Analysis
max time kernel: 122s
max time network: 136s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2024, 11:56
Static task: static1
Behavioral task: behavioral1
Sample: INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
Resource: win7-20231129-en
General
Target: INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
Size: 542KB
MD5: 0b97309812b9b2941e5512e12095960e
SHA1: 8fc625372ccea9b23c3c3585e1a86a06479eb630
SHA256: 1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
SHA512: 8f0568c9cea86cd33c089ec6f9f32581563d03edbc5ab9a82fd83b81c57ecd4556248a58d40dd315732187a213218a5a4e0af458aec0bde4a6b647b906dfa65b
SSDEEP: 12288:eP7R2iNPBJI3AZp/UurrtqinZfTLatVX2wGlY:MV1xuAPH3A6natVX2wG
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 72.11.158.94:8808
Mutex (inferred from its position in the extracted config; the page itself leaves this value unlabeled): 9Qbxs7iA1JpF
Attributes:
delay: 3
install: true
install_file: vidextra.exe
install_folder: %AppData%
The extracted install settings match what the behavioral task recorded: the dropped copy runs from C:\Users\Admin\AppData\Roaming\vidextra.exe, and the 3-second delay corresponds to the "timeout 3" step in the process tree below.
Signatures

Async RAT payload (8 IoCs)
YARA rule "asyncrat" matched these memory dumps from behavioral1:
- memory/2660-13-0x0000000000400000-0x0000000000412000-memory.dmp
- memory/2660-15-0x0000000000400000-0x0000000000412000-memory.dmp
- memory/2660-19-0x0000000000400000-0x0000000000412000-memory.dmp
- memory/2660-23-0x0000000000400000-0x0000000000412000-memory.dmp
- memory/2660-21-0x0000000000400000-0x0000000000412000-memory.dmp
- memory/2660-26-0x0000000004D50000-0x0000000004D90000-memory.dmp
- memory/1300-54-0x0000000000400000-0x0000000000412000-memory.dmp
- memory/1300-57-0x0000000000400000-0x0000000000412000-memory.dmp
The same 0x00400000-0x00412000 range matches in both PID 2660 and PID 1300, the two processes that receive a SetThreadContext call from their parent (see below).

Executes dropped EXE (2 IoCs)
- PID 1904 vidextra.exe
- PID 1300 vidextra.exe

Loads dropped DLL (1 IoC)
- PID 2684 cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 2088 (INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe) set thread context of PID 2660 (procid_target 29)
- PID 1904 (vidextra.exe) set thread context of PID 1300 (procid_target 39)
In both cases the target is a child the source spawned from its own image, which is the self-hollowing pattern: a suspended copy is started, the payload is written in, and the main thread's context is redirected before resuming.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2508 schtasks.exe

Delays execution with timeout.exe (1 IoC)
- PID 2532 timeout.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2088 INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
- PID 2660 INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
- PID 2660 INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2088 INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
- Token: SeDebugPrivilege, PID 2660 INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
- Token: SeDebugPrivilege, PID 1300 vidextra.exe

Suspicious use of WriteProcessMemory (42 IoCs)
The 42 individual calls, grouped by source and target (the count column is the number of times the same source/target pair appears):
source PID | source process | target PID | procid_target | calls
2088 | INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe | 2588 | 28 | 4
2088 | INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe | 2660 | 29 | 9
2660 | INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe | 2484 | 30 | 4
2660 | INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe | 2684 | 32 | 4
2684 | cmd.exe | 2532 | 34 | 4
2484 | cmd.exe | 2508 | 35 | 4
2684 | cmd.exe | 1904 | 36 | 4
1904 | vidextra.exe | 1300 | 39 | 9
Both hollowing targets (2660 and 1300) receive nine writes from their parent, versus four for every ordinary child spawn; PID 2588, the first child of 2088, gets only four writes and shows no further activity in the tree.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe, PID 2088
    command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe, PID 2588
      command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
      (no signatures attached to this process)
  (depth 2) C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe, PID 2660
      command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe, PID 2484
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vidextra" /tr '"C:\Users\Admin\AppData\Roaming\vidextra.exe"' & exit
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\schtasks.exe, PID 2508
          command line: schtasks /create /f /sc onlogon /rl highest /tn "vidextra" /tr '"C:\Users\Admin\AppData\Roaming\vidextra.exe"'
          - Creates scheduled task(s)
    (depth 3) C:\Windows\SysWOW64\cmd.exe, PID 2684
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp787A.tmp.bat""
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\timeout.exe, PID 2532
          command line: timeout 3
          - Delays execution with timeout.exe
      (depth 4) C:\Users\Admin\AppData\Roaming\vidextra.exe, PID 1904
          command line: "C:\Users\Admin\AppData\Roaming\vidextra.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\Users\Admin\AppData\Roaming\vidextra.exe, PID 1300
            command line: "C:\Users\Admin\AppData\Roaming\vidextra.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Notes on the tree: the command lines reference C:\Windows\System32\cmd.exe while the resolved images are under C:\Windows\SysWOW64, because the 32-bit parent is subject to WOW64 file-system redirection. The scheduled task "vidextra" runs at every logon with the highest available run level and points at the copy in %AppData%\Roaming; the batch file tmp787A.tmp.bat sleeps for 3 seconds and then starts that copy, which repeats the hollowing step (1904 into 1300) and is where SeDebugPrivilege is next enabled.
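The following script is an added example and is not part of the sandbox report or of the analysed sample. It takes the PIDs, images and command lines transcribed from the process tree above, plus the two SetThreadContext events from the Signatures section, and derives the three findings an analyst would write up from this report: the self-hollowing pairs, the schtasks persistence (trigger, run level, action path and the spawn chain back to the sample), and the sleep-then-launch batch stage. The detection heuristics (same-image parent/child with a SetThreadContext event, schtasks /create pointing into AppData, cmd.exe running timeout.exe alongside a non-system executable) are the author's own, not the sandbox's rules.

```python
# Added example, not part of the sandbox report or of the analysed sample:
# rebuild the process tree from the report's "Processes" and "SetThreadContext"
# sections and derive the write-up findings (hollowing, persistence, delayed
# launch). PIDs, images and command lines are transcribed from the report; the
# heuristics are the author's own.
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\vidextra.exe"
SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "vidextra" /tr \'"'
                + DROPPED + '"\'')

class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

# (pid, parent pid, image, command line) as printed in the report's tree
PROCESSES = [
    Proc(2088, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2588, 2088, SAMPLE, f'"{SAMPLE}"'),
    Proc(2660, 2088, SAMPLE, f'"{SAMPLE}"'),
    Proc(2484, 2660, r"C:\Windows\SysWOW64\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS_CMD + " & exit"),
    Proc(2508, 2484, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    Proc(2684, 2660, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp787A.tmp.bat""'),
    Proc(2532, 2684, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    Proc(1904, 2684, DROPPED, f'"{DROPPED}"'),
    Proc(1300, 1904, DROPPED, f'"{DROPPED}"'),
]
SET_THREAD_CONTEXT = [(2088, 2660), (1904, 1300)]   # (source pid, target pid)
BY_PID: Dict[int, Proc] = {p.pid: p for p in PROCESSES}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(pid: int) -> List[int]:
    """PID chain from `pid` up to the root of the recorded tree."""
    chain, cur = [], pid
    while cur is not None and cur in BY_PID:
        chain.append(cur)
        cur = BY_PID[cur].ppid
    return chain

def find_hollowing(procs: List[Proc], stc: List[Tuple[int, int]]) -> List[Tuple[int, int, str]]:
    """A parent sets the thread context of a child it spawned from its own image:
    the self-hollowing pattern (suspended copy, payload written in, thread resumed)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for src, dst in stc:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and s.image.lower() == d.image.lower():
            hits.append((src, dst, s.image))
    return hits

# /switch optionally followed by a value; a value never starts with another switch
_FLAG = re.compile(r"""/(\w+)(?:\s+(?!/)("[^"]*"|'[^']*'|\S+))?""")

def parse_schtasks(cmdline: str) -> Dict[str, Optional[str]]:
    """Map schtasks switches to unquoted values; bare switches (/f) map to None."""
    return {n.lower(): (v.strip("'\"") if v else None) for n, v in _FLAG.findall(cmdline)}

def find_persistence(procs: List[Proc]) -> List[dict]:
    """schtasks /create whose action lives in a user-writable folder."""
    out = []
    for p in procs:
        if basename(p.image) != "schtasks.exe":
            continue
        f = parse_schtasks(p.cmdline)
        if "create" not in f:
            continue
        target = f.get("tr") or ""
        out.append({"pid": p.pid, "task": f.get("tn"), "trigger": f.get("sc"),
                    "run_level": f.get("rl"), "target": target,
                    "user_writable": "\\appdata\\" in target.lower(),
                    "chain": ancestry(p.pid)})
    return out

def find_delayed_launch(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """cmd.exe that runs timeout.exe and then a non-system executable
    (the batch-file stage: sleep, then start the dropped copy)."""
    hits = []
    for cmd in (p for p in procs if basename(p.image) == "cmd.exe"):
        kids = [k for k in procs if k.ppid == cmd.pid]
        for t in (k for k in kids if basename(k.image) == "timeout.exe"):
            arg = t.cmdline.split()[-1]
            secs = int(arg) if arg.isdigit() else -1
            for k in kids:
                if not k.image.lower().startswith("c:\\windows\\"):
                    hits.append((cmd.pid, secs, k.image))
    return hits

def summarize() -> dict:
    return {"hollowing": find_hollowing(PROCESSES, SET_THREAD_CONTEXT),
            "persistence": find_persistence(PROCESSES),
            "delayed_launch": find_delayed_launch(PROCESSES)}

if __name__ == "__main__":
    for section, items in summarize().items():
        print(section, *items, sep="\n  ")
```

Run as-is, it reports the two hollowing pairs (2088 into 2660, 1904 into 1300), the "vidextra" task created at logon with run level highest whose action sits under AppData, reached through the chain 2508 ← 2484 ← 2660 ← 2088, and the 3-second timeout followed by the launch of vidextra.exe from cmd.exe PID 2684. The same functions apply unchanged to process-creation telemetry from a real host (for example Sysmon Event ID 1, which carries ParentProcessId, Image and CommandLine) once the records are loaded into Proc tuples; the SetThreadContext pairs would come from whatever API-level source the EDR in use exposes.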
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 152B
MD5: e0d4a149ec0d7b59ca97df8c124a0dc8
SHA1: a381555dfd37ee2d4c7593526e136b46c071a178
SHA256: 4cbe4076d02d15459c66a97c8dddd68caa266ce722a63f3cbf19ae65f1692921
SHA512: b03631dc4b3c52ca0d97ec553cfddd405585780fc04a0374a10993240f776a71aa9ffb6014512c6429d4d701f08e2aff97e1b7fee3e44ec4cb00ed063159f3da
File 2 (all four hashes are identical to the submitted sample's, so this dropped file is a byte-for-byte copy of it)
Filesize: 542KB
MD5: 0b97309812b9b2941e5512e12095960e
SHA1: 8fc625372ccea9b23c3c3585e1a86a06479eb630
SHA256: 1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
SHA512: 8f0568c9cea86cd33c089ec6f9f32581563d03edbc5ab9a82fd83b81c57ecd4556248a58d40dd315732187a213218a5a4e0af458aec0bde4a6b647b906dfa65b