Analysis
- max time kernel: 120s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 11:02
Static task: static1
Behavioral task: behavioral1
  Sample: SARS Documents.doc
  Resource: win7v20210408
General
- Target: SARS Documents.doc
- Size: 36KB
- MD5: ea2c22c96421b40396d9d9a5ef2e4dc4
- SHA1: 77a04b21f8e8c57b7f24c6681fcac30ca09fd42b
- SHA256: f8d44d7880640da690ec310d1d562a37f0f63e45503d8eb8710f40dd062cf401
- SHA512: 70068a330cbb1e368f941625649e0a5f0fc8f6da9def43a440ca9d19fece1f74a51ff03f7e430278f1cdf9c2c762f271f985b15cf96a40438d9a9bcc97b5814a
Malware Config
Signatures
- Async RAT payload (1 IoC)
  resource                                                    yara_rule
  behavioral2/memory/860-185-0x000000000040D0AE-mapping.dmp   asyncrat
  The rule matched in a mapped-image dump of PID 860, the second ySWLi.exe instance, not in the file on disk.
- Executes dropped EXE (2 IoCs)
  pid    process
  2488   ySWLi.exe
  860    ySWLi.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid    process     target process
  PID 2488 set thread context of 860   2488   ySWLi.exe   ySWLi.exe
  Together with the eight WriteProcessMemory calls from 2488 into 860 listed below, this is the parent redirecting execution inside a freshly started copy of its own image (process hollowing / RunPE).
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description. Nothing else in this report shows file encryption or ransom-note activity; with an AsyncRAT payload in memory, drive enumeration here is better treated as host fingerprinting than as evidence of ransomware.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                         process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0            WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz       WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WINWORD.EXE
  Note that all three reads are attributed to WINWORD.EXE (PID 740), not to the dropped ySWLi.exe, so on their own they are weak evidence of sandbox evasion by the payload.
- Creates scheduled task(s) (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                         process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS          WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      WINWORD.EXE
  As with the processor keys, these queries come from WINWORD.EXE rather than from the dropped executable.
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid    process
  740    WINWORD.EXE
  740    WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    process
  2488   ySWLi.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    process
  Token: SeDebugPrivilege    2488   ySWLi.exe
  Token: SeDebugPrivilege    860    ySWLi.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid    process
  740    WINWORD.EXE (7 calls)
- Suspicious use of WriteProcessMemory (14 IoCs, grouped by source and target)
  description           pid    process       target pid   target process   calls
  wrote to memory of    740    WINWORD.EXE   2488         ySWLi.exe        3
  wrote to memory of    2488   ySWLi.exe     636          schtasks.exe     3
  wrote to memory of    2488   ySWLi.exe     860          ySWLi.exe        8
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 740, level 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SARS Documents.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ySWLi.exe (PID 2488, level 2; the dropped EXE, started by Word from the user's Temp directory)
    command line: C:\Users\Admin\AppData\Local\Temp\ySWLi.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 636, level 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrBmDGuxgYcA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC10.tmp"
      The command line names System32 but the image that ran is the SysWOW64 copy: the 32-bit parent was subject to WOW64 file-system redirection, which is itself a useful hint that ySWLi.exe is a 32-bit binary. The task definition is read from a temp file (tmpCC10.tmp, hashed under Downloads below) and registered under the task folder "Updates".
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\ySWLi.exe (PID 860, level 3)
      command line: "{path}" (recorded literally by the sandbox)
      This is the child whose thread context PID 2488 set and whose mapped-image dump (memory/860-185-0x000000000040D0AE-mapping.dmp) matched the asyncrat YARA rule; the unpacked AsyncRAT payload runs here, not in PID 2488.
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
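The process tree and the WriteProcessMemory / SetThreadContext IoCs above describe a recognisable chain: Word launches an executable from the user's Temp directory, that executable registers a scheduled task from an XML file in Temp, and then hollows a second copy of itself. The Python below is an added example by the editor, not part of the Triage report. It encodes those events as constructed records (PIDs, image paths and command lines copied from the tables above; the fourteen WriteProcessMemory rows collapsed to counts) and runs four detection checks over them. The function names, the USER_WRITABLE path pattern and the OFFICE image set are the editor's own choices, not anything the sandbox emits.

```python
import re
from collections import Counter

# Process records reconstructed by hand from this report's process tree:
# (pid, parent_pid, image_path, command_line). Constructed sample input.
PROCESSES = [
    (740, None,
     r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
     r'"C:\Users\Admin\AppData\Local\Temp\SARS Documents.doc" /o ""'),
    (2488, 740,
     r"C:\Users\Admin\AppData\Local\Temp\ySWLi.exe",
     r"C:\Users\Admin\AppData\Local\Temp\ySWLi.exe"),
    (636, 2488,
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrBmDGuxgYcA" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCC10.tmp"'),
    (860, 2488,
     r"C:\Users\Admin\AppData\Local\Temp\ySWLi.exe",
     '"{path}"'),
]

# API events reconstructed from the WriteProcessMemory / SetThreadContext
# IoC tables: (api, source_pid, target_pid). Constructed sample input.
API_EVENTS = (
    [("WriteProcessMemory", 740, 2488)] * 3
    + [("WriteProcessMemory", 2488, 636)] * 3
    + [("WriteProcessMemory", 2488, 860)] * 8
    + [("SetThreadContext", 2488, 860)]
)

# Editor's assumptions: which parents count as Office, which dirs as user-writable.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(
    r"\\(appdata\\(local\\temp|roaming)|users\\public)\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_executables(processes=PROCESSES):
    """PIDs of executables started by an Office process from a user-writable dir."""
    image = {pid: img for pid, _, img, _ in processes}
    return [pid for pid, ppid, img, _ in processes
            if ppid in image and _basename(image[ppid]) in OFFICE
            and USER_WRITABLE.search(img)]


def hollowed_children(processes=PROCESSES, events=API_EVENTS):
    """(parent, child) pairs where the parent started a copy of its own image,
    wrote into it and then redirected a thread there (RunPE / process hollowing)."""
    image = {pid: img.lower() for pid, _, img, _ in processes}
    parent = {pid: ppid for pid, ppid, _, _ in processes}
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    ctx = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    return sorted((s, t) for (s, t) in ctx
                  if parent.get(t) == s and image.get(s) == image.get(t)
                  and writes[(s, t)] > 0)


def schtasks_from_user_writable_xml(processes=PROCESSES):
    """PIDs of schtasks.exe /Create whose /XML definition lives in a
    user-writable directory (the tmpCC10.tmp pattern in this report)."""
    hits = []
    for pid, _, img, cmd in processes:
        if _basename(img) != "schtasks.exe":
            continue
        m = re.search(r'/xml\s+"?([^"]+)"?', cmd, re.I)
        if re.search(r"/create", cmd, re.I) and m and USER_WRITABLE.search(m.group(1)):
            hits.append(pid)
    return hits


def wow64_redirected(processes=PROCESSES):
    """PIDs whose command line names System32 but whose image is the SysWOW64
    copy: a 32-bit parent hit file-system redirection (schtasks.exe here)."""
    return [pid for pid, _, img, cmd in processes
            if "\\syswow64\\" in img.lower() and "\\system32\\" in cmd.lower()]


def findings(processes=PROCESSES, events=API_EVENTS):
    """All four checks over one event set, keyed by finding name."""
    return {
        "office_spawned_exe": office_spawned_executables(processes),
        "process_hollowing": hollowed_children(processes, events),
        "schtasks_persistence": schtasks_from_user_writable_xml(processes),
        "wow64_redirection": wow64_redirected(processes),
    }


if __name__ == "__main__":
    for name, hits in findings().items():
        print(f"{name}: {hits}")
```

Against the constructed records the checks return PID 2488 for the Office-spawned executable, the pair (2488, 860) for hollowing, and PID 636 for both the scheduled-task and WOW64 checks. The hollowing check deliberately requires all three conditions (same image, memory written, thread context set): a parent that only writes into a child, as Word does into ySWLi.exe here, does not trigger it.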
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpCC10.tmp
  MD5: e9f1274e3aa5be17d5d3dea3e5ba297c
  SHA1: 3b92e22a600f4db8c2712dbc7cd7a0d65981b510
  SHA256: 82e4124dadbdcf5f72c59c6d6738cf2c509b939537af5b657ca432993cb876c1
  SHA512: 14bf5f431cd886e8f0f887464f67358c7b0b50f121bbb6cf301620b210e6110295c4edcf42106d56681cf178494059849d5a3c6125b74ffbada1788733a027d0
- C:\Users\Admin\AppData\Local\Temp\ySWLi.exe (listed three times in the report with identical hashes)
  MD5: 5794b56493325993815144d377d06a2a
  SHA1: eebd6c8fab55d73b29e2093832eb6a9e2c71653e
  SHA256: 8e7f1812d857f3cae2aa6a79c2d87f0e7987a786b1f15df31ee75513cb1156bf
  SHA512: 1537d5c7e7a70130ee1af56a90c504ce4130d051906ad41d70e793bcced3893ee336e2cd6cb8165e997fa6e9b3c266f59eccd9b97aa15e2d19ea2c9385e3a324
- memory/636-183-0x0000000000000000-mapping.dmp
- memory/740-118-0x00007FFD56C40000-0x00007FFD59763000-memory.dmp (43.1MB)
- memory/740-117-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp (64KB)
- memory/740-123-0x00007FFD4E340000-0x00007FFD50235000-memory.dmp (31.0MB)
- memory/740-115-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp (64KB)
- memory/740-114-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp (64KB)
- memory/740-119-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp (64KB)
- memory/740-116-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp (64KB)
- memory/740-122-0x00007FFD50240000-0x00007FFD5132E000-memory.dmp (16.9MB)
- memory/860-185-0x000000000040D0AE-mapping.dmp
- memory/860-187-0x00000000052E0000-0x00000000052E1000-memory.dmp (4KB)
- memory/2488-150-0x00000000076C0000-0x00000000076C1000-memory.dmp (4KB)
- memory/2488-151-0x0000000007820000-0x0000000007821000-memory.dmp (4KB)
- memory/2488-152-0x0000000007620000-0x0000000007B1E000-memory.dmp (5.0MB)
- memory/2488-154-0x0000000009790000-0x0000000009791000-memory.dmp (4KB)
- memory/2488-167-0x0000000002A90000-0x0000000002A9E000-memory.dmp (56KB)
- memory/2488-149-0x0000000007B20000-0x0000000007B21000-memory.dmp (4KB)
- memory/2488-147-0x00000000007D0000-0x00000000007D1000-memory.dmp (4KB)
- memory/2488-144-0x0000000000000000-mapping.dmp