Analysis

  • max time kernel
    142s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-10-2023 01:47

General

  • Target

    PROFORMA INVOICE.exe

  • Size

    169KB

  • MD5

    ea3090debf7241bf0c754c6e30c4a46c

  • SHA1

    f238fbb8bfe0e8c417e9b7ba8e192cd9948c88d2

  • SHA256

    0f757aaa17a6d470967a7e011d6016985dafeaaf409d72a008f970e827894065

  • SHA512

    4f50447ae754e839d9ea8b013ee0a5fe51ce3996e1745c18fe87c70fad3bdab3d2cdf38e4e77d057671d8c470523c329758ee09cc3e55af9c2a1560d9ffd9a74

  • SSDEEP

    3072:hR+GZNq7KCQBvB4jvA6gMqEqF2A0K0jyzWiPAwHsrUYMP4qY:h3e+fvBMI6gTTF2A07jy+wMoYJq

Score
10/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

79.134.225.113:9346

Mutex

KωUORNيקzXשuZ伊Ufo开MΖ

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
    "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2852

Network

MITRE ATT&CK Enterprise v15


Downloads


  • memory/1200-7-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/1200-5-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/1200-9-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/1368-0-0x0000000000160000-0x0000000000190000-memory.dmp

    Filesize

    192KB

  • memory/1368-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp

    Filesize

    6.9MB

  • memory/1368-2-0x0000000004640000-0x0000000004680000-memory.dmp

    Filesize

    256KB

  • memory/1368-3-0x00000000004B0000-0x00000000004D8000-memory.dmp

    Filesize

    160KB

  • memory/1368-4-0x0000000000580000-0x000000000059A000-memory.dmp

    Filesize

    104KB

  • memory/1368-10-0x0000000074AF0000-0x00000000751DE000-memory.dmp

    Filesize

    6.9MB