Analysis
- max time kernel: 143s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/01/2024, 14:51
Static task: static1
Behavioral task: behavioral1
Sample: invoice-INVR-2024012000.exe
Resource: win7-20231215-en
General
- Target: invoice-INVR-2024012000.exe
- Size: 429KB
- MD5: 1ae050798555154c3c057598b0ccb3bf
- SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
- SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
- SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd
- SSDEEP: 6144:4AMl3A4aHuEzu2pQ4lQPaQ7HnyHPMCQDw3RdoyPn3WSu9UxXVGYUML35q9k8Ljpn:LU3YlO4l4aQD2IEL7PGb9wl8Mid
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 203.20.113.158:6606, 203.20.113.158:7707, 203.20.113.158:8808
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: microsotf.exe
- install_folder: %AppData%
Signatures

- Async RAT payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/528-21-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | invoice-INVR-2024012000.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | invoice-INVR-2024012000.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | microsotf.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1700 | microsotf.exe
  3276 | microsotf.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1524 set thread context of 528 | 1524 | invoice-INVR-2024012000.exe | 100
  PID 1700 set thread context of 3276 | 1700 | microsotf.exe | 113

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4500 | schtasks.exe
  3108 | schtasks.exe
  2924 | schtasks.exe

- Delays execution with timeout.exe (1 IoC)
  pid | Process
  2592 | timeout.exe

- Suspicious behavior: EnumeratesProcesses (31 IoCs; identical rows collapsed, count in parentheses)
  pid | Process
  1524 | invoice-INVR-2024012000.exe (2)
  1956 | powershell.exe (2)
  528 | invoice-INVR-2024012000.exe (23)
  1700 | microsotf.exe (2)
  708 | powershell.exe (2)

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1524 | invoice-INVR-2024012000.exe
  Token: SeDebugPrivilege | 1956 | powershell.exe
  Token: SeDebugPrivilege | 528 | invoice-INVR-2024012000.exe
  Token: SeDebugPrivilege | 1700 | microsotf.exe
  Token: SeDebugPrivilege | 708 | powershell.exe
  Token: SeDebugPrivilege | 3276 | microsotf.exe

- Suspicious use of WriteProcessMemory (43 IoCs; identical rows collapsed, count in parentheses)
  description | pid | Process | procid_target
  PID 1524 wrote to memory of 1956 | 1524 | invoice-INVR-2024012000.exe | 96 (3)
  PID 1524 wrote to memory of 4500 | 1524 | invoice-INVR-2024012000.exe | 98 (3)
  PID 1524 wrote to memory of 528 | 1524 | invoice-INVR-2024012000.exe | 100 (8)
  PID 528 wrote to memory of 1368 | 528 | invoice-INVR-2024012000.exe | 106 (3)
  PID 528 wrote to memory of 312 | 528 | invoice-INVR-2024012000.exe | 105 (3)
  PID 1368 wrote to memory of 3108 | 1368 | cmd.exe | 102 (3)
  PID 312 wrote to memory of 2592 | 312 | cmd.exe | 103 (3)
  PID 312 wrote to memory of 1700 | 312 | cmd.exe | 107 (3)
  PID 1700 wrote to memory of 708 | 1700 | microsotf.exe | 109 (3)
  PID 1700 wrote to memory of 2924 | 1700 | microsotf.exe | 111 (3)
  PID 1700 wrote to memory of 3276 | 1700 | microsotf.exe | 113 (8)
Processes (indentation shows parent/child nesting as reported)

- C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe (PID 1524)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1956)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 4500)
    cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADF3.tmp"
    signatures: Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe (PID 528)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
    signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 312)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp.bat""
      signatures: Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\microsotf.exe (PID 1700)
        cmdline: "C:\Users\Admin\AppData\Roaming\microsotf.exe"
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 708)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

        - C:\Windows\SysWOW64\schtasks.exe (PID 2924)
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EA.tmp"
          signatures: Creates scheduled task(s)

