Analysis
-
max time kernel
119s -
max time network
148s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
26-01-2022 14:53
Static task
static1
Behavioral task
behavioral1
Sample
invoice.exe
Resource
win7-en-20211208
General
-
Target
invoice.exe
-
Size
688KB
-
MD5
720b1afcfa57b140329465ecbcdec31e
-
SHA1
be0387473f50e017a13e3a097ac80cca00bd0350
-
SHA256
c306becc8baa90c1d305a2dd9dfb7649ecbc51f356553da16d4300ac728cea3c
-
SHA512
134750da6778a2ce634c579cd2b26344d9a164ec026e737f368dad5d5738472fb4afc10e8310e837c7a896dc94b15b7639ed92d5a71594ebe27376e4603475a3
Malware Config
Extracted
asyncrat
0.5.7B
Default
exportmunic007.duckdns.org:6606
exportmunic007.duckdns.org:7707
exportmunic007.duckdns.org:8808
AsyncMutex_6SI8OkPnk
-
anti_vm
false
-
bsod
false
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
null
Signatures
-
Async RAT payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1532-64-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral1/memory/1532-65-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral1/memory/1532-63-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral1/memory/1532-66-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral1/memory/1532-72-0x00000000004F0000-0x0000000000512000-memory.dmp asyncrat -
Suspicious use of SetThreadContext 1 IoCs
Processes:
invoice.exedescription pid process target process PID 1464 set thread context of 1532 1464 invoice.exe invoice.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
invoice.exepowershell.exepid process 1464 invoice.exe 1464 invoice.exe 1464 invoice.exe 1464 invoice.exe 1464 invoice.exe 1464 invoice.exe 1464 invoice.exe 1964 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
invoice.exepowershell.exeinvoice.exedescription pid process Token: SeDebugPrivilege 1464 invoice.exe Token: SeDebugPrivilege 1964 powershell.exe Token: SeDebugPrivilege 1532 invoice.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
invoice.exedescription pid process target process PID 1464 wrote to memory of 1964 1464 invoice.exe powershell.exe PID 1464 wrote to memory of 1964 1464 invoice.exe powershell.exe PID 1464 wrote to memory of 1964 1464 invoice.exe powershell.exe PID 1464 wrote to memory of 1964 1464 invoice.exe powershell.exe PID 1464 wrote to memory of 956 1464 invoice.exe schtasks.exe PID 1464 wrote to memory of 956 1464 invoice.exe schtasks.exe PID 1464 wrote to memory of 956 1464 invoice.exe schtasks.exe PID 1464 wrote to memory of 956 1464 invoice.exe schtasks.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe PID 1464 wrote to memory of 1532 1464 invoice.exe invoice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\invoice.exe"C:\Users\Admin\AppData\Local\Temp\invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KkFQRCLo.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KkFQRCLo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\invoice.exe"C:\Users\Admin\AppData\Local\Temp\invoice.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmpMD5
8c3d2fb96461da0862746a8aa772d2d7
SHA1d435c8f4c1ad7eb62e363b1b56d3765997b16442
SHA25658e0edd7611e5ad142b2a20fe169dab91ee4363214539e910074127e1c59dc0e
SHA51210545255ccab47242bd97c2461c15aa14edf280318e8d401ee64980dec7b8e1a37220ad0285dc6fe48af1204dc2d328e2bb947f299f5b2b0cac41a3d5b906663
-
memory/1464-54-0x0000000000FC0000-0x0000000001072000-memory.dmpFilesize
712KB
-
memory/1464-55-0x0000000075F81000-0x0000000075F83000-memory.dmpFilesize
8KB
-
memory/1464-56-0x0000000004D90000-0x0000000004D91000-memory.dmpFilesize
4KB
-
memory/1464-57-0x0000000000930000-0x000000000093C000-memory.dmpFilesize
48KB
-
memory/1464-58-0x0000000000DC0000-0x0000000000DFC000-memory.dmpFilesize
240KB
-
memory/1532-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1532-65-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1532-64-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1532-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1532-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1532-66-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1532-71-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/1532-72-0x00000000004F0000-0x0000000000512000-memory.dmpFilesize
136KB
-
memory/1964-67-0x0000000001F40000-0x00000000020F0000-memory.dmpFilesize
1.7MB
-
memory/1964-68-0x0000000001F40000-0x00000000020F0000-memory.dmpFilesize
1.7MB
-
memory/1964-69-0x0000000001F40000-0x00000000020F0000-memory.dmpFilesize
1.7MB