Analysis

max time kernel: 107s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2024, 11:56

Static task: static1
Behavioral task: behavioral1
Sample: INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
Resource: win7-20231129-en
General

Target: INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
Size: 542KB
MD5: 0b97309812b9b2941e5512e12095960e
SHA1: 8fc625372ccea9b23c3c3585e1a86a06479eb630
SHA256: 1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
SHA512: 8f0568c9cea86cd33c089ec6f9f32581563d03edbc5ab9a82fd83b81c57ecd4556248a58d40dd315732187a213218a5a4e0af458aec0bde4a6b647b906dfa65b
SSDEEP: 12288:eP7R2iNPBJI3AZp/UurrtqinZfTLatVX2wGlY:MV1xuAPH3A6natVX2wG
Malware Config

Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 72.11.158.94:8808
Mutex: 9Qbxs7iA1JpF
delay: 3
install: true
install_file: vidextra.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
resource: behavioral2/memory/2368-13-0x0000000000400000-0x0000000000412000-memory.dmp
yara_rule: asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
Process: INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe

Executes dropped EXE (2 IoCs)
pid   Process
452   vidextra.exe
1720  vidextra.exe

Suspicious use of SetThreadContext (2 IoCs)
description                            pid   Process                                             procid_target
PID 1864 set thread context of 2368    1864  INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe  95
PID 452 set thread context of 1720     452   vidextra.exe                                        104

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4200  schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid   Process
2052  timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid   Process
2368  INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe (23 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2368  INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe
Token: SeDebugPrivilege   1720  vidextra.exe

Suspicious use of WriteProcessMemory (31 IoCs; identical entries collapsed, count in parentheses)
description                              pid   Process                                             procid_target
PID 1864 wrote to memory of 2368 (x8)    1864  INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe  95
PID 2368 wrote to memory of 4252 (x3)    2368  INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe  96
PID 2368 wrote to memory of 4652 (x3)    2368  INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe  98
PID 4652 wrote to memory of 2052 (x3)    4652  cmd.exe                                             100
PID 4252 wrote to memory of 4200 (x3)    4252  cmd.exe                                             101
PID 4652 wrote to memory of 452 (x3)     4652  cmd.exe                                             103
PID 452 wrote to memory of 1720 (x8)     452   vidextra.exe                                        104
Processes

1. C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe (PID 1864)
   Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe (PID 2368)
      Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 4252)
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vidextra" /tr '"C:\Users\Admin\AppData\Roaming\vidextra.exe"' & exit
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe (PID 4200)
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "vidextra" /tr '"C:\Users\Admin\AppData\Roaming\vidextra.exe"'
            - Creates scheduled task(s)
      3. C:\Windows\SysWOW64\cmd.exe (PID 4652)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5C1.tmp.bat""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\timeout.exe (PID 2052)
            Command line: timeout 3
            - Delays execution with timeout.exe
         4. C:\Users\Admin\AppData\Roaming\vidextra.exe (PID 452)
            Command line: "C:\Users\Admin\AppData\Roaming\vidextra.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\vidextra.exe (PID 1720)
               Command line: "C:\Users\Admin\AppData\Roaming\vidextra.exe"
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
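The process tree shows the three behaviours a detection engineer would key on in this run: the dropper starting a second copy of itself and then calling SetThreadContext and WriteProcessMemory on it (the pairing that precedes process hollowing, seen again when vidextra.exe restarts itself), schtasks registering an onlogon task with /rl highest whose target lives in %AppData%\Roaming, and cmd.exe /c running a .bat from %Temp% that calls timeout before launching the dropped copy. The Python below is an added example, not part of the sandbox report and not AsyncRAT code: it encodes those three rules and runs them over a constructed list of process-creation events copied from the PIDs, image paths and command lines in the tree (the parent PID 1000 given to the root process is an assumption; the report does not show its parent).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable image, as the sandbox logs it
    cmdline: str    # command line as logged


# Image paths taken from the process tree in the report
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe"
IMPLANT = r"C:\Users\Admin\AppData\Roaming\vidextra.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# schtasks arguments exactly as logged; the trailing space keeps the raw literal
# from ending on a quote character and is stripped again
TASK_ARGS = r'''/create /f /sc onlogon /rl highest /tn "vidextra" /tr '"C:\Users\Admin\AppData\Roaming\vidextra.exe"' '''.rstrip()

# Constructed events mirroring the report's process tree. PPID 1000 for the
# root process is an assumption; the report does not show its parent.
EVENTS: List[ProcEvent] = [
    ProcEvent(1864, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2368, 1864, DROPPER, f'"{DROPPER}"'),
    ProcEvent(4252, 2368, CMD, '"C:\\Windows\\System32\\cmd.exe" /c schtasks ' + TASK_ARGS + " & exit"),
    ProcEvent(4200, 4252, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks " + TASK_ARGS),
    ProcEvent(4652, 2368, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5C1.tmp.bat""'),
    ProcEvent(2052, 4652, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(452, 4652, IMPLANT, f'"{IMPLANT}"'),
    ProcEvent(1720, 452, IMPLANT, f'"{IMPLANT}"'),
]

# Any path under a user's AppData\Roaming or AppData\Local is writable without admin rights
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased. The logged image is SysWOW64\\cmd.exe while the
    command line says System32\\cmd.exe (WOW64 redirection), so rules match the basename."""
    return path.rsplit("\\", 1)[-1].lower()


def onlogon_task_findings(events: List[ProcEvent]) -> list:
    """schtasks /create ... /sc onlogon whose /tr target lives in a user-writable path."""
    out = []
    for ev in events:
        if basename(ev.image) != "schtasks.exe":
            continue
        cl = ev.cmdline.lower()
        if "/create" not in cl or not re.search(r"/sc\s+onlogon", cl):
            continue
        m = re.search(r"/tr\s+['\"]*([^'\"]+)", ev.cmdline, re.I)   # strip the '"..."' quoting
        target = m.group(1).strip() if m else ""
        if USER_WRITABLE.search(target):
            highest = re.search(r"/rl\s+highest", cl) is not None
            out.append(("onlogon_task_user_writable", ev.pid, target, highest))
    return out


def self_spawn_findings(events: List[ProcEvent]) -> list:
    """A child whose image equals its parent's image: the spawn that precedes the
    SetThreadContext/WriteProcessMemory sequence for 1864->2368 and 452->1720."""
    by_pid = {e.pid: e for e in events}
    out = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is not None and parent.image.lower() == ev.image.lower():
            out.append(("self_spawn", parent.pid, ev.pid, ev.image))
    return out


def bat_delay_launch_findings(events: List[ProcEvent]) -> list:
    """cmd.exe /c running a .bat from %Temp% whose children include timeout.exe and an
    executable in a user-writable path: sleep, then start the dropped copy."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    out = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        if not re.search(r"\\temp\\[^\"]+\.bat\b", ev.cmdline, re.I):
            continue
        kids = children[ev.pid]
        has_timeout = any(basename(k.image) == "timeout.exe" for k in kids)
        launched = [k.image for k in kids if USER_WRITABLE.search(k.image)]
        if has_timeout and launched:
            out.append(("bat_delay_launch", ev.pid, launched[0]))
    return out


def analyze(events: List[ProcEvent]) -> list:
    """Run all three rules; each finding is a tuple whose first element names the rule."""
    return onlogon_task_findings(events) + self_spawn_findings(events) + bat_delay_launch_findings(events)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the events above the rules produce four findings: the onlogon task for PID 4200 (target vidextra.exe, highest run level), the two self-spawns 1864->2368 and 452->1720, and the delayed launch under cmd.exe PID 4652. A task whose /tr points into C:\Windows or Program Files is deliberately not flagged, which keeps the first rule quiet on legitimate installer tasks.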
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRYs#37567JAN2024NEWORDERMATERIALSPRODs.e.exe.log
(a UsageLogs entry under CLR_v4.0_32 is written when the process runs managed code under the 32-bit .NET Framework 4 CLR)
Filesize: 1KB
MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

(path not recorded in the report)
Filesize: 152B
MD5: ade8be5fd04f6088d9e878ad1f15cc98
SHA1: 7311dbcb2df8ac0f4cec901751eda910778ca867
SHA256: e0670d09545c7cb1e57c4dfa3f875375310c8bcd6fc405a08671d973bea23e27
SHA512: 83a5903ab7d8e00a782c70e933dc85b37365ad021809180f5b9794eda64c09166dd0505b6190440d92fcf94178a1c2aac88aedc03deb4e0dbd92ee83a2d2c0ed

(path not recorded in the report; hashes are identical to the submitted sample)
Filesize: 542KB
MD5: 0b97309812b9b2941e5512e12095960e
SHA1: 8fc625372ccea9b23c3c3585e1a86a06479eb630
SHA256: 1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
SHA512: 8f0568c9cea86cd33c089ec6f9f32581563d03edbc5ab9a82fd83b81c57ecd4556248a58d40dd315732187a213218a5a4e0af458aec0bde4a6b647b906dfa65b