Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2024, 14:52
Static task: static1
Behavioral task: behavioral1
Sample: invoice-INVR-2024012000.exe
Resource: win7-20231215-en
General
Target: invoice-INVR-2024012000.exe
Size: 429KB
MD5: 1ae050798555154c3c057598b0ccb3bf
SHA1: d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512: 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd
SSDEEP: 6144:4AMl3A4aHuEzu2pQ4lQPaQ7HnyHPMCQDw3RdoyPn3WSu9UxXVGYUML35q9k8Ljpn:LU3YlO4l4aQD2IEL7PGb9wl8Mid
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 203.20.113.158:6606
C2: 203.20.113.158:7707
C2: 203.20.113.158:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: microsotf.exe
install_folder: %AppData%
Signatures

Async RAT payload 1 IoCs
resource | yara_rule
behavioral2/memory/3500-21-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | invoice-INVR-2024012000.exe
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | invoice-INVR-2024012000.exe
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | microsotf.exe

Executes dropped EXE 2 IoCs
pid | Process
4356 | microsotf.exe
4992 | microsotf.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4436 set thread context of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4356 set thread context of 4992 | 4356 | microsotf.exe | 113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1548 | schtasks.exe
5108 | schtasks.exe
1816 | schtasks.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
3548 | timeout.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
4436 | invoice-INVR-2024012000.exe
4436 | invoice-INVR-2024012000.exe
948 | powershell.exe
948 | powershell.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
3500 | invoice-INVR-2024012000.exe
4356 | microsotf.exe
3456 | powershell.exe
4356 | microsotf.exe
3456 | powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4436 | invoice-INVR-2024012000.exe
Token: SeDebugPrivilege | 948 | powershell.exe
Token: SeDebugPrivilege | 3500 | invoice-INVR-2024012000.exe
Token: SeDebugPrivilege | 4356 | microsotf.exe
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeDebugPrivilege | 4992 | microsotf.exe

Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target
PID 4436 wrote to memory of 948 | 4436 | invoice-INVR-2024012000.exe | 96
PID 4436 wrote to memory of 948 | 4436 | invoice-INVR-2024012000.exe | 96
PID 4436 wrote to memory of 948 | 4436 | invoice-INVR-2024012000.exe | 96
PID 4436 wrote to memory of 1548 | 4436 | invoice-INVR-2024012000.exe | 98
PID 4436 wrote to memory of 1548 | 4436 | invoice-INVR-2024012000.exe | 98
PID 4436 wrote to memory of 1548 | 4436 | invoice-INVR-2024012000.exe | 98
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 4436 wrote to memory of 3500 | 4436 | invoice-INVR-2024012000.exe | 100
PID 3500 wrote to memory of 4404 | 3500 | invoice-INVR-2024012000.exe | 104
PID 3500 wrote to memory of 4404 | 3500 | invoice-INVR-2024012000.exe | 104
PID 3500 wrote to memory of 4404 | 3500 | invoice-INVR-2024012000.exe | 104
PID 3500 wrote to memory of 3568 | 3500 | invoice-INVR-2024012000.exe | 101
PID 3500 wrote to memory of 3568 | 3500 | invoice-INVR-2024012000.exe | 101
PID 3500 wrote to memory of 3568 | 3500 | invoice-INVR-2024012000.exe | 101
PID 4404 wrote to memory of 5108 | 4404 | cmd.exe | 105
PID 4404 wrote to memory of 5108 | 4404 | cmd.exe | 105
PID 4404 wrote to memory of 5108 | 4404 | cmd.exe | 105
PID 3568 wrote to memory of 3548 | 3568 | cmd.exe | 106
PID 3568 wrote to memory of 3548 | 3568 | cmd.exe | 106
PID 3568 wrote to memory of 3548 | 3568 | cmd.exe | 106
PID 3568 wrote to memory of 4356 | 3568 | cmd.exe | 107
PID 3568 wrote to memory of 4356 | 3568 | cmd.exe | 107
PID 3568 wrote to memory of 4356 | 3568 | cmd.exe | 107
PID 4356 wrote to memory of 3456 | 4356 | microsotf.exe | 109
PID 4356 wrote to memory of 3456 | 4356 | microsotf.exe | 109
PID 4356 wrote to memory of 3456 | 4356 | microsotf.exe | 109
PID 4356 wrote to memory of 1816 | 4356 | microsotf.exe | 111
PID 4356 wrote to memory of 1816 | 4356 | microsotf.exe | 111
PID 4356 wrote to memory of 1816 | 4356 | microsotf.exe | 111
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
PID 4356 wrote to memory of 4992 | 4356 | microsotf.exe | 113
Processes
(process tree; each child is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4436

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 948

  C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8453.tmp"
  - Creates scheduled task(s)
  PID: 1548

  C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3500

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93E3.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 3568

      C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 3548

      C:\Users\Admin\AppData\Roaming\microsotf.exe
      Command line: "C:\Users\Admin\AppData\Roaming\microsotf.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4356

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3456

        C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"
        - Creates scheduled task(s)
        PID: 1816

        C:\Users\Admin\AppData\Roaming\microsotf.exe
        Command line: "C:\Users\Admin\AppData\Roaming\microsotf.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 4992

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 4404

      C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'
      - Creates scheduled task(s)
      PID: 5108
Downloads