Analysis
- max time kernel: 115s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-05-2021 10:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: SARS Documents.doc
- Resource: win7v20210410
General
- Target: SARS Documents.doc
- Size: 36KB
- MD5: ea2c22c96421b40396d9d9a5ef2e4dc4
- SHA1: 77a04b21f8e8c57b7f24c6681fcac30ca09fd42b
- SHA256: f8d44d7880640da690ec310d1d562a37f0f63e45503d8eb8710f40dd062cf401
- SHA512: 70068a330cbb1e368f941625649e0a5f0fc8f6da9def43a440ca9d19fece1f74a51ff03f7e430278f1cdf9c2c762f271f985b15cf96a40438d9a9bcc97b5814a
Malware Config
Signatures
-
Async RAT payload 1 IoCs
Processes:
- yara_rule asyncrat matched resource behavioral2/memory/3884-185-0x000000000040D0AE-mapping.dmp
-
Executes dropped EXE 2 IoCs
Processes:
- pid 2160, process ySWLi.exe
- pid 3884, process ySWLi.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2160 (ySWLi.exe) set thread context of 3884 (ySWLi.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
- pid 640, process WINWORD.EXE (2 events)
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid 2160, process ySWLi.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, pid 2160, process ySWLi.exe
- Token: SeDebugPrivilege, pid 3884, process ySWLi.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
- pid 640, process WINWORD.EXE (7 events)
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
- PID 640 (WINWORD.EXE) wrote to memory of 2160 (ySWLi.exe), 3 events
- PID 2160 (ySWLi.exe) wrote to memory of 768 (schtasks.exe), 3 events
- PID 2160 (ySWLi.exe) wrote to memory of 3884 (ySWLi.exe), 8 events
Processes
- (depth 1) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SARS Documents.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- (depth 2) C:\Users\Admin\AppData\Local\Temp\ySWLi.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ySWLi.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrBmDGuxgYcA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp"
  - Creates scheduled task(s)
- (depth 3) C:\Users\Admin\AppData\Local\Temp\ySWLi.exe
  Command line: "{path}"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp
  MD5: 21c5a9f46b2860a6bc25e49041973b29
  SHA1: af0ae0feecddda6d66c97d325451a377f2096dd4
  SHA256: 22ab64792829bfe9e8ca250272bf032dbf10a2ea90f24915d5f65307d21c27b0
  SHA512: 762e2cdf1898010e52b831268121b66b7b3ffb243d69efa225f0475dd6f096fb1c99f8417521a708722812101973fbe454265427528a85963fdfdb04b7bbca46
- C:\Users\Admin\AppData\Local\Temp\ySWLi.exe
  MD5: 5794b56493325993815144d377d06a2a
  SHA1: eebd6c8fab55d73b29e2093832eb6a9e2c71653e
  SHA256: 8e7f1812d857f3cae2aa6a79c2d87f0e7987a786b1f15df31ee75513cb1156bf
  SHA512: 1537d5c7e7a70130ee1af56a90c504ce4130d051906ad41d70e793bcced3893ee336e2cd6cb8165e997fa6e9b3c266f59eccd9b97aa15e2d19ea2c9385e3a324
- memory/640-114-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp, Filesize 64KB
- memory/640-115-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp, Filesize 64KB
- memory/640-116-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp, Filesize 64KB
- memory/640-117-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp, Filesize 64KB
- memory/640-119-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp, Filesize 64KB
- memory/640-118-0x00007FFAE58D0000-0x00007FFAE83F3000-memory.dmp, Filesize 43.1MB
- memory/640-122-0x00007FFAE04D0000-0x00007FFAE15BE000-memory.dmp, Filesize 16.9MB
- memory/640-123-0x00007FFADE5D0000-0x00007FFAE04C5000-memory.dmp, Filesize 31.0MB
- memory/768-183-0x0000000000000000-mapping.dmp
- memory/2160-182-0x0000000007A80000-0x0000000007F7E000-memory.dmp, Filesize 5.0MB
- memory/2160-179-0x0000000000000000-mapping.dmp
- memory/3884-185-0x000000000040D0AE-mapping.dmp
- memory/3884-187-0x0000000004DE0000-0x0000000004DE1000-memory.dmp, Filesize 4KB