0382b5119ec9a6eea3dfd171bbd459c1c3a6588b1af3ad628239ca21f22a818c

General

Target

Payment_Invoice.xls
Size

473KB
MD5

bb2e7e44ba95cb90cbb138fcbadaac3d
SHA1

450f9c1101e66affdd6f28e0f8a369f1b6d86f9b
SHA256

5e7ddcc8aa2977cceac204ed424e05270874e2b0da94eb5b056e968126fc9902
SHA512

b087b074198e50f87d570ad8f8a45fbe2237a7088e8f96e8dad02db4a9f1e9a5997ace053b1777a529dcde6e28de2868af83ac11cbfd866fb4d7d6ce28ea8b25

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AsyncClient.exe

pid process

752 AsyncClient.exe

pid	process
752	AsyncClient.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4124 timeout.exe

pid	process
4124	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{F79233CC-AAE7-4486-937F-2D877C4D24D0}\AsyncClient.exe:Zone.Identifier	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

460 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AsyncClient.exe

description pid process

Token: SeDebugPrivilege 752 AsyncClient.exe

description	pid	process
Token: SeDebugPrivilege	752	AsyncClient.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE
460	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEAsyncClient.exe

description	pid	process	target process
PID 460 wrote to memory of 752	460	EXCEL.EXE	AsyncClient.exe
PID 460 wrote to memory of 752	460	EXCEL.EXE	AsyncClient.exe
PID 460 wrote to memory of 752	460	EXCEL.EXE	AsyncClient.exe
PID 752 wrote to memory of 4124	752	AsyncClient.exe	timeout.exe
PID 752 wrote to memory of 4124	752	AsyncClient.exe	timeout.exe
PID 752 wrote to memory of 4124	752	AsyncClient.exe	timeout.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment_Invoice.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\AsyncClient.exe
"C:\Users\Admin\AppData\Local\AsyncClient.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\timeout.exe
timeout
3⤵
- Delays execution with timeout.exe
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AsyncClient.exe
Filesize
382KB

MD5
120e11300c537b3f627f58294e9dec48

SHA1
b51e6df331358cb1ea81833049e3b736763760b4

SHA256
c8337902f1e43092f1abeff4e20d1543cb581566c70f31165b88974b90cda8f6

SHA512
143d034d79d348a9099a0504c3c92c18a4fd7ce1622de51ee55e28bc51ab1785a69450cce7defc90acc620125d07ed85a4372edc09ae7dc41ad940900e74fc88

Download Submit
C:\Users\Admin\AppData\Local\AsyncClient.exe
Filesize
382KB

MD5
120e11300c537b3f627f58294e9dec48

SHA1
b51e6df331358cb1ea81833049e3b736763760b4

SHA256
c8337902f1e43092f1abeff4e20d1543cb581566c70f31165b88974b90cda8f6

SHA512
143d034d79d348a9099a0504c3c92c18a4fd7ce1622de51ee55e28bc51ab1785a69450cce7defc90acc620125d07ed85a4372edc09ae7dc41ad940900e74fc88

Download Submit
memory/460-133-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

Filesize
64KB

Download
memory/460-130-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

Filesize
64KB

Download
memory/460-134-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

Filesize
64KB

Download
memory/460-135-0x00007FFB31F80000-0x00007FFB31F90000-memory.dmp

Filesize
64KB

Download
memory/460-136-0x00007FFB31F80000-0x00007FFB31F90000-memory.dmp

Filesize
64KB

Download
memory/460-132-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

Filesize
64KB

Download
memory/460-131-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

Filesize
64KB

Download
memory/752-137-0x0000000000000000-mapping.dmp

Download
memory/752-140-0x0000000000460000-0x00000000004C6000-memory.dmp

Filesize
408KB

Download
memory/752-141-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/752-142-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4124-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads