Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 08:03
Behavioral task behavioral1
Sample: InvoicePrinting-MUM02322_22-23.js
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: InvoicePrinting-MUM02322_22-23.js
Resource: win10v2004-20220812-en
General
Target: InvoicePrinting-MUM02322_22-23.js
Size: 244KB
MD5: 0afa9ad6977e7cfed21f642361e9bcef
SHA1: 61301fd144aac65ab7fdc847e7ef3cb5c339dcd1
SHA256: 7cdb69e4725d8cd97ba8e9b8d9e072e71cb3b796951dd6e4a0c92dea771a5686
SHA512: c6acddf460b3eda7aed7fed654120d94899f76e382df3a96c007029e7653cbacd6e5efecc20ff25e1b5a2099f1494936c2f704a53bf278d65cb2f680f2bce438
SSDEEP: 6144:Gp8xbeXigeXfd1LH3dV6zMovRCBeGKWAklgF2GuuZmDuh5wTaR:42d1Lj65vfGKel029lDufwTo
Malware Config
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
172.93.220.135:6606
172.93.220.135:7707
172.93.220.135:8808
AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: shh.exe
install_folder: %AppData%
Signatures
Async RAT payload (5 IoCs)
resource                                                                        yara_rule
behavioral2/files/0x0006000000022637-133.dat                                    asyncrat
behavioral2/files/0x0006000000022637-134.dat                                    asyncrat
behavioral2/memory/4544-135-0x0000000000940000-0x0000000000952000-memory.dmp    asyncrat
behavioral2/files/0x0006000000022e35-143.dat                                    asyncrat
behavioral2/files/0x0006000000022e35-144.dat                                    asyncrat
Blocklisted process makes network request (13 IoCs)
flow  pid   Process
flows 6, 8, 14, 17, 23, 26, 29, 40, 41, 48, 50, 59, 63: pid 1544, wscript.exe
Executes dropped EXE (2 IoCs)
pid   Process
4544  err.exe
4896  shh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                             Process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  err.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                                      Process
Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run             wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InvoicePrinting-MUM02322_22-23 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\InvoicePrinting-MUM02322_22-23.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                         wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InvoicePrinting-MUM02322_22-23 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\InvoicePrinting-MUM02322_22-23.js\""  wscript.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2808  schtasks.exe
Delays execution with timeout.exe (1 IoCs)
pid   Process
3816  timeout.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid   Process
4544  err.exe  (23 occurrences)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4544  err.exe
Token: SeDebugPrivilege  4896  shh.exe
Token: SeDebugPrivilege  4896  shh.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process      procid_target
PID 1544 wrote to memory of 4544  1544  wscript.exe  80  (3 occurrences)
PID 4544 wrote to memory of 1352  4544  err.exe      85  (3 occurrences)
PID 4544 wrote to memory of 2484  4544  err.exe      87  (3 occurrences)
PID 1352 wrote to memory of 2808  1352  cmd.exe      89  (3 occurrences)
PID 2484 wrote to memory of 3816  2484  cmd.exe      90  (3 occurrences)
PID 2484 wrote to memory of 4896  2484  cmd.exe      92  (3 occurrences)
Processes
C:\Windows\system32\wscript.exe  (PID 1544, depth 1)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\InvoicePrinting-MUM02322_22-23.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\err.exe  (PID 4544, depth 2)
    "C:\Users\Admin\AppData\Local\Temp\err.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1352, depth 3)
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "shh" /tr '"C:\Users\Admin\AppData\Roaming\shh.exe"' & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe  (PID 2808, depth 4)
        schtasks /create /f /sc onlogon /rl highest /tn "shh" /tr '"C:\Users\Admin\AppData\Roaming\shh.exe"'
        - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  (PID 2484, depth 3)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat""
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe  (PID 3816, depth 4)
        timeout 3
        - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Roaming\shh.exe  (PID 4896, depth 4)
        "C:\Users\Admin\AppData\Roaming\shh.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Downloads
Filesize: 45KB
MD5: a1e6c547b3d494b82c0aec8e08cb444e
SHA1: 7b851492a93cd9ebb9ceb88a77ee48634c0e82e7
SHA256: a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51
SHA512: e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27
Filesize: 147B
MD5: 648c44a9e8a1dd288cf934d9f788f17a
SHA1: 88c2db5f6eafbb7d305793b4e7b7a1513f2340db
SHA256: d63e0d5e466c4391ab7cb690a775cf7df1d9da9d7603be574f83954aeb326582
SHA512: 78e1f51a6ca69cff158f7dade9e5ce920667cb1a360418c0f9116b3bea0ab7d83b7f46e8f0335ab4c742057f6cd5a82881340dfd600770f6f6fa64cacb7ac4b2