Analysis

max time kernel: 119s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2024, 14:51
Static task: static1
Behavioral task: behavioral1
Sample: invoice-INVR-2024012000.exe
Resource: win7-20231215-en
General

Target: invoice-INVR-2024012000.exe
Size: 429KB
MD5: 1ae050798555154c3c057598b0ccb3bf
SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd
SSDEEP: 6144:4AMl3A4aHuEzu2pQ4lQPaQ7HnyHPMCQDw3RdoyPn3WSu9UxXVGYUML35q9k8Ljpn:LU3YlO4l4aQD2IEL7PGb9wl8Mid
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
- 203.20.113.158:6606
- 203.20.113.158:7707
- 203.20.113.158:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: microsotf.exe
install_folder: %AppData%
Signatures

Async RAT payload (8 IoCs)
resource                                                                 yara_rule
behavioral1/memory/560-18-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
behavioral1/memory/560-20-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
behavioral1/memory/560-24-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
behavioral1/memory/560-26-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
behavioral1/memory/560-29-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
behavioral1/memory/560-36-0x0000000000B80000-0x0000000000BC0000-memory.dmp   asyncrat
behavioral1/memory/2584-78-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral1/memory/2584-80-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
Executes dropped EXE (4 IoCs)
pid   Process
1748  microsotf.exe
1444  microsotf.exe
1256  microsotf.exe
2584  microsotf.exe
Loads dropped DLL (1 IoCs)
pid   Process
2272  cmd.exe
Suspicious use of SetThreadContext (2 IoCs)
description                           pid   Process                      procid_target
PID 1696 set thread context of 560    1696  invoice-INVR-2024012000.exe  32
PID 1748 set thread context of 2584   1748  microsotf.exe                48
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
540   schtasks.exe
3060  schtasks.exe
340   schtasks.exe
Delays execution with timeout.exe (1 IoCs)
pid   Process
320   timeout.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid   Process
1696  invoice-INVR-2024012000.exe
1696  invoice-INVR-2024012000.exe
600   powershell.exe
560   invoice-INVR-2024012000.exe
560   invoice-INVR-2024012000.exe
560   invoice-INVR-2024012000.exe
1748  microsotf.exe
1748  microsotf.exe
1748  microsotf.exe
1748  microsotf.exe
1748  microsotf.exe
2152  powershell.exe
1748  microsotf.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1696  invoice-INVR-2024012000.exe
Token: SeDebugPrivilege  600   powershell.exe
Token: SeDebugPrivilege  560   invoice-INVR-2024012000.exe
Token: SeDebugPrivilege  1748  microsotf.exe
Token: SeDebugPrivilege  2152  powershell.exe
Token: SeDebugPrivilege  2584  microsotf.exe
Suspicious use of WriteProcessMemory (62 IoCs)
description                          pid   Process                      procid_target
PID 1696 wrote to memory of 600      1696  invoice-INVR-2024012000.exe  28
PID 1696 wrote to memory of 600      1696  invoice-INVR-2024012000.exe  28
PID 1696 wrote to memory of 600      1696  invoice-INVR-2024012000.exe  28
PID 1696 wrote to memory of 600      1696  invoice-INVR-2024012000.exe  28
PID 1696 wrote to memory of 540      1696  invoice-INVR-2024012000.exe  30
PID 1696 wrote to memory of 540      1696  invoice-INVR-2024012000.exe  30
PID 1696 wrote to memory of 540      1696  invoice-INVR-2024012000.exe  30
PID 1696 wrote to memory of 540      1696  invoice-INVR-2024012000.exe  30
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 1696 wrote to memory of 560      1696  invoice-INVR-2024012000.exe  32
PID 560 wrote to memory of 2512      560   invoice-INVR-2024012000.exe  40
PID 560 wrote to memory of 2512      560   invoice-INVR-2024012000.exe  40
PID 560 wrote to memory of 2512      560   invoice-INVR-2024012000.exe  40
PID 560 wrote to memory of 2512      560   invoice-INVR-2024012000.exe  40
PID 560 wrote to memory of 2272      560   invoice-INVR-2024012000.exe  38
PID 560 wrote to memory of 2272      560   invoice-INVR-2024012000.exe  38
PID 560 wrote to memory of 2272      560   invoice-INVR-2024012000.exe  38
PID 560 wrote to memory of 2272      560   invoice-INVR-2024012000.exe  38
PID 2512 wrote to memory of 3060     2512  cmd.exe                      36
PID 2512 wrote to memory of 3060     2512  cmd.exe                      36
PID 2512 wrote to memory of 3060     2512  cmd.exe                      36
PID 2512 wrote to memory of 3060     2512  cmd.exe                      36
PID 2272 wrote to memory of 320      2272  cmd.exe                      35
PID 2272 wrote to memory of 320      2272  cmd.exe                      35
PID 2272 wrote to memory of 320      2272  cmd.exe                      35
PID 2272 wrote to memory of 320      2272  cmd.exe                      35
PID 2272 wrote to memory of 1748     2272  cmd.exe                      41
PID 2272 wrote to memory of 1748     2272  cmd.exe                      41
PID 2272 wrote to memory of 1748     2272  cmd.exe                      41
PID 2272 wrote to memory of 1748     2272  cmd.exe                      41
PID 1748 wrote to memory of 2152     1748  microsotf.exe                42
PID 1748 wrote to memory of 2152     1748  microsotf.exe                42
PID 1748 wrote to memory of 2152     1748  microsotf.exe                42
PID 1748 wrote to memory of 2152     1748  microsotf.exe                42
PID 1748 wrote to memory of 340      1748  microsotf.exe                44
PID 1748 wrote to memory of 340      1748  microsotf.exe                44
PID 1748 wrote to memory of 340      1748  microsotf.exe                44
PID 1748 wrote to memory of 340      1748  microsotf.exe                44
PID 1748 wrote to memory of 1444     1748  microsotf.exe                46
PID 1748 wrote to memory of 1444     1748  microsotf.exe                46
PID 1748 wrote to memory of 1444     1748  microsotf.exe                46
PID 1748 wrote to memory of 1444     1748  microsotf.exe                46
PID 1748 wrote to memory of 1256     1748  microsotf.exe                47
PID 1748 wrote to memory of 1256     1748  microsotf.exe                47
PID 1748 wrote to memory of 1256     1748  microsotf.exe                47
PID 1748 wrote to memory of 1256     1748  microsotf.exe                47
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
PID 1748 wrote to memory of 2584     1748  microsotf.exe                48
Processes

(Process tree; each nested level is indented one step further than its parent.)

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
  "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1696

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 600

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0CF.tmp"
      - Creates scheduled task(s)
      PID: 540

    C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 560

        C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.bat""
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2272

            C:\Users\Admin\AppData\Roaming\microsotf.exe
              "C:\Users\Admin\AppData\Roaming\microsotf.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 1748

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2152

                C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp147A.tmp"
                  - Creates scheduled task(s)
                  PID: 340

                C:\Users\Admin\AppData\Roaming\microsotf.exe
                  "C:\Users\Admin\AppData\Roaming\microsotf.exe"
                  - Executes dropped EXE
                  PID: 1444

                C:\Users\Admin\AppData\Roaming\microsotf.exe
                  "C:\Users\Admin\AppData\Roaming\microsotf.exe"
                  - Executes dropped EXE
                  PID: 1256

                C:\Users\Admin\AppData\Roaming\microsotf.exe
                  "C:\Users\Admin\AppData\Roaming\microsotf.exe"
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2584

        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit
          - Suspicious use of WriteProcessMemory
          PID: 2512

C:\Windows\SysWOW64\timeout.exe
  timeout 3
  - Delays execution with timeout.exe
  PID: 320

C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'
  - Creates scheduled task(s)
  PID: 3060
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 1KB
MD5: 0ee4bfb4600152f5d9306e023ab8fdde
SHA1: f38323cf349580e6733500e3cd43c0eff4c5eb2a
SHA256: a6d95ba3771817cf85d9db9bc99a07a297d5e26dce5f713b5f601b8c27d60bba
SHA512: 38790713425f6334286ed68d02359986a2c56c174d8db9c62b27d924a09db307e05be71dfdcba65b2fe5705ba32cd570ed125d0d9b01c958252641f9c700b347

Filesize: 153B
MD5: 1a761df95b36e064c4c01b082cdb48e1
SHA1: eea1c5317cc635331e2141e58ef5cc0ac1bb77f8
SHA256: e78943139b1c71b41ee3a264c43b7c747f834e61b33da21593a3a96052b7fd2c
SHA512: 14365d5e432ffe3ac731ff6ec156068a541497735f0bf344c54f877f3ea3144d59e5f463a77f3b7cf0aea55f230a970460f9ae339e7439801597e309f3afa800

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZYAE4QG0R93SNYSWXHA.temp
Filesize: 7KB
MD5: f9834a578094745d84117a702502d5d8
SHA1: b1e6a112077a2a3e53a10da625104d04065b2a41
SHA256: 97c1410511227626914b086377dfc74db167a351dd2cf75713ae329ef14b98c4
SHA512: d6b468cc15ae3a9706eaf05ff03cd43defd89a0931e0a3af98224e65b55bae6f7824f4013bcae4d0c64057951ea10740ec96aafa30199becd7796e7b3ad3e14a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 31c64c57e8d6702edde993ea0f3a5c85
SHA1: 9d7e39461acfa009b7a93e47f8fd035ca0941bc3
SHA256: 2ae9fa487f3566553673a1ce24a03dbaa6fbeb1a3d532b3ec4b379ca6ca60328
SHA512: 9c863244807c08c07bc37794d19649cb51d6035d29aca7c8ddd2988c9b1ab4b66f700d399f9789708b2ed8b43ccec2b02bde391f0a3ec1ec1cb1bba2762f8817

Filesize: 429KB
MD5: 1ae050798555154c3c057598b0ccb3bf
SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd