ea49001
- SHA1: d3ad5fa2af44707e5e27b76fdbebf5a9ae28b457
- SHA256: aa0399675c53f77a7996102b5301ea24814642e9eee30648c9ac75b3b1052235
- SHA512: 868c4795ae2fea9aaa98ad069c97564bc051ee73e728bdd61ba7f250b8b9d9b41013b4446a61a364c71f6f4105f25790938a1cbeaba64850159f69ad4836811c
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- C2: 79.134.225.45:2233
- mutex: AsyncMutex_6SI8OkPnk
- aes_key: yCFT3D6MMz3qsbxnPTBTTSsUCB2B6gqZ
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 79.134.225.45
- hwid: 5
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 2233
- version: 0.5.7B
Signatures
- Async RAT payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1876-9-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1876-10-0x000000000040C70E-mapping.dmp | asyncrat
  behavioral1/memory/1876-11-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1876-12-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: FedEx Invoice 202116435.exe
  description | pid | process | target process
  PID 792 set thread context of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: FedEx Invoice 202116435.exe
  pid | process
  792 | FedEx Invoice 202116435.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: FedEx Invoice 202116435.exe
  description | pid | process
  Token: SeDebugPrivilege | 792 | FedEx Invoice 202116435.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: FedEx Invoice 202116435.exe
  description | pid | process | target process
  PID 792 wrote to memory of 1012 | 792 | FedEx Invoice 202116435.exe | schtasks.exe
  PID 792 wrote to memory of 1012 | 792 | FedEx Invoice 202116435.exe | schtasks.exe
  PID 792 wrote to memory of 1012 | 792 | FedEx Invoice 202116435.exe | schtasks.exe
  PID 792 wrote to memory of 1012 | 792 | FedEx Invoice 202116435.exe | schtasks.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
  PID 792 wrote to memory of 1876 | 792 | FedEx Invoice 202116435.exe | FedEx Invoice 202116435.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVJgNVIylS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49DC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp49DC.tmp
  MD5: 0cf8cd0185e353050e2b3a48b53876f7
  SHA1: 8e4d6e1411849b50090f400b29affda3cecf714a
  SHA256: d1c48e991988987fa7eb3047f325f314c2725450312053bc41ff976ec45a97d0
  SHA512: c31698bc930dc7640fabf9f6ad050ce5bcfede0f760382ec6574859faed5848e9626bf040e6a6ef98ae3a4d948a41b8f61c86aa3c518e1ac9c6478869a52bd10
- memory/792-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp
  Filesize: 6.9MB
- memory/792-3-0x0000000001060000-0x0000000001061000-memory.dmp
  Filesize: 4KB
- memory/792-5-0x00000000003D0000-0x00000000003E3000-memory.dmp
  Filesize: 76KB
- memory/792-6-0x0000000000CD0000-0x0000000000D18000-memory.dmp
  Filesize: 288KB
- memory/1012-7-0x0000000000000000-mapping.dmp
- memory/1876-9-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1876-10-0x000000000040C70E-mapping.dmp
- memory/1876-11-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1876-12-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1876-13-0x00000000747A0000-0x0000000074E8E000-memory.dmp
  Filesize: 6.9MB