Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 03/11/2024, 06:50
Behavioral task
- behavioral1
- Sample: sisis.exe
- Resource: win7-20240903-en
- 8 signatures
- 150 seconds
General
- Target: sisis.exe
- Size: 47KB
- MD5: 6e8119a20c8195715a468daf068e84e2
- SHA1: a066f876a57c9aa2a4c5428fa185495adc968ed0
- SHA256: 1647c7b25a2d5682c054558b1750de3f586d105e0ae5fa240b711c1958fa339e
- SHA512: 270d27d46f8ea579922a889763b73e3eabb83c6f003f0885d5f9faa1b704ef31a9dc3e68d031e3055f5805990457954d27d842e1b52faf333f079abd2a35b991
- SSDEEP: 768:8u/dRTUo0HQbWUnmjSmo2qMqUnPMqXfqlPIe+ajU0bgZMQHuDe3/BYDUsqE+TTI6:8u/dRTUPE2uUPRXCie+azbgZVuCa5iCg
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
- Mutex: 8Lyp08vgvo79
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
- aes.plain
Signatures
- Asyncrat family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sisis.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid: 2752, Process: taskmgr.exe (16 identical IoC rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 2752, Process: taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege, pid: 2540, Process: sisis.exe
  description: Token: SeDebugPrivilege, pid: 2540, Process: sisis.exe
  description: Token: SeDebugPrivilege, pid: 2752, Process: taskmgr.exe
- Suspicious use of FindShellTrayWindow (42 IoCs)
  pid: 2752, Process: taskmgr.exe (42 identical IoC rows)
- Suspicious use of SendNotifyMessage (42 IoCs)
  pid: 2752, Process: taskmgr.exe (42 identical IoC rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\sisis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sisis.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2540
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2752