Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
31/10/2024, 05:16
General
-
Target
plz work.exe
-
Size
45KB
-
MD5
8fd40d41785e503bd2c08e63eebf815f
-
SHA1
01f3b167cf9157d6457c7351ab603eb818909682
-
SHA256
facf720b58ff6b58dd854830b56fbe31cadd8e201d8c7794135ad79a49bbab13
-
SHA512
7cb1f77d0d0c6f522a11b39d9cbd3127dbdac31169d6f7ea3cd337379928ced7ca310b32ebd40ee817cd86c1d21038c226b3618703645a54442cd38887d898e3
-
SSDEEP
768:au/dRTUo0HQbWUnmjSmo2qMJxJaxrPHuPIHzjbJgm3iQk0SXVk/rLRBDZux:au/dRTUPE2VeR3H3bGmSQk0rPvdux
Malware Config
Extracted
Family
asyncrat
Version
0.5.8
Botnet
Default
C2
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
Mutex
mVH59AzvxdrQ
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
Asyncrat family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plz work.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2752 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2752 taskmgr.exe Token: SeSystemProfilePrivilege 2752 taskmgr.exe Token: SeCreateGlobalPrivilege 2752 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\plz work.exe"C:\Users\Admin\AppData\Local\Temp\plz work.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4376
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752