Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-02-2022 11:04

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_PAYMENT.exe
Resource: win7-en-20211208
General
- Target: INVOICE_PAYMENT.exe
- Size: 825KB
- MD5: d05c3e50c2fe19f0c73104fcdcc69b10
- SHA1: 76d9509cfc31cc5dccf2dab9566a9145be2554bd
- SHA256: 71279240d14f290a3b81f4a9a660c5cdb37d52c7c65c60f1fa035d5b05745537
- SHA512: 7434d374919b6ad96cead1ae18d982bab0293be08dfd1eb6b37d5e1b3788424e14ccd0b0400fa1da5f8675453fdd2baadc7e5b560bf8a015ace75c59d6110516
Malware Config
Extracted
asyncrat
0.5.6D
NEWYEAR
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
79.134.225.34:6606
79.134.225.34:7707
79.134.225.34:8808
yvlmeiqesk
- anti_vm: false
- bsod: false
- delay: 10
- install: false
- install_folder: %AppData%
- pastebin_config: null
Signatures
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Processes:
  resource: behavioral1/memory/1724-57-0x0000000000380000-0x0000000000398000-memory.dmp | yara_rule: net_reactor
- Async RAT payload (4 IoCs)
  Processes:
  resource: behavioral1/memory/684-62-0x0000000000400000-0x0000000000412000-memory.dmp | yara_rule: asyncrat
  resource: behavioral1/memory/684-64-0x0000000000400000-0x0000000000412000-memory.dmp | yara_rule: asyncrat
  resource: behavioral1/memory/684-63-0x0000000000400000-0x0000000000412000-memory.dmp | yara_rule: asyncrat
  resource: behavioral1/memory/684-65-0x0000000000400000-0x0000000000412000-memory.dmp | yara_rule: asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  Processes (columns: description | pid | process | target process):
  PID 1724 set thread context of 684 | 1724 | INVOICE_PAYMENT.exe | INVOICE_PAYMENT.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (columns: description | pid | process | target process; 9 identical entries):
  PID 1724 wrote to memory of 684 | 1724 | INVOICE_PAYMENT.exe | INVOICE_PAYMENT.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
    Depth: 2
Network
MITRE ATT&CK Matrix
Downloads
- memory/684-64-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/684-63-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/684-68-0x0000000004F50000-0x0000000004F51000-memory.dmp (Filesize: 4KB)
- memory/684-67-0x0000000076491000-0x0000000076493000-memory.dmp (Filesize: 8KB)
- memory/684-66-0x0000000074E4E000-0x0000000074E4F000-memory.dmp (Filesize: 4KB)
- memory/684-65-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/684-61-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/684-62-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/684-60-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1724-54-0x0000000000CF0000-0x0000000000DC4000-memory.dmp (Filesize: 848KB)
- memory/1724-55-0x0000000074E4E000-0x0000000074E4F000-memory.dmp (Filesize: 4KB)
- memory/1724-59-0x0000000000580000-0x0000000000594000-memory.dmp (Filesize: 80KB)
- memory/1724-58-0x0000000000B50000-0x0000000000B88000-memory.dmp (Filesize: 224KB)
- memory/1724-57-0x0000000000380000-0x0000000000398000-memory.dmp (Filesize: 96KB)
- memory/1724-56-0x00000000071C0000-0x00000000071C1000-memory.dmp (Filesize: 4KB)