        - C:\Users\Admin\AppData\Roaming\microsotf.exe (PID 3276)
          cmdline: "C:\Users\Admin\AppData\Roaming\microsotf.exe"
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\cmd.exe (PID 1368)
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit
      signatures: Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\schtasks.exe (PID 3108)
  cmdline: schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'
  signatures: Creates scheduled task(s)

- C:\Windows\SysWOW64\timeout.exe (PID 2592)
  cmdline: timeout 3
  signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- Filesize: 18KB
  MD5: 105dfa28d0ddd1a1805e6896c8920034
  SHA1: 9fe9d273add147e154e9b02303db545c72df8f4a
  SHA256: 70423328450efa9ab5db14995a2648e815c526118fdf7313d537dfc3138d5287
  SHA512: 21c7edaf1b56a38b9c2a1ba0bee7e8065ea12479bdb85ee86c05e641923f89a445b89790d2db9bd2a9da799b3bcb7de4df32fb6fc6e011aa48bd1c0091e75943

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 1KB
  MD5: 8617e8cb59c0ae115057557b72a499cd
  SHA1: e712f3034b25c1ff6a7ff4e855791227b114836a
  SHA256: d6ffb678f979e911abcd4492f054f41af805abb2f3017df2300d0921f9e6f48a
  SHA512: e53f141c66b6c4ca1605f59093e3d34d21bd13b2c5eaaeb9514cbfb35905a8ec2932ea7a6cae94e4060b5da60f3f058a560f6fb658594bcb906512daaca67570

- Filesize: 153B
  MD5: 77d817e681eb2d7c2149f321c872f5d7
  SHA1: 91cd5355e16ba3f89a57730cb19c1a405b2b2070
  SHA256: 71f2990827ffe257fc3f24b863d93ac3fd5fa79003073a9f7213b2ca8dd5d454
  SHA512: 04b21d984baa9726d00263507286eaf5370ce82d237072c78f138d60520d95bebeca1b961d767003a3f54fb08053a13df1b8d8875406bbe4546b17ad61fd7e21

- Filesize: 204KB
  MD5: ec5d1c15200aacaaba32d179f4bc3f54
  SHA1: 1832e60a4c1fbe745eca0c6a88d3abbe6207c9d5
  SHA256: 43e86b88e28fd0de3babc34b019c64ade6ac3ea6ae5d93d47177aa0016896137
  SHA512: 6d5e16f8d648844b7e7071204d447a3a1498d81b889af08d0f34fddfc10c0282af844ed5b05cd9c5c3f4517fd1af8c643551f272eb97473b45b8ed241f655ff9

- Filesize: 420KB
  MD5: c5c0201fff9f1e5ff412e94bfc52663a
  SHA1: 268dd02109971903cd0f7cc8d9e95f8cb2628ee0
  SHA256: 126935d5511c09259a12b8a79b771da5ca53e8d3fbbd5cd5e74919689644471a
  SHA512: 233bae1bb91358f2d28af182a1b2dd0fe8bb1b5ac1570f58185dddf56f5c1f5fa796d504e30443db7488699ec287a78973a7f59a0ed6736b7107a6701aa9ade7

- Filesize: 255KB
  MD5: 10b1595ec906e23650edd19cad7d7e2f
  SHA1: f529fb6fc8faa86d5f8056f1f061b0b2157cd7ba
  SHA256: be6959d1c3aaceac0cef6fd025fcbaf4e0eae1186032a230d0d56e6f7c53f805
  SHA512: 64c29fac7fd6d70cd39b7b876f37d0a773b67cc0b38814dce108001ab96325cf08cd3782296150d3832d0b8f1e51442f6fb84770a973ae348bd1f1a85931f464

- Filesize: 429KB
  MD5: 1ae050798555154c3c057598b0ccb3bf
  SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
  SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
  SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd