Overview

overview

10

Static

static

10

invoice.exe

windows7-x64

10

invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice.exe

  • Size

    48KB

  • MD5

    8396e6f6cd0b1745d38e136ada381831

  • SHA1

    640ab13f6791b51718f484c6bb2fc637f4b51fdf

  • SHA256

    11a11d95827f52fc174de321bdd183ee2e8cfbfc4019a3650d95ccbf1719e54f

  • SHA512

    111e548cc8949bd11191df92c82297a684d9231dacfbf0ea5c8de4768749ddfb2241c8879aea613c3ae30327dcb0272fc2d8bca04b102c6a2c526fd6e70f12e0

  • SSDEEP

    768:/dhivTBBPTc0g9A7W06aa9MAefRmGPUkbMZy7tuhzA6qPJiHh9KvtnMW+:lhiA9EF6alE07bM47tuhc6atnMW+

Score
10/10
asyncratredlinedefaulthexo-softwarediscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

54.84.208.91:52643

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

HEXO-SOFTWARE

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    fea440ffae02b6f56d7b00fe8105ccb8

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Roaming\CheckSystemT.exe
      "C:\Users\Admin\AppData\Roaming\CheckSystemT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
    • C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe
      "C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
          PID:3636
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          3⤵
            PID:4104
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4680

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
        Filesize

        2KB

        MD5

        00ed77f0198ef7fb2943623375e62be5

        SHA1

        d3b8ba7ab5189e20776fd8c5c5807a64899e19cd

        SHA256

        0b98d99267b9343be223f17fbcedc608f803a7193ee7fe3b662902e96a7c65e5

        SHA512

        eddf083b0173f8109d633c8c5d4b557da24621d160a80a144bac1db375f5ae656444bc608ac5379aa1573d3555cfed7f0834f9c8ede3a059948d672f0ad9c1b8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe
        Filesize

        1.8MB

        MD5

        43f735e99626467bcec0895ddc51ee14

        SHA1

        cfbd389da2a60e4e39b8ce3bb56ca57506985465

        SHA256

        79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b

        SHA512

        467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\CheckMemoryB.exe
        Filesize

        1.8MB

        MD5

        43f735e99626467bcec0895ddc51ee14

        SHA1

        cfbd389da2a60e4e39b8ce3bb56ca57506985465

        SHA256

        79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b

        SHA512

        467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\CheckSystemT.exe
        Filesize

        1.8MB

        MD5

        43f735e99626467bcec0895ddc51ee14

        SHA1

        cfbd389da2a60e4e39b8ce3bb56ca57506985465

        SHA256

        79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b

        SHA512

        467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\CheckSystemT.exe
        Filesize

        1.8MB

        MD5

        43f735e99626467bcec0895ddc51ee14

        SHA1

        cfbd389da2a60e4e39b8ce3bb56ca57506985465

        SHA256

        79208f5bcd29a83d75bb073d3f48a483cd51dbd53e9cee5472ab4947a1ede05b

        SHA512

        467f650679e5170b2387fdf16087b3d114d2ec980b194d2e3ab233ce53497a57356fff195a8d222c946070b6e5d929b88fa33f776a5158343cf1fa259c73ddf4

        Download Submit
      • memory/1496-154-0x0000000006980000-0x0000000006A1C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1496-132-0x0000000000F90000-0x0000000000FA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2096-146-0x0000000000400000-0x0000000000460000-memory.dmp
        Filesize

        384KB

        Download
      • memory/2096-144-0x0000000000000000-mapping.dmp
        Download
      • memory/2096-157-0x0000000006F40000-0x0000000006FB6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2096-156-0x0000000008860000-0x0000000008D8C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2096-152-0x00000000050F0000-0x0000000005102000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2096-151-0x00000000051C0000-0x00000000052CA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2536-137-0x0000000000000000-mapping.dmp
        Download
      • memory/2536-142-0x000000003FC10000-0x000000003FCA2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2536-140-0x0000000005A10000-0x0000000005A32000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2536-141-0x000000003F760000-0x000000003F7C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3636-145-0x0000000000000000-mapping.dmp
        Download
      • memory/4104-147-0x0000000000000000-mapping.dmp
        Download
      • memory/4428-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4428-143-0x000000003F160000-0x000000003F704000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4428-136-0x0000000000C80000-0x0000000000E50000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4680-150-0x0000000005F40000-0x0000000006558000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4680-155-0x0000000007470000-0x0000000007632000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4680-153-0x0000000005A20000-0x0000000005A5C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/4680-158-0x0000000006E60000-0x0000000006EB0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/4680-148-0x0000000000000000-mapping.dmp
        Download