Analysis
- max time kernel: 91s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-09-2022 22:51
Behavioral tasks
- behavioral1: sample invoice.exe, resource win7-20220901-en
- behavioral2: sample invoice.exe, resource win10v2004-20220812-en
General
- Target: invoice.exe
- Size: 48KB
- MD5: 8396e6f6cd0b1745d38e136ada381831
- SHA1: 640ab13f6791b51718f484c6bb2fc637f4b51fdf
- SHA256: 11a11d95827f52fc174de321bdd183ee2e8cfbfc4019a3650d95ccbf1719e54f
- SHA512: 111e548cc8949bd11191df92c82297a684d9231dacfbf0ea5c8de4768749ddfb2241c8879aea613c3ae30327dcb0272fc2d8bca04b102c6a2c526fd6e70f12e0
- SSDEEP: 768:/dhivTBBPTc0g9A7W06aa9MAefRmGPUkbMZy7tuhzA6qPJiHh9KvtnMW+:lhiA9EF6alE07bM47tuhc6atnMW+
Malware Config
Extracted: asyncrat
- 0.5.7B
- Default
- 54.84.208.91:52643
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Extracted: redline
- HEXO-SOFTWARE
- amrican-sport-live-stream.cc:4581
- auth_value: fea440ffae02b6f56d7b00fe8105ccb8
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/2096-146-0x0000000000400000-0x0000000000460000-memory.dmp, yara_rule: family_redline
- Async RAT payload (1 IoC)
  resource: behavioral2/memory/1496-132-0x0000000000F90000-0x0000000000FA2000-memory.dmp, yara_rule: asyncrat
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 4428 CheckSystemT.exe
  pid 2536 CheckMemoryB.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  process invoice.exe: key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (2 IoCs)
  pid 4428 CheckSystemT.exe set thread context of pid 2096 RegAsm.exe
  pid 2536 CheckMemoryB.exe set thread context of pid 4680 RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2536 CheckMemoryB.exe (4 events)
  pid 2096 RegAsm.exe (2 events)
  pid 4680 RegAsm.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token SeDebugPrivilege: pid 1496 invoice.exe (2 events), pid 2536 CheckMemoryB.exe, pid 4428 CheckSystemT.exe, pid 2096 RegAsm.exe, pid 4680 RegAsm.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  pid 1496 invoice.exe wrote to memory of pid 4428 CheckSystemT.exe (3 events)
  pid 1496 invoice.exe wrote to memory of pid 2536 CheckMemoryB.exe (3 events)
  pid 4428 CheckSystemT.exe wrote to memory of pid 2096 RegAsm.exe (8 events)
  pid 2536 CheckMemoryB.exe wrote to memory of pid 3636 RegAsm.exe (3 events)
  pid 2536 CheckMemoryB.exe wrote to memory of pid 4104 RegAsm.exe (3 events)
  pid 2536 CheckMemoryB.exe wrote to memory of pid 4680 RegAsm.exe (8 events)
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\invoice.exe (command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe")
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\CheckSystemT.exe (command line: "C:\Users\Admin\AppData\Roaming\CheckSystemT.exe")
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe (command line: "C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe")
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
  Filesize: 2KB
  MD5: 00ed77f0198ef7fb2943623375e62be5
  SHA1: d3b8ba7ab5189e20776fd8c5c5807a64899e19cd
  SHA256: 0b98d99267b9343be223f17fbcedc608f803a7193ee7fe3b662902e96a7c65e5
  SHA512: eddf083b0173f8109d633c8c5d4b557da24621d160a80a144bac1db375f5ae656444bc608ac5379aa1573d3555cfed7f0834f9c8ede3a059948d672f0ad9c1b8
- C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe (listed twice in the report with identical values)
  Filesize: 1.8MB
  MD5: 43f735e99626467bcec0895ddc51ee14
  SHA1: cfbd389da2a60e4e39b8ce3bb56ca57506985465
  SHA256: 79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b
  SHA512: 467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4
- C:\Users\Admin\AppData\Roaming\CheckSystemT.exe (listed twice in the report with identical values)
  Filesize: 1.8MB
  MD5, SHA1, SHA256 and SHA512 identical to CheckMemoryB.exe above: the two dropped executables are the same binary under two names.