Analysis

Max time kernel: 149s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-06-2022 16:30

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: VAMSKIDH_INVOICE.exe
    Resource: win7-20220414-en
General

Target: VAMSKIDH_INVOICE.exe
Size: 200.0MB
MD5: cf46eb85c503955b25cb4b2ab6051357
SHA1: dcfc790d0c190ba754e97d86ee9b9fad6e2ae079
SHA256: a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f
SHA512: 3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2
Malware Config

Extracted
  Family: bitrat
  Version: 1.38
  C2: bitrat9400.duckdns.org:9400
  communication_password: e10adc3949ba59abbe56e057f20f883e (the unsalted MD5 of "123456")
  tor_process: tor
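A small triage helper for the configuration above, added here as an example and not part of the sandbox report. It splits the C2 entry into host and port, flags the dynamic-DNS host, and tests the communication_password field as an unsalted MD5 digest against a constructed list of common passwords (MD5("123456") is e10adc3949ba59abbe56e057f20f883e). The dynamic-DNS suffix list and the wordlist are assumptions for illustration; a real check would use a full wordlist.

```python
"""Triage the BitRAT config extracted in this report (added example)."""
import hashlib
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "bitrat9400.duckdns.org:9400",
    "communication_password": "e10adc3949ba59abbe56e057f20f883e",
    "tor_process": "tor",
}

# Constructed wordlist for the example; use a real list in practice.
WEAK_PASSWORDS = ["password", "123456", "12345678", "qwerty", "bitrat", "admin"]

# Assumed: dynamic-DNS suffixes worth flagging when they appear in a C2 host.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


@dataclass
class C2:
    host: str
    port: int
    dynamic_dns: bool


def parse_c2(value: str) -> C2:
    """Split 'host:port' and flag dynamic-DNS hosts."""
    host, _, port = value.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {value!r}")
    return C2(host=host, port=int(port),
              dynamic_dns=host.lower().endswith(DYNAMIC_DNS_SUFFIXES))


def recover_password(md5_hex: str, candidates=WEAK_PASSWORDS):
    """Return the candidate whose unsalted MD5 equals md5_hex, else None."""
    md5_hex = md5_hex.lower()
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError("communication_password is not a 32-char hex MD5")
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == md5_hex:
            return cand
    return None


def triage(config: dict) -> dict:
    """Structured summary of the fields an analyst acts on first."""
    c2 = parse_c2(config["c2"])
    return {
        "c2_host": c2.host,
        "c2_port": c2.port,
        "c2_dynamic_dns": c2.dynamic_dns,
        "password": recover_password(config["communication_password"]),
    }


if __name__ == "__main__":
    for key, val in triage(CONFIG).items():
        print(f"{key}: {val}")
```

A recovered plaintext is useful beyond curiosity: BitRAT panels and builders reuse this value, so it can be pivoted on across samples from the same operator.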
Signatures

Executes dropped EXE (2 IoCs)
  PID 3104  casr.exe
  PID 3972  casr.exe

YARA rule matches: upx (8 IoCs; the signature heading is missing from the page)
  behavioral2/memory/4164-137-0x0000000000B90000-0x0000000000F74000-memory.dmp  upx
  behavioral2/memory/4164-138-0x0000000000B90000-0x0000000000F74000-memory.dmp  upx
  behavioral2/memory/4636-145-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4636-146-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4636-147-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4636-148-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4636-149-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4636-153-0x0000000000400000-0x00000000007E4000-memory.dmp  upx

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 4636  RegAsm.exe  (4 calls)

Suspicious use of SetThreadContext (2 IoCs)
  PID 3816  VAMSKIDH_INVOICE.exe  set thread context of  PID 4164  RegAsm.exe
  PID 3104  casr.exe              set thread context of  PID 4636  RegAsm.exe

Program crash (1 IoC)
  PID 4732  WerFault.exe  for target  PID 4164  RegAsm.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 4636  RegAsm.exe  Token: SeShutdownPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4636  RegAsm.exe  (2 calls)

Suspicious use of WriteProcessMemory (32 IoCs)
  source PID  source process        target PID  target process   count
  3816        VAMSKIDH_INVOICE.exe  1672        cmd.exe          3
  1672        cmd.exe               632         schtasks.exe     3
  3816        VAMSKIDH_INVOICE.exe  4072        cmd.exe          3
  3816        VAMSKIDH_INVOICE.exe  4164        RegAsm.exe       7
  3104        casr.exe              988         cmd.exe          3
  988         cmd.exe               368         schtasks.exe     3
  3104        casr.exe              3724        cmd.exe          3
  3104        casr.exe              4636        RegAsm.exe       7
Processes
(PIDs taken from the Signatures section; indentation shows the parent/child depth)

C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe  (PID 3816)
    "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1672)
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  (PID 632)
            schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
            - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe  (PID 4072)
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4164)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

        C:\Windows\SysWOW64\WerFault.exe  (PID 4732)
            C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 540
            - Program crash

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4164 -ip 4164

C:\Users\Admin\AppData\Roaming\casr.exe  (PID 3104)
    C:\Users\Admin\AppData\Roaming\casr.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 988)
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  (PID 368)
            schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
            - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe  (PID 3724)
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4636)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\casr.exe  (PID 3972)
    C:\Users\Admin\AppData\Roaming\casr.exe
    - Executes dropped EXE
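The process tree shows three behaviours that are cheap to detect from process-creation telemetry: a scheduled task firing every minute that points into a user-writable directory, the sample copying itself into AppData\Roaming, and RegAsm.exe being started with no arguments by a process outside Windows or Program Files (the host it is hollowed into). The rules below are an added example, not detection content from the sandbox vendor. The events are a constructed, Sysmon-style list built from the command lines in the tree; the parent of PID 3816, the final benign control event, the user-writable and trusted-parent path patterns, and the extra .NET framework binaries in HOLLOW_TARGETS are assumptions.

```python
"""Process-creation detection rules for the chain shown in this report (added example)."""
import re
from dataclasses import dataclass
from ntpath import basename

# Assumed path classes; tune to the estate being monitored.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
TRUSTED_PARENT = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
# RegAsm.exe is the target on this page; the other names are assumed
# additions, .NET framework binaries commonly abused the same way.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

# Constructed Sysmon-style events built from the process tree above.
# The parent of PID 3816 and the last (benign) event are assumptions.
EVENTS = [
    {"ProcessId": 3816, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe"'},
    {"ProcessId": 1672, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'''"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f'''},
    {"ProcessId": 632, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'''schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f'''},
    {"ProcessId": 4072, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"'},
    {"ProcessId": 4164, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    # Benign control (constructed): RegAsm registering an assembly for an installer.
    {"ProcessId": 9001, "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\ExampleVendor\Example.dll"'},
]


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def _unquote(s: str) -> str:
    return s.strip().strip('"')


def rule_schtasks(ev):
    """schtasks /create with a tight minute interval or a user-writable /tr target."""
    if basename(ev["Image"]).lower() != "schtasks.exe":
        return None
    cl = ev["CommandLine"]
    if not re.search(r"/create\b", cl, re.I):
        return None
    sc = re.search(r"/sc\s+(\w+)", cl, re.I)
    mo = re.search(r"/mo\s+(\d+)", cl, re.I)
    tr = re.search(r"""/tr\s+["']*([^"']+)""", cl, re.I)
    target = tr.group(1).strip() if tr else ""
    tight = bool(sc and sc.group(1).lower() == "minute" and mo and int(mo.group(1)) <= 5)
    if tight or USER_WRITABLE.search(target):
        return Finding(ev["ProcessId"], "schtasks_persistence",
                       f"/sc {sc.group(1) if sc else '?'} /mo {mo.group(1) if mo else '?'} -> {target}")
    return None


def rule_hollow_target(ev):
    """A known hollowing host started with no arguments by an untrusted parent."""
    if basename(ev["Image"]).lower() not in HOLLOW_TARGETS:
        return None
    no_args = _unquote(ev["CommandLine"]).lower() == ev["Image"].lower()
    if no_args and not TRUSTED_PARENT.match(ev["ParentImage"]):
        return Finding(ev["ProcessId"], "lolbin_no_args_untrusted_parent",
                       f"{basename(ev['Image'])} spawned by {ev['ParentImage']}")
    return None


def rule_self_copy(ev):
    """cmd /C copy whose source is the parent's own image and whose target is user-writable."""
    if basename(ev["Image"]).lower() != "cmd.exe":
        return None
    m = re.search(r'/c\s+copy\s+"([^"]+)"\s+"([^"]+)"', ev["CommandLine"], re.I)
    if not m:
        return None
    src, dst = m.groups()
    if src.lower() == ev["ParentImage"].lower() and USER_WRITABLE.search(dst):
        return Finding(ev["ProcessId"], "self_copy_to_user_writable", f"{src} -> {dst}")
    return None


RULES = (rule_schtasks, rule_hollow_target, rule_self_copy)


def run_rules(events):
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<32} {f.detail}")
```

The schtasks rule fires on the schtasks.exe event rather than the cmd.exe wrapper so that each task creation is counted once; the same command line is visible on both. The benign control event shows why the hollowing rule keys on an empty command line: a legitimate RegAsm invocation carries the assembly it is registering.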
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\casr.exe.log
  Filesize: 520B
  MD5: 41c37de2b4598f7759f865817dba5f80
  SHA1: 884ccf344bc2dd409425dc5ace0fd909a5f8cce4
  SHA256: 427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc
  SHA512: a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

C:\Users\Admin\AppData\Roaming\casr.exe  (listed twice on the page with identical hashes; same hashes as the submitted sample)
  Filesize: 200.0MB
  MD5: cf46eb85c503955b25cb4b2ab6051357
  SHA1: dcfc790d0c190ba754e97d86ee9b9fad6e2ae079
  SHA256: a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f
  SHA512: 3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

C:\Users\Admin\AppData\Roaming\casr.exe  (smaller than the 200.0MB source with a different hash, consistent with a copy captured before it completed)
  Filesize: 192.1MB
  MD5: 260b7e1596877200b1eb97fe86d42a75
  SHA1: 74835cda5557cc2a65b800b30171bb72f7c5e2e8
  SHA256: cb5dc7ae29c04800888f1c9349eed8752d515cd8efcc952bef586adb4a03255c
  SHA512: 56fad01b3df917ff15e58f7d9d02b1d5033a60899d949fcc92f32d9db65de8634d5511f123c14c20cc44856888c1476ac1a13173d948204d8715616b49d239e5

Memory dumps

dump file                                                           region                                      size
memory/368-142-0x0000000000000000-mapping.dmp                       (mapping)                                   -
memory/632-132-0x0000000000000000-mapping.dmp                       (mapping)                                   -
memory/988-141-0x0000000000000000-mapping.dmp                       (mapping)                                   -
memory/1672-131-0x0000000000000000-mapping.dmp                      (mapping)                                   -
memory/3724-143-0x0000000000000000-mapping.dmp                      (mapping)                                   -
memory/3816-133-0x0000000006030000-0x00000000065D4000-memory.dmp    0x0000000006030000-0x00000000065D4000       5.6MB
memory/3816-130-0x0000000000A40000-0x0000000000BD4000-memory.dmp    0x0000000000A40000-0x0000000000BD4000       1.6MB
memory/4072-134-0x0000000000000000-mapping.dmp                      (mapping)                                   -
memory/4164-137-0x0000000000B90000-0x0000000000F74000-memory.dmp    0x0000000000B90000-0x0000000000F74000       3.9MB
memory/4164-138-0x0000000000B90000-0x0000000000F74000-memory.dmp    0x0000000000B90000-0x0000000000F74000       3.9MB
memory/4164-135-0x0000000000000000-mapping.dmp                      (mapping)                                   -
memory/4636-151-0x0000000074E00000-0x0000000074E39000-memory.dmp    0x0000000074E00000-0x0000000074E39000       228KB
memory/4636-147-0x0000000000400000-0x00000000007E4000-memory.dmp    0x0000000000400000-0x00000000007E4000       3.9MB
memory/4636-148-0x0000000000400000-0x00000000007E4000-memory.dmp    0x0000000000400000-0x00000000007E4000       3.9MB
memory/4636-149-0x0000000000400000-0x00000000007E4000-memory.dmp    0x0000000000400000-0x00000000007E4000       3.9MB
memory/4636-144-0x0000000000000000-mapping.dmp                      (mapping)                                   -
memory/4636-150-0x0000000074A60000-0x0000000074A99000-memory.dmp    0x0000000074A60000-0x0000000074A99000       228KB
memory/4636-152-0x0000000074E00000-0x0000000074E39000-memory.dmp    0x0000000074E00000-0x0000000074E39000       228KB
memory/4636-153-0x0000000000400000-0x00000000007E4000-memory.dmp    0x0000000000400000-0x00000000007E4000       3.9MB
memory/4636-154-0x0000000074E00000-0x0000000074E39000-memory.dmp    0x0000000074E00000-0x0000000074E39000       228KB
memory/4636-146-0x0000000000400000-0x00000000007E4000-memory.dmp    0x0000000000400000-0x00000000007E4000       3.9MB
memory/4636-145-0x0000000000400000-0x00000000007E4000-memory.dmp    0x0000000000400000-0x00000000007E4000       3.9MB
memory/4636-157-0x0000000074B20000-0x0000000074B59000-memory.dmp    0x0000000074B20000-0x0000000074B59000       228KB
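The dump list is easier to reason about once it is grouped by process and region size: the 3.9MB region in the first RegAsm.exe host (PID 4164, which crashed) and the 3.9MB region in the second host (PID 4636) have exactly the same byte length, 0x3E4000, at different bases, and they are the only dumps the upx rule fired on. The parser below is an added example, not tooling from the sandbox; DUMP_NAMES and UPX_HITS are copied from this page, and the reading of the "<pid>-<seq>-<start>-<end>-memory.dmp" naming scheme is an assumption inferred from the names themselves.

```python
"""Group the memory dumps listed in this report by process and region size (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Copied from the Downloads list on this page.
DUMP_NAMES = [
    "memory/368-142-0x0000000000000000-mapping.dmp",
    "memory/632-132-0x0000000000000000-mapping.dmp",
    "memory/988-141-0x0000000000000000-mapping.dmp",
    "memory/1672-131-0x0000000000000000-mapping.dmp",
    "memory/3724-143-0x0000000000000000-mapping.dmp",
    "memory/3816-133-0x0000000006030000-0x00000000065D4000-memory.dmp",
    "memory/3816-130-0x0000000000A40000-0x0000000000BD4000-memory.dmp",
    "memory/4072-134-0x0000000000000000-mapping.dmp",
    "memory/4164-137-0x0000000000B90000-0x0000000000F74000-memory.dmp",
    "memory/4164-138-0x0000000000B90000-0x0000000000F74000-memory.dmp",
    "memory/4164-135-0x0000000000000000-mapping.dmp",
    "memory/4636-151-0x0000000074E00000-0x0000000074E39000-memory.dmp",
    "memory/4636-147-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/4636-148-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/4636-149-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/4636-144-0x0000000000000000-mapping.dmp",
    "memory/4636-150-0x0000000074A60000-0x0000000074A99000-memory.dmp",
    "memory/4636-152-0x0000000074E00000-0x0000000074E39000-memory.dmp",
    "memory/4636-153-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/4636-154-0x0000000074E00000-0x0000000074E39000-memory.dmp",
    "memory/4636-146-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/4636-145-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/4636-157-0x0000000074B20000-0x0000000074B59000-memory.dmp",
]

# Copied from the "upx" YARA hits in the Signatures section.
UPX_HITS = [
    "behavioral2/memory/4164-137-0x0000000000B90000-0x0000000000F74000-memory.dmp",
    "behavioral2/memory/4164-138-0x0000000000B90000-0x0000000000F74000-memory.dmp",
    "behavioral2/memory/4636-145-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "behavioral2/memory/4636-146-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "behavioral2/memory/4636-147-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "behavioral2/memory/4636-148-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "behavioral2/memory/4636-149-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "behavioral2/memory/4636-153-0x0000000000400000-0x00000000007E4000-memory.dmp",
]

# Assumed naming: memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
NAME_RE = re.compile(
    r"(?:.*/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)"
    r"(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for the zero-address "mapping" stubs
    kind: str

    @property
    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return Region(int(pid), int(seq), int(start, 16),
                  int(end, 16) if end else None, kind)


def shared_region_sizes(regions):
    """Map region size -> PIDs holding a region of exactly that size (two or more PIDs)."""
    by_size = defaultdict(set)
    for r in regions:
        if r.kind == "memory":
            by_size[r.size].add(r.pid)
    return {size: pids for size, pids in by_size.items() if len(pids) >= 2}


def mapping_only_pids(regions):
    """PIDs for which the sandbox captured only a mapping stub and no memory region."""
    kinds = defaultdict(set)
    for r in regions:
        kinds[r.pid].add(r.kind)
    return {pid for pid, k in kinds.items() if k == {"mapping"}}


def upx_hit_regions(hit_names):
    """Distinct (pid, start, end) regions the upx rule fired on."""
    return {(r.pid, r.start, r.end) for r in map(parse_dump_name, hit_names)}


def human(n: int) -> str:
    return f"{n / 1024:.0f}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"


if __name__ == "__main__":
    regions = [parse_dump_name(n) for n in DUMP_NAMES]
    for size, pids in sorted(shared_region_sizes(regions).items()):
        print(f"{human(size):>7} (0x{size:X}) present in PIDs {sorted(pids)}")
    print("mapping-only PIDs:", sorted(mapping_only_pids(regions)))
    for pid, start, end in sorted(upx_hit_regions(UPX_HITS)):
        print(f"upx hit: PID {pid} 0x{start:08X}-0x{end:08X} ({human(end - start)})")
```

The same-size check is a quick way to confirm that the two RegAsm.exe instances received the same payload before comparing the dumps byte for byte; the 228KB regions that appear only in PID 4636 are separate, and the mapping-only PIDs are the cmd.exe and schtasks.exe helpers, for which nothing beyond a mapping stub was captured.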