Overview

overview

10

Static

static

invoice.exe

windows7_x64

10

invoice.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    26-01-2022 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice.exe

  • Size

    688KB

  • MD5

    720b1afcfa57b140329465ecbcdec31e

  • SHA1

    be0387473f50e017a13e3a097ac80cca00bd0350

  • SHA256

    c306becc8baa90c1d305a2dd9dfb7649ecbc51f356553da16d4300ac728cea3c

  • SHA512

    134750da6778a2ce634c579cd2b26344d9a164ec026e737f368dad5d5738472fb4afc10e8310e837c7a896dc94b15b7639ed92d5a71594ebe27376e4603475a3

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

exportmunic007.duckdns.org:6606

exportmunic007.duckdns.org:7707

exportmunic007.duckdns.org:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KkFQRCLo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KkFQRCLo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A5C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2840
    • C:\Users\Admin\AppData\Local\Temp\invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5A5C.tmp
    MD5

    fbdebd3ab5bc5d79cfc6604245179df6

    SHA1

    1de3923bc40853a3c090abc3e32badef6af6b1be

    SHA256

    4a3710b5f4c03b69f1a5775c7bdc19a282003cec5fb2199a17ff1b2919f5789a

    SHA512

    748f1390881fb03c95d1c46710b2b8163415550aa28ca9dce4a18676de5a8fc80aedbc305452566d1a9e12e8d1fcfcc624ad081646b865d61cc74efdaa15efa4

    Download Submit
  • memory/436-226-0x00000000068A0000-0x00000000068BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/436-225-0x00000000067A0000-0x00000000067C2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/436-139-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/436-127-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1632-133-0x00000000079E0000-0x0000000007A46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1632-135-0x0000000007320000-0x000000000733C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1632-356-0x00000000095B0000-0x00000000095B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1632-351-0x0000000009660000-0x000000000967A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1632-126-0x00000000046D0000-0x0000000004706000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1632-158-0x0000000006D73000-0x0000000006D74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-129-0x0000000006D72000-0x0000000006D73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-128-0x0000000006D70000-0x0000000006D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-130-0x00000000073B0000-0x00000000079D8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1632-131-0x0000000007110000-0x0000000007132000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1632-132-0x0000000007230000-0x0000000007296000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1632-155-0x00000000095C0000-0x0000000009654000-memory.dmp
    Filesize

    592KB

    Download
  • memory/1632-134-0x0000000007B50000-0x0000000007EA0000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1632-154-0x000000007ECF0000-0x000000007ECF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-136-0x0000000007360000-0x00000000073AB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1632-137-0x00000000081E0000-0x0000000008256000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1632-153-0x00000000091C0000-0x0000000009265000-memory.dmp
    Filesize

    660KB

    Download
  • memory/1632-147-0x0000000009080000-0x00000000090B3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1632-148-0x0000000009060000-0x000000000907E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2780-118-0x0000000004BD0000-0x00000000050CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2780-121-0x0000000000AE0000-0x0000000000B7C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2780-115-0x0000000000200000-0x00000000002B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2780-119-0x0000000004AF0000-0x0000000004AFA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2780-117-0x0000000004B10000-0x0000000004BA2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2780-116-0x00000000050D0000-0x00000000055CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2780-120-0x0000000004DE0000-0x0000000004DEC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2780-122-0x0000000000A40000-0x0000000000A7C000-memory.dmp
    Filesize

    240KB

    Download