Overview

overview

10

Static

static

invoice.exe

windows7_x64

10

invoice.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice.exe

  • Size

    688KB

  • MD5

    720b1afcfa57b140329465ecbcdec31e

  • SHA1

    be0387473f50e017a13e3a097ac80cca00bd0350

  • SHA256

    c306becc8baa90c1d305a2dd9dfb7649ecbc51f356553da16d4300ac728cea3c

  • SHA512

    134750da6778a2ce634c579cd2b26344d9a164ec026e737f368dad5d5738472fb4afc10e8310e837c7a896dc94b15b7639ed92d5a71594ebe27376e4603475a3

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

exportmunic007.duckdns.org:6606

exportmunic007.duckdns.org:7707

exportmunic007.duckdns.org:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KkFQRCLo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KkFQRCLo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:956
    • C:\Users\Admin\AppData\Local\Temp\invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp
    MD5

    8c3d2fb96461da0862746a8aa772d2d7

    SHA1

    d435c8f4c1ad7eb62e363b1b56d3765997b16442

    SHA256

    58e0edd7611e5ad142b2a20fe169dab91ee4363214539e910074127e1c59dc0e

    SHA512

    10545255ccab47242bd97c2461c15aa14edf280318e8d401ee64980dec7b8e1a37220ad0285dc6fe48af1204dc2d328e2bb947f299f5b2b0cac41a3d5b906663

    Download Submit
  • memory/1464-54-0x0000000000FC0000-0x0000000001072000-memory.dmp
    Filesize

    712KB

    Download
  • memory/1464-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1464-56-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1464-57-0x0000000000930000-0x000000000093C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1464-58-0x0000000000DC0000-0x0000000000DFC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1532-63-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-65-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-64-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-62-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-61-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-66-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-71-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1532-72-0x00000000004F0000-0x0000000000512000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1964-67-0x0000000001F40000-0x00000000020F0000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1964-68-0x0000000001F40000-0x00000000020F0000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1964-69-0x0000000001F40000-0x00000000020F0000-memory.dmp
    Filesize

    1.7MB

    Download