Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
30-10-2022 08:03
Behavioral task
behavioral1
Sample
InvoicePrinting-MUM02322_22-23.js
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
InvoicePrinting-MUM02322_22-23.js
Resource
win10v2004-20220812-en
General
-
Target
InvoicePrinting-MUM02322_22-23.js
-
Size
244KB
-
MD5
0afa9ad6977e7cfed21f642361e9bcef
-
SHA1
61301fd144aac65ab7fdc847e7ef3cb5c339dcd1
-
SHA256
7cdb69e4725d8cd97ba8e9b8d9e072e71cb3b796951dd6e4a0c92dea771a5686
-
SHA512
c6acddf460b3eda7aed7fed654120d94899f76e382df3a96c007029e7653cbacd6e5efecc20ff25e1b5a2099f1494936c2f704a53bf278d65cb2f680f2bce438
-
SSDEEP
6144:Gp8xbeXigeXfd1LH3dV6zMovRCBeGKWAklgF2GuuZmDuh5wTaR:42d1Lj65vfGKel029lDufwTo
Malware Config
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
172.93.220.135:6606
172.93.220.135:7707
172.93.220.135:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
shh.exe
-
install_folder
%AppData%
Signatures
-
Async RAT payload 7 IoCs
resource                                                                     yara_rule
behavioral1/files/0x000500000000b2d2-56.dat                                 asyncrat
behavioral1/files/0x000500000000b2d2-57.dat                                 asyncrat
behavioral1/memory/716-58-0x0000000000E50000-0x0000000000E62000-memory.dmp  asyncrat
behavioral1/files/0x00090000000122f5-66.dat                                 asyncrat
behavioral1/files/0x00090000000122f5-65.dat                                 asyncrat
behavioral1/files/0x00090000000122f5-68.dat                                 asyncrat
behavioral1/memory/1184-69-0x0000000001090000-0x00000000010A2000-memory.dmp asyncrat
-
Blocklisted process makes network request 20 IoCs
flow  pid   Process
4     1064  wscript.exe
6     1064  wscript.exe
7     1064  wscript.exe
9     1064  wscript.exe
12    1064  wscript.exe
14    1064  wscript.exe
17    1064  wscript.exe
20    1064  wscript.exe
22    1064  wscript.exe
24    1064  wscript.exe
27    1064  wscript.exe
29    1064  wscript.exe
31    1064  wscript.exe
34    1064  wscript.exe
35    1064  wscript.exe
38    1064  wscript.exe
41    1064  wscript.exe
43    1064  wscript.exe
45    1064  wscript.exe
48    1064  wscript.exe
-
Executes dropped EXE 2 IoCs
pid   Process
716   err.exe
1184  shh.exe
-
Loads dropped DLL 1 IoCs
pid   Process
1100  cmd.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                                                                                           Process
Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run                                                                                      wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\InvoicePrinting-MUM02322_22-23 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\InvoicePrinting-MUM02322_22-23.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                               wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InvoicePrinting-MUM02322_22-23 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\InvoicePrinting-MUM02322_22-23.js\""  wscript.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1984  schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
pid   Process
2040  timeout.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
716   err.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  716   err.exe
Token: SeDebugPrivilege  1184  shh.exe
Token: SeDebugPrivilege  1184  shh.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description                       pid   Process      procid_target
PID 1064 wrote to memory of 716   1064  wscript.exe  28
PID 1064 wrote to memory of 716   1064  wscript.exe  28
PID 1064 wrote to memory of 716   1064  wscript.exe  28
PID 1064 wrote to memory of 716   1064  wscript.exe  28
PID 716 wrote to memory of 784    716   err.exe      31
PID 716 wrote to memory of 784    716   err.exe      31
PID 716 wrote to memory of 784    716   err.exe      31
PID 716 wrote to memory of 784    716   err.exe      31
PID 716 wrote to memory of 1100   716   err.exe      33
PID 716 wrote to memory of 1100   716   err.exe      33
PID 716 wrote to memory of 1100   716   err.exe      33
PID 716 wrote to memory of 1100   716   err.exe      33
PID 784 wrote to memory of 1984   784   cmd.exe      35
PID 784 wrote to memory of 1984   784   cmd.exe      35
PID 784 wrote to memory of 1984   784   cmd.exe      35
PID 784 wrote to memory of 1984   784   cmd.exe      35
PID 1100 wrote to memory of 2040  1100  cmd.exe      36
PID 1100 wrote to memory of 2040  1100  cmd.exe      36
PID 1100 wrote to memory of 2040  1100  cmd.exe      36
PID 1100 wrote to memory of 2040  1100  cmd.exe      36
PID 1100 wrote to memory of 1184  1100  cmd.exe      37
PID 1100 wrote to memory of 1184  1100  cmd.exe      37
PID 1100 wrote to memory of 1184  1100  cmd.exe      37
PID 1100 wrote to memory of 1184  1100  cmd.exe      37
Processes (process tree; indentation shows parent/child depth)
-
C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\InvoicePrinting-MUM02322_22-23.js
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1064
    C:\Users\Admin\AppData\Local\Temp\err.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\err.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 716
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "shh" /tr '"C:\Users\Admin\AppData\Roaming\shh.exe"' & exit
          - Suspicious use of WriteProcessMemory
          PID: 784
            C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /create /f /sc onlogon /rl highest /tn "shh" /tr '"C:\Users\Admin\AppData\Roaming\shh.exe"'
              - Creates scheduled task(s)
              PID: 1984
        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp235A.tmp.bat""
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 1100
            C:\Windows\SysWOW64\timeout.exe
              command line: timeout 3
              - Delays execution with timeout.exe
              PID: 2040
            C:\Users\Admin\AppData\Roaming\shh.exe
              command line: "C:\Users\Admin\AppData\Roaming\shh.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID: 1184
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
45KB
MD5
a1e6c547b3d494b82c0aec8e08cb444e
SHA1
7b851492a93cd9ebb9ceb88a77ee48634c0e82e7
SHA256
a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51
SHA512
e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27
-
Filesize
45KB
MD5
a1e6c547b3d494b82c0aec8e08cb444e
SHA1
7b851492a93cd9ebb9ceb88a77ee48634c0e82e7
SHA256
a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51
SHA512
e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27
-
Filesize
147B
MD5
9fb9f70497a02f248f013ac78b5c1144
SHA1
4d6360a627d12ca9ff588437a48d9d2f6ba93679
SHA256
93c86b02e823cca2e0a6cf07f98418551072dc67c4eaef7dc1e34e8a3c03a506
SHA512
b1f5823543e8a36f9db3eedf5d86f5fe4c43cb040c1103e89bd34212d85f466a4968fe0e4df4f66452d2319bfa3dc647c9b7f6a4b162584b926af78efd27c1a2
-
Filesize
45KB
MD5
a1e6c547b3d494b82c0aec8e08cb444e
SHA1
7b851492a93cd9ebb9ceb88a77ee48634c0e82e7
SHA256
a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51
SHA512
e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27
-
Filesize
45KB
MD5
a1e6c547b3d494b82c0aec8e08cb444e
SHA1
7b851492a93cd9ebb9ceb88a77ee48634c0e82e7
SHA256
a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51
SHA512
e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27
-
Filesize
45KB
MD5
a1e6c547b3d494b82c0aec8e08cb444e
SHA1
7b851492a93cd9ebb9ceb88a77ee48634c0e82e7
SHA256
a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51
SHA512
e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27