Analysis
Max time kernel: 104s
Max time network: 150s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 12-05-2021 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: Letter of Demand.doc
  Resource: win7v20210408
General
Target: Letter of Demand.doc
Size: 36KB
MD5: 55fc048da179b62b3bb1ba86120ed35d
SHA1: 55b2f166b64ff820287bf7dd27ee6249df73cbc2
SHA256: fc15f958384227e0df809fe1f0e043c2c596d88d0de5b6c799799529626a414c
SHA512: 101d32109ddcbdfcbd5955281809cf078a95cac2be962585bb2f85590dbab475210439a9fcad605ab4950bfbee526b6c40e046a904c46759a04eca9df7f8ac95
Malware Config
Extracted: asyncrat
Version: 0.5.7B
C2: 185.136.169.24:6606, 185.136.169.24:7707, 185.136.169.24:8808
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  aes_key: LGDVTniOeH5YeueYvvfJNtR2bIW9Ox7U
  anti_detection: false
  autorun: false
  bdos: false
  delay: Em-Gee
  host: 185.136.169.24
  hwid: 3
  install_file:
  install_folder: %AppData%
  mutex: AsyncMutex_6SI8OkPnk
  pastebin_config: null
  port: 6606,7707,8808
  version: 0.5.7B
Signatures
Async RAT payload (3 IoCs)
  Resource                                                                      YARA rule
  behavioral1/memory/2036-78-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
  behavioral1/memory/2036-79-0x000000000040C71E-mapping.dmp                     asyncrat
  behavioral1/memory/2036-81-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  PID   Process
  1012  qQFHf.exe
  2036  qQFHf.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  1632  WINWORD.EXE
  1012  qQFHf.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process    Target process
  PID 1012 set thread context of 2036  1012  qQFHf.exe  qQFHf.exe
Drops file in Windows directory (1 IoC)
  Description                   IoC                                Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies Internet Explorer settings
  Description      IoC  Process
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  1632  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  1012  qQFHf.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1012  qQFHf.exe
  Token: SeDebugPrivilege  2036  qQFHf.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  1632  WINWORD.EXE
  1632  WINWORD.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
  Description                       PID   Process      Target process  Count
  PID 1632 wrote to memory of 1216  1632  WINWORD.EXE  splwow64.exe    4
  PID 1632 wrote to memory of 1012  1632  WINWORD.EXE  qQFHf.exe       4
  PID 1012 wrote to memory of 564   1012  qQFHf.exe    schtasks.exe    4
  PID 1012 wrote to memory of 2036  1012  qQFHf.exe    qQFHf.exe       9
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1632)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Letter of Demand.doc"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 1216)
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Users\Admin\AppData\Local\Temp\qQFHf.exe (PID 1012)
    Command line: C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 564)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\azzBJWZB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\qQFHf.exe (PID 2036)
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
  MD5: d2090d6b03c4c37de4e1e8e615d578b2
  SHA1: b18d58d947d4f0ea9a215bed4b279b555c299270
  SHA256: cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d
  SHA512: a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a
C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp
  MD5: 5eb656fbce8cfac0fe07ea3a131f3182
  SHA1: 976d1a73078365fc25d17e2398444123ce6c4b17
  SHA256: ec45a74791ecda33d31df88cd5fa1fafac3d2f2f2183c3e96832ac8a617f5e89
  SHA512: 6b048a2d16f260c47d281f60ec70e07b84f1197375247989f388b2d1a894a4cf2f9d1bd648039e8d56b695b88800e359086a2cf6c093f13a4adcd717d70599b1
\Users\Admin\AppData\Local\Temp\qQFHf.exe
  MD5: d2090d6b03c4c37de4e1e8e615d578b2
  SHA1: b18d58d947d4f0ea9a215bed4b279b555c299270
  SHA256: cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d
  SHA512: a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a
Memory dumps:
  memory/564-75-0x0000000000000000-mapping.dmp
  memory/1012-69-0x0000000000350000-0x0000000000351000-memory.dmp  Filesize: 4KB
  memory/1012-71-0x0000000004950000-0x0000000004951000-memory.dmp  Filesize: 4KB
  memory/1012-72-0x0000000000310000-0x000000000031E000-memory.dmp  Filesize: 56KB
  memory/1012-73-0x00000000057A0000-0x0000000005819000-memory.dmp  Filesize: 484KB
  memory/1012-74-0x0000000000780000-0x00000000007A9000-memory.dmp  Filesize: 164KB
  memory/1012-66-0x0000000000000000-mapping.dmp
  memory/1216-64-0x000007FEFC031000-0x000007FEFC033000-memory.dmp  Filesize: 8KB
  memory/1216-63-0x0000000000000000-mapping.dmp
  memory/1632-61-0x00000000705B1000-0x00000000705B3000-memory.dmp  Filesize: 8KB
  memory/1632-60-0x0000000072B31000-0x0000000072B34000-memory.dmp  Filesize: 12KB
  memory/1632-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
  memory/1632-89-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
  memory/2036-78-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
  memory/2036-81-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
  memory/2036-83-0x0000000075551000-0x0000000075553000-memory.dmp  Filesize: 8KB
  memory/2036-84-0x0000000004C40000-0x0000000004C41000-memory.dmp  Filesize: 4KB
  memory/2036-85-0x00000000056A0000-0x0000000005719000-memory.dmp  Filesize: 484KB
  memory/2036-86-0x00000000005E0000-0x00000000005E4000-memory.dmp  Filesize: 16KB
  memory/2036-87-0x0000000006310000-0x000000000639D000-memory.dmp  Filesize: 564KB
  memory/2036-88-0x0000000005A90000-0x0000000005AE9000-memory.dmp  Filesize: 356KB
  memory/2036-79-0x000000000040C71E-mapping.dmp