Analysis
- max time kernel: 48s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2022 22:51
Behavioral task: behavioral1
- Sample: invoice.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: invoice.exe
- Resource: win10v2004-20220812-en
General
- Target: invoice.exe
- Size: 48KB
- MD5: 8396e6f6cd0b1745d38e136ada381831
- SHA1: 640ab13f6791b51718f484c6bb2fc637f4b51fdf
- SHA256: 11a11d95827f52fc174de321bdd183ee2e8cfbfc4019a3650d95ccbf1719e54f
- SHA512: 111e548cc8949bd11191df92c82297a684d9231dacfbf0ea5c8de4768749ddfb2241c8879aea613c3ae30327dcb0272fc2d8bca04b102c6a2c526fd6e70f12e0
- SSDEEP: 768:/dhivTBBPTc0g9A7W06aa9MAefRmGPUkbMZy7tuhzA6qPJiHh9KvtnMW+:lhiA9EF6alE07bM47tuhc6atnMW+
Malware Config
Extracted: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 54.84.208.91:52643
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
Extracted: redline
- Botnet: HEXO-SOFTWARE
- C2: amrican-sport-live-stream.cc:4581
- Attributes:
  - auth_value: fea440ffae02b6f56d7b00fe8105ccb8
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (7 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/848-73-0x0000000000400000-0x0000000000460000-memory.dmp   family_redline
  behavioral1/memory/848-74-0x0000000000400000-0x0000000000460000-memory.dmp   family_redline
  behavioral1/memory/848-76-0x0000000000400000-0x0000000000460000-memory.dmp   family_redline
  behavioral1/memory/848-78-0x000000000045AC7E-mapping.dmp                     family_redline
  behavioral1/memory/848-82-0x0000000000400000-0x0000000000460000-memory.dmp   family_redline
  behavioral1/memory/1220-87-0x000000000045AC7E-mapping.dmp                    family_redline
  behavioral1/memory/848-86-0x0000000000400000-0x0000000000460000-memory.dmp   family_redline
- Async RAT payload (1 IoC)
  resource                                                                     yara_rule
  behavioral1/memory/1060-54-0x0000000000D40000-0x0000000000D52000-memory.dmp  asyncrat
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid   process
  1936  CheckSystemT.exe
  1240  CheckMemoryB.exe
- Loads dropped DLL (2 IoCs)
  pid   process
  1060  invoice.exe
  1060  invoice.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process           target process
  PID 1936 set thread context of 848   1936  CheckSystemT.exe  RegAsm.exe
  PID 1240 set thread context of 1220  1240  CheckMemoryB.exe  RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process
  1240  CheckMemoryB.exe
  1240  CheckMemoryB.exe
  1240  CheckMemoryB.exe
  1240  CheckMemoryB.exe
  848   RegAsm.exe
  1220  RegAsm.exe
  1220  RegAsm.exe
  848   RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1060  invoice.exe
  Token: SeDebugPrivilege  1936  CheckSystemT.exe
  Token: SeDebugPrivilege  1240  CheckMemoryB.exe
  Token: SeDebugPrivilege  1060  invoice.exe
  Token: SeDebugPrivilege  848   RegAsm.exe
  Token: SeDebugPrivilege  1220  RegAsm.exe
- Suspicious use of WriteProcessMemory (46 IoCs; consecutive identical entries grouped, count column gives entries per group)
  description                        pid   process           target process    count
  PID 1060 wrote to memory of 1936   1060  invoice.exe       CheckSystemT.exe  4
  PID 1060 wrote to memory of 1240   1060  invoice.exe       CheckMemoryB.exe  4
  PID 1240 wrote to memory of 980    1240  CheckMemoryB.exe  RegAsm.exe        3
  PID 1936 wrote to memory of 848    1936  CheckSystemT.exe  RegAsm.exe        7
  PID 1240 wrote to memory of 980    1240  CheckMemoryB.exe  RegAsm.exe        4
  PID 1936 wrote to memory of 848    1936  CheckSystemT.exe  RegAsm.exe        2
  PID 1240 wrote to memory of 1412   1240  CheckMemoryB.exe  RegAsm.exe        7
  PID 1240 wrote to memory of 1220   1240  CheckMemoryB.exe  RegAsm.exe        7
  PID 1936 wrote to memory of 848    1936  CheckSystemT.exe  RegAsm.exe        3
  PID 1240 wrote to memory of 1220   1240  CheckMemoryB.exe  RegAsm.exe        5
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\invoice.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
  signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\CheckSystemT.exe
    command line: "C:\Users\Admin\AppData\Roaming\CheckSystemT.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe
    command line: "C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      signatures: none
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      signatures: none
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe
  Filesize: 1.8MB
  MD5: 43f735e99626467bcec0895ddc51ee14
  SHA1: cfbd389da2a60e4e39b8ce3bb56ca57506985465
  SHA256: 79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b
  SHA512: 467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4
- C:\Users\Admin\AppData\Roaming\CheckSystemT.exe
  Filesize: 1.8MB
  MD5: 43f735e99626467bcec0895ddc51ee14
  SHA1: cfbd389da2a60e4e39b8ce3bb56ca57506985465
  SHA256: 79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b
  SHA512: 467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4
- \Users\Admin\AppData\Roaming\CheckMemoryB.exe
  Filesize: 1.8MB
  MD5: 43f735e99626467bcec0895ddc51ee14
  SHA1: cfbd389da2a60e4e39b8ce3bb56ca57506985465
  SHA256: 79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b
  SHA512: 467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4
- \Users\Admin\AppData\Roaming\CheckSystemT.exe
  Filesize: 1.8MB
  MD5: 43f735e99626467bcec0895ddc51ee14
  SHA1: cfbd389da2a60e4e39b8ce3bb56ca57506985465
  SHA256: 79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b
  SHA512: 467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4
Memory dumps
- memory/848-94-0x0000000000330000-0x0000000000336000-memory.dmp (Filesize: 24KB)
- memory/848-86-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/848-73-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/848-71-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/848-82-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/848-74-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/848-76-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/848-78-0x000000000045AC7E-mapping.dmp
- memory/848-70-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize: 384KB)
- memory/1060-54-0x0000000000D40000-0x0000000000D52000-memory.dmp (Filesize: 72KB)
- memory/1060-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp (Filesize: 8KB)
- memory/1220-87-0x000000000045AC7E-mapping.dmp
- memory/1240-66-0x0000000000CB0000-0x0000000000E80000-memory.dmp (Filesize: 1.8MB)
- memory/1240-62-0x0000000000000000-mapping.dmp
- memory/1936-69-0x0000000004520000-0x00000000045B2000-memory.dmp (Filesize: 584KB)
- memory/1936-63-0x0000000002300000-0x00000000023C6000-memory.dmp (Filesize: 792KB)
- memory/1936-60-0x00000000002B0000-0x0000000000480000-memory.dmp (Filesize: 1.8MB)
- memory/1936-57-0x0000000000000000-mapping.dmp