Analysis
max time kernel: 133s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 16:19

Static task: static1
Behavioral task: behavioral1
  Sample: Payment Invoice Copy.exe
  Resource: win7-20240903-en
General
Target: Payment Invoice Copy.exe
Size: 578KB
MD5: e3bbcd9ecd0c7a43d84c42f47877d766
SHA1: d2fea2b4fa4ded44078f641932d8399af76a9370
SHA256: 142615d8e77bb22a168f6f26f374b99b06fa2bc6942627c4170e0983ebdc60ed
SHA512: e3bf21da59e7446c28e28777c4629d9003615e5b5e31b80635b47b6f34220f240875de0340f08dabbefaedccbaf1e792d5ce0e5d51131074cfdf849a38db4e66
SSDEEP: 12288:yk/2L2IW2iN/2iNL3uMLdsiqoGksTLCu5ZkbzUH:yQ2Y1J153uM4oaLGzc
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet (group): Default
C2:
  23.92.209.138:6606
  23.92.209.138:7707
  23.92.209.138:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures
Asyncrat family

Suspicious use of SetThreadContext (1 IoC)
  Description                            PID   Process                    procid_target
  PID 2684 set thread context of 2604    2684  Payment Invoice Copy.exe   31

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description   IoC                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Payment Invoice Copy.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Payment Invoice Copy.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                          PID   Process                    procid_target
  PID 2684 wrote to memory of 2604     2684  Payment Invoice Copy.exe   31
  (the same row is recorded 9 times: all nine writes are from PID 2684 into PID 2604)
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Invoice Copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice Copy.exe"
  PID: 2684
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  └ C:\Users\Admin\AppData\Local\Temp\Payment Invoice Copy.exe  (child of PID 2684)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice Copy.exe"
      PID: 2604
      - System Location Discovery: System Language Discovery
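Read together, the signatures and the process tree describe one chain: PID 2684 spawns a second copy of its own image (PID 2604), writes into it nine times and then calls SetThreadContext on it. Each event is a weak signal on its own (debuggers and some installers write to child processes too), but the combination is the RunPE / process-hollowing pattern commonly used by .NET loaders to unpack a RAT payload in memory, which is consistent with the asyncrat config being extracted from the run. The script below is an added example, not part of the sandbox report or of any tool's output: it correlates constructed event records, modelled on the rows above, into one finding per (source, target) pair and only reports hollowing when all three conditions hold. The PROCESSES and EVENTS tables, the InjectionChain class and the hollowing_findings function are this example's own names.

```python
"""Correlate sandbox process events into a process-hollowing finding.

Hollowing (MITRE ATT&CK T1055.012) is inferred when one process
(a) spawned the target, (b) wrote into the target's memory and
(c) redirected one of the target's threads with SetThreadContext.
A match where the target runs the same image as the source is the
"self-hollowing" variant seen in the report above.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed process table modelled on the report's process tree:
# pid -> (image path, parent pid). Not output of any tool.
PROCESSES: Dict[int, Tuple[str, Optional[int]]] = {
    2684: (r"C:\Users\Admin\AppData\Local\Temp\Payment Invoice Copy.exe", None),
    2604: (r"C:\Users\Admin\AppData\Local\Temp\Payment Invoice Copy.exe", 2684),
}

# Constructed event stream modelled on the Signatures rows:
# (api, acting pid, target pid). Nine writes and one thread-context set.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 2684, 2604)] * 9
    + [("SetThreadContext", 2684, 2604)]
)


@dataclass
class InjectionChain:
    """Everything one source process did to one target process."""
    source: int
    target: int
    writes: int = 0
    thread_context_set: bool = False
    target_is_child: bool = False
    same_image: bool = False

    def is_hollowing(self) -> bool:
        # All three conditions are required; a lone WriteProcessMemory
        # or a lone SetThreadContext does not fire the rule.
        return self.writes > 0 and self.thread_context_set and self.target_is_child

    def describe(self) -> str:
        kind = ("self-hollowing (child runs the parent's image)"
                if self.same_image else "hollowing")
        return (f"PID {self.source} -> PID {self.target}: {self.writes} memory write(s), "
                f"SetThreadContext={self.thread_context_set}, {kind}")


def correlate(processes: Dict[int, Tuple[str, Optional[int]]],
              events: Iterable[Tuple[str, int, int]]) -> List[InjectionChain]:
    """Group cross-process events by (source, target) and enrich them
    with parent/child and image information from the process table."""
    chains: Dict[Tuple[int, int], InjectionChain] = {}
    for api, actor, target in events:
        if actor == target:
            continue  # a process writing to its own memory is not injection
        chain = chains.get((actor, target))
        if chain is None:
            src_img, _ = processes.get(actor, ("", None))
            tgt_img, tgt_parent = processes.get(target, ("", None))
            chain = InjectionChain(
                source=actor,
                target=target,
                target_is_child=(tgt_parent == actor),
                same_image=(src_img != "" and src_img.lower() == tgt_img.lower()),
            )
            chains[(actor, target)] = chain
        if api == "WriteProcessMemory":
            chain.writes += 1
        elif api == "SetThreadContext":
            chain.thread_context_set = True
    return list(chains.values())


def hollowing_findings(processes: Dict[int, Tuple[str, Optional[int]]],
                       events: Iterable[Tuple[str, int, int]]) -> List[InjectionChain]:
    """Return only the chains that satisfy the full hollowing pattern."""
    return [c for c in correlate(processes, events) if c.is_hollowing()]


if __name__ == "__main__":
    for finding in hollowing_findings(PROCESSES, EVENTS):
        print(finding.describe())
```

Run against the constructed tables the script reports a single finding, 2684 -> 2604 with nine writes and the self-hollowing flag set. The target_is_child check is what keeps the rule from firing on writes into unrelated processes; a write plus SetThreadContext into a process the source did not spawn is still injection worth a look, but it is thread hijacking rather than hollowing and should be handled by a separate rule.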