Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-06-2022 16:30

Static task: static1
Behavioral task: behavioral1
Sample: VAMSKIDH_INVOICE.exe
Resource: win7-20220414-en
General
- Target: VAMSKIDH_INVOICE.exe
- Size: 200.0MB
- MD5: cf46eb85c503955b25cb4b2ab6051357
- SHA1: dcfc790d0c190ba754e97d86ee9b9fad6e2ae079
- SHA256: a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f
- SHA512: 3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2
Malware Config
Extracted
- family: bitrat
- version: 1.38
- C2: bitrat9400.duckdns.org:9400
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1000 casr.exe
    640 casr.exe

- Resources matching yara_rule upx:
    behavioral1/memory/936-61-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-63-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-67-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-66-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-64-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-70-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-71-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-72-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/936-73-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/960-94-0x0000000000400000-0x00000000007E4000-memory.dmp
    behavioral1/memory/960-95-0x0000000000400000-0x00000000007E4000-memory.dmp

- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid, process):
    936 RegAsm.exe
    936 RegAsm.exe
    936 RegAsm.exe
    936 RegAsm.exe
    960 RegAsm.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1452 set thread context of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1000 set thread context of 960: 1000 casr.exe -> RegAsm.exe

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Local:21-06-2022 (RegAsm.exe)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 936 RegAsm.exe
    Token: SeShutdownPrivilege 936 RegAsm.exe
    Token: SeDebugPrivilege 960 RegAsm.exe
    Token: SeShutdownPrivilege 960 RegAsm.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    936 RegAsm.exe
    936 RegAsm.exe

- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (description, pid, process, target process):
    PID 1452 wrote to memory of 1636: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 1636: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 1636: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 1636: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1636 wrote to memory of 740: 1636 cmd.exe -> schtasks.exe
    PID 1636 wrote to memory of 740: 1636 cmd.exe -> schtasks.exe
    PID 1636 wrote to memory of 740: 1636 cmd.exe -> schtasks.exe
    PID 1636 wrote to memory of 740: 1636 cmd.exe -> schtasks.exe
    PID 1452 wrote to memory of 940: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 940: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 940: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 940: 1452 VAMSKIDH_INVOICE.exe -> cmd.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 1452 wrote to memory of 936: 1452 VAMSKIDH_INVOICE.exe -> RegAsm.exe
    PID 852 wrote to memory of 1000: 852 taskeng.exe -> casr.exe
    PID 852 wrote to memory of 1000: 852 taskeng.exe -> casr.exe
    PID 852 wrote to memory of 1000: 852 taskeng.exe -> casr.exe
    PID 852 wrote to memory of 1000: 852 taskeng.exe -> casr.exe
    PID 1000 wrote to memory of 1760: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 1760: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 1760: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 1760: 1000 casr.exe -> cmd.exe
    PID 1760 wrote to memory of 848: 1760 cmd.exe -> schtasks.exe
    PID 1760 wrote to memory of 848: 1760 cmd.exe -> schtasks.exe
    PID 1760 wrote to memory of 848: 1760 cmd.exe -> schtasks.exe
    PID 1760 wrote to memory of 848: 1760 cmd.exe -> schtasks.exe
    PID 1000 wrote to memory of 1368: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 1368: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 1368: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 1368: 1000 casr.exe -> cmd.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 1000 wrote to memory of 960: 1000 casr.exe -> RegAsm.exe
    PID 852 wrote to memory of 640: 852 taskeng.exe -> casr.exe
    PID 852 wrote to memory of 640: 852 taskeng.exe -> casr.exe
    PID 852 wrote to memory of 640: 852 taskeng.exe -> casr.exe
    PID 852 wrote to memory of 640: 852 taskeng.exe -> casr.exe
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, then its command line, then the signatures it triggered):

C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe
  "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
          - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskeng.exe
  taskeng.exe {2179B07D-C19B-47CC-B64B-9FAF373AB4FA} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\casr.exe
      C:\Users\Admin\AppData\Roaming\casr.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\casr.exe
      C:\Users\Admin\AppData\Roaming\casr.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\casr.exe
  Filesize: 200.0MB
  MD5: cf46eb85c503955b25cb4b2ab6051357
  SHA1: dcfc790d0c190ba754e97d86ee9b9fad6e2ae079
  SHA256: a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f
  SHA512: 3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2