Analysis

  • max time kernel
    678s
  • max time network
    423s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    21-11-2024 23:44

General

  • Target

    ElitecutSetup.exe

  • Size

    7.2MB

  • MD5

    9b7d706bac6f21d08f43b62f993933a5

  • SHA1

    b6794baa320f187d239d40e949f5aaf8aeff6c62

  • SHA256

    38ed1513b169db909595c0f37d660ebbeeb87946ad9ada15d1ebb45f7ed4ee06

  • SHA512

    f61ce99033e2e5af55d1aa425fcf69a4a4009220411d2320733430b717d2a60fd59f4df1205d4ff0b15e3f65302835a592559789bcdbbb6aaf933f28f8920bf8

  • SSDEEP

    196608:XT9a8z0a7oXwmIaKF39LQzl99MatTxRStt5dr/:J1zHvaKFNL2l9WaInr/

Malware Config

Extracted

Family

asyncrat

Botnet

Furry

C2

193.161.193.99:36700

Attributes
  • delay

    1

  • install

    true

  • install_file

    syskprvalor.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Stealerium family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials, cookies and history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature fires on netsh.exe execution; in this trace netsh is invoked as `netsh wlan show profile` and `netsh wlan show networks mode=bssid` to enumerate saved Wi-Fi profiles and nearby networks, which is discovery (see the Wi-Fi Discovery signature) rather than helper-DLL persistence.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here an onlogon task named "syskprvalor" with highest run level launches the copy in %AppData%\Roaming, which has the same hashes as the submitted sample.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"
      2⤵
        PID:1780
      • C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syskprvalor" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"' & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "syskprvalor" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"'
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp179A.tmp.bat""
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:232
          • C:\Users\Admin\AppData\Roaming\syskprvalor.exe
            "C:\Users\Admin\AppData\Roaming\syskprvalor.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1132
            • C:\Users\Admin\AppData\Roaming\syskprvalor.exe
              "C:\Users\Admin\AppData\Roaming\syskprvalor.exe"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook profiles
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • outlook_office_path
              • outlook_win_path
              PID:3844
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Wi-Fi Discovery
                • Suspicious use of WriteProcessMemory
                PID:2648
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:5160
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show profile
                  7⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  PID:5184
                • C:\Windows\SysWOW64\findstr.exe
                  findstr All
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:5200
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5268
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:5356
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show networks mode=bssid
                  7⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:5376
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 30768
                6⤵
                • Program crash
                PID:6096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3844 -ip 3844
      1⤵
        PID:6068
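The process tree above shows three chains worth alerting on: the schtasks persistence into %AppData%, the temp .bat that waits with timeout.exe and then starts the installed copy, and the `chcp 65001 && netsh wlan show ...` Wi-Fi harvesting. As an added example (not part of the sandbox report and not any vendor's detection content), the following Python runs simple process-creation rules over events constructed from that tree. PIDs, images and command lines are copied from the report; the event schema, rule names, the parent/child correlation and the benign interactive netsh control event are my own assumptions.

```python
"""Process-creation rules for the AsyncRAT/StormKitty behaviours in the report.

Added example: the events below are constructed from the report's process tree;
the schema (pid, ppid, image, cmdline) and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed from the report's process tree (PIDs and command lines as shown there).
EVENTS = [
    ProcEvent(1556, 916, r"C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"'),
    ProcEvent(3496, 1556, r"C:\Windows\SysWOW64\cmd.exe",
              r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syskprvalor" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"' & exit"""),
    ProcEvent(380, 3496, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "syskprvalor" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"'"""),
    ProcEvent(752, 1556, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp179A.tmp.bat""'),
    ProcEvent(232, 752, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(1132, 752, r"C:\Users\Admin\AppData\Roaming\syskprvalor.exe",
              r'"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"'),
    ProcEvent(2648, 3844, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(5268, 3844, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    # Constructed benign control (assumption): an admin typing netsh in an
    # interactive shell, without the cmd /C chcp 65001 wrapper, must not fire.
    ProcEvent(7000, 6999, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

# /create ... /sc onlogon ... /rl highest ... /tr <target>, tolerating the '"..."' quoting seen above.
SCHTASKS_RE = re.compile(
    r"/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b.*?/tr\s+'?\"?(?P<target>[^'\"]+)", re.I)
# StormKitty-style Wi-Fi harvesting: code page switch chained into netsh wlan show.
WIFI_RE = re.compile(r"chcp\s+65001\s*&&\s*netsh\s+wlan\s+show\s+(profile|networks)\b", re.I)
# cmd /c running a batch file from the user's Temp directory.
TEMP_BAT_RE = re.compile(r"/c\s+\"*(?P<bat>[^\"]*\\Temp\\[^\"]+\.bat)", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)


def detect(events):
    """Return findings for persistence, Wi-Fi discovery and the bat/timeout launch chain."""
    by_ppid = {}
    for ev in events:
        by_ppid.setdefault(ev.ppid, []).append(ev)

    findings = []
    task_targets = {}  # lower-cased /tr path -> schtasks pid

    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if name == "schtasks.exe":
            m = SCHTASKS_RE.search(ev.cmdline)
            if m and ROAMING_RE.search(m["target"]):
                task_targets[m["target"].lower()] = ev.pid
                findings.append(Finding("schtasks_onlogon_highest_appdata", ev.pid, m["target"]))
        elif name == "cmd.exe":
            if WIFI_RE.search(ev.cmdline):
                findings.append(Finding("netsh_wlan_via_chcp65001", ev.pid, ev.cmdline))
            m = TEMP_BAT_RE.search(ev.cmdline)
            if m:
                kids = by_ppid.get(ev.pid, [])
                waited = any(k.image.lower().endswith("\\timeout.exe") for k in kids)
                launched = [k for k in kids
                            if ROAMING_RE.search(k.image) and k.image.lower().endswith(".exe")]
                if waited and launched:
                    findings.append(Finding("temp_bat_timeout_then_appdata_exe",
                                            ev.pid, launched[0].image))

    # Correlate: the exe the batch file launched is the one the scheduled task will re-run.
    for f in list(findings):
        if f.rule == "temp_bat_timeout_then_appdata_exe" and f.detail.lower() in task_targets:
            findings.append(Finding("installed_copy_matches_scheduled_task", f.pid, f.detail))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
```

Run stand-alone it prints one finding per rule hit; the correlation rule is the one that ties the AsyncRAT install routine together (batch file, 3-second wait, launch of the %AppData% copy, and a logon task pointing at the same path), which is a much stronger signal than any of the three command lines alone.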

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\3072856a832695e8e81b8e0465c8f07e\Admin@CCSIZKYM_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

        Filesize

        105B

        MD5

        2e9d094dda5cdc3ce6519f75943a4ff4

        SHA1

        5d989b4ac8b699781681fe75ed9ef98191a5096c

        SHA256

        c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

        SHA512

        d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

      • C:\Users\Admin\AppData\Local\3072856a832695e8e81b8e0465c8f07e\Admin@CCSIZKYM_en-US\System\Process.txt

        Filesize

        2KB

        MD5

        e28f34dc5011bbdc569cd1452fa10027

        SHA1

        a394042c5adde259248f57b6b7edc1429b2bfdd8

        SHA256

        5893d5031fbeb19fb9fe8745bb1a08c359226740af74d2325d5cb28932cbaa8a

        SHA512

        1d19cb5d9049446330c8732c3b475c45209c8a680d868713f12c959498c6cfcae4b11756f6ac4046852768d7290d0750bde1b79ccd251abdce8fe6c7ae2f4301

      • C:\Users\Admin\AppData\Local\3072856a832695e8e81b8e0465c8f07e\Admin@CCSIZKYM_en-US\System\Process.txt

        Filesize

        2KB

        MD5

        c8e4daa5c43ff2d61232acde49cac3de

        SHA1

        c3d6a29b3fdea242360c0adb2f70cf0bb0de0d03

        SHA256

        f6e827e0189dd718f3c5c1693bf760cb88e861da08782bb59faf8a119a44d7f3

        SHA512

        c17ead7474dd9b4504b05a5ecd08b352a4755fed334ca1dd54ecfafaa3f8f10015ca1588bba1c7f9bb528f524b155ad5eb29ae08aa0f6a245fe2a81f9c43852c

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ElitecutSetup.exe.log

        Filesize

        1KB

        MD5

        bd76295661516015cc654d284dc2c276

        SHA1

        66f835bf0b154292d8ad17212a0feabc5f4f1a18

        SHA256

        aeef561f6ece2de3d114091d2304534b65152dfee9e195c80876477344422f12

        SHA512

        0aa544e8684fe8b668623d5668a82abc590938c60fbbfd4959a8e8b1cb16d96858824d170a174b2084569b2756a97ce1b825d588a8a5b3cd4ed040182bcad5fc

      • C:\Users\Admin\AppData\Local\Temp\tmp179A.tmp.bat

        Filesize

        155B

        MD5

        c46823f7f059bb7df3903ffc8080169e

        SHA1

        230a0767f0ffffc436f6641f4e7a05bba264f240

        SHA256

        d5b5a72d6f1274c2e1b0a7dda75ca3ca8976ec2c12ef65e04bf242d5aad085bc

        SHA512

        cc1f6356f1cff9380a912a19a51b267a52318c790c40f98ea2786130d08f89b420dea6709ff8a49e2c4307bd7fd8bdbea0fbc43d7729bbac3eb3f5cd9463ef2e

      • C:\Users\Admin\AppData\Roaming\syskprvalor.exe

        Filesize

        7.2MB

        MD5

        9b7d706bac6f21d08f43b62f993933a5

        SHA1

        b6794baa320f187d239d40e949f5aaf8aeff6c62

        SHA256

        38ed1513b169db909595c0f37d660ebbeeb87946ad9ada15d1ebb45f7ed4ee06

        SHA512

        f61ce99033e2e5af55d1aa425fcf69a4a4009220411d2320733430b717d2a60fd59f4df1205d4ff0b15e3f65302835a592559789bcdbbb6aaf933f28f8920bf8

      • memory/916-4-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

        Filesize

        40KB

      • memory/916-7-0x000000007519E000-0x000000007519F000-memory.dmp

        Filesize

        4KB

      • memory/916-8-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/916-9-0x0000000008170000-0x0000000008878000-memory.dmp

        Filesize

        7.0MB

      • memory/916-10-0x0000000005E40000-0x0000000005E5E000-memory.dmp

        Filesize

        120KB

      • memory/916-6-0x0000000005D10000-0x0000000005D86000-memory.dmp

        Filesize

        472KB

      • memory/916-5-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/916-15-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/916-3-0x0000000005BF0000-0x0000000005C82000-memory.dmp

        Filesize

        584KB

      • memory/916-2-0x00000000060C0000-0x0000000006666000-memory.dmp

        Filesize

        5.6MB

      • memory/916-0-0x000000007519E000-0x000000007519F000-memory.dmp

        Filesize

        4KB

      • memory/916-1-0x0000000000A90000-0x00000000011CC000-memory.dmp

        Filesize

        7.2MB

      • memory/1556-17-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/1556-11-0x0000000000400000-0x0000000000448000-memory.dmp

        Filesize

        288KB

      • memory/1556-21-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/1556-14-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/1556-16-0x0000000075190000-0x0000000075941000-memory.dmp

        Filesize

        7.7MB

      • memory/3844-33-0x0000000000010000-0x0000000000198000-memory.dmp

        Filesize

        1.5MB

      • memory/3844-38-0x0000000000220000-0x000000000022A000-memory.dmp

        Filesize

        40KB

      • memory/3844-32-0x0000000006D20000-0x0000000006D54000-memory.dmp

        Filesize

        208KB

      • memory/3844-31-0x0000000005E70000-0x0000000005ED6000-memory.dmp

        Filesize

        408KB

      • memory/3844-157-0x0000000000310000-0x000000000038A000-memory.dmp

        Filesize

        488KB

      • memory/3844-30-0x0000000005D60000-0x0000000005DFC000-memory.dmp

        Filesize

        624KB

      • memory/3844-192-0x0000000006980000-0x00000000069A4000-memory.dmp

        Filesize

        144KB

      • memory/3844-193-0x00000000060A0000-0x00000000061C2000-memory.dmp

        Filesize

        1.1MB

      • memory/3844-194-0x00000000069A0000-0x00000000069C2000-memory.dmp

        Filesize

        136KB

      • memory/3844-195-0x00000000081F0000-0x0000000008547000-memory.dmp

        Filesize

        3.3MB

      • memory/3844-196-0x0000000006B70000-0x0000000006BBC000-memory.dmp

        Filesize

        304KB