Analysis
max time kernel: 117s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2024, 14:52
Static task: static1
Behavioral task: behavioral1
Sample: invoice-INVR-2024012000.exe
Resource: win7-20231215-en
General
Target: invoice-INVR-2024012000.exe
Size: 429KB
MD5: 1ae050798555154c3c057598b0ccb3bf
SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd
SSDEEP: 6144:4AMl3A4aHuEzu2pQ4lQPaQ7HnyHPMCQDw3RdoyPn3WSu9UxXVGYUML35q9k8Ljpn:LU3YlO4l4aQD2IEL7PGb9wl8Mid
Malware Config
Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 203.20.113.158:6606, 203.20.113.158:7707, 203.20.113.158:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: microsotf.exe
install_folder: %AppData%
Signatures

Async RAT payload (9 IoCs)
Memory dumps matching the asyncrat yara rule:
- behavioral1/memory/2700-15-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2700-16-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2700-20-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2700-22-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2700-24-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2700-35-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
- behavioral1/memory/1404-75-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/1404-77-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/1404-80-0x0000000004860000-0x00000000048A0000-memory.dmp

Executes dropped EXE (2 IoCs)
- PID 1760 microsotf.exe
- PID 1404 microsotf.exe

Loads dropped DLL (1 IoC)
- PID 1712 cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 1740 (invoice-INVR-2024012000.exe) set thread context of 2700 (procid_target 32)
- PID 1760 (microsotf.exe) set thread context of 1404 (procid_target 46)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2724 schtasks.exe
- PID 2148 schtasks.exe
- PID 2044 schtasks.exe

Delays execution with timeout.exe (1 IoC)
- PID 824 timeout.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 1740 invoice-INVR-2024012000.exe
- PID 1740 invoice-INVR-2024012000.exe
- PID 2020 powershell.exe
- PID 2700 invoice-INVR-2024012000.exe
- PID 2700 invoice-INVR-2024012000.exe
- PID 1760 microsotf.exe
- PID 2184 powershell.exe
- PID 1760 microsotf.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 1740 invoice-INVR-2024012000.exe
- Token: SeDebugPrivilege, PID 2020 powershell.exe
- Token: SeDebugPrivilege, PID 2700 invoice-INVR-2024012000.exe
- Token: SeDebugPrivilege, PID 1760 microsotf.exe
- Token: SeDebugPrivilege, PID 2184 powershell.exe
- Token: SeDebugPrivilege, PID 1404 microsotf.exe

Suspicious use of WriteProcessMemory (54 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe (PID 1740, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2020, depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2724, depth 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D61.tmp"
  - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe (PID 2700, depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2352, depth 3)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 2148, depth 4)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (PID 1712, depth 3)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA12F.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe (PID 824, depth 4)
      Command line: timeout 3
      - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\microsotf.exe (PID 1760, depth 4)
      Command line: "C:\Users\Admin\AppData\Roaming\microsotf.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2184, depth 5)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe (PID 2044, depth 5)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE485.tmp"
        - Creates scheduled task(s)

        C:\Users\Admin\AppData\Roaming\microsotf.exe (PID 1404, depth 5)
        Command line: "C:\Users\Admin\AppData\Roaming\microsotf.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 1KB
MD5: 004b45ca8dd8e6df86f86cfca513bd4a
SHA1: a318146459027397fe0fc51251f03d6a2f35c7a9
SHA256: dceb73d7849fa32c35fcf395a1c5711cac76abdcacf52683c5eb918f08e1dfdc
SHA512: 4d37ba0d925b097a95825077d042eb909a6e7ce882224831926968335180174e739f3dc876a85c796fe2f4f47a598526c9b893a316150cb79f90ac7339dbb0a5

Filesize: 153B
MD5: 3c9d65e5dc199618d0b2372a0e178505
SHA1: a1ac060b92989a2aec1045ee80538d5f6cc05ab4
SHA256: 8a1b2bab7baa563ffca78e40891923765ef9cc4f9faa295b13c771b09660917b
SHA512: 1a31925f069dcca2667849411af447687a6531871b11d0e901a03c5708887de3aafe29ebb295277dea45060e4b6636e87c4e4c232481be52c77560ec7acde817

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: d6d2b26b785bdab047befea2c1cd725e
SHA1: be7a132f3e04f24b57fc51666c3b3b88b2a37f90
SHA256: 64adcdc6f0813fb5635ddea369c3fede6e3d7606d8d4da326b38499fbf42c88d
SHA512: f0468f81adf9e6bb4f64c15c14d3191f5b2bfefe7467e30c1dba8ee0028b022d11942dd59ac862a0a9efe4876c553defbf8e3bb0fade68c5786fa6e8e611d3d6

Filesize: 429KB
MD5: 1ae050798555154c3c057598b0ccb3bf
SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd