Analysis
-
max time kernel
1053s -
max time network
1050s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system -
submitted
23-11-2024 23:12
Static task
static1
General
-
Target
ElitecutSetup.exe
-
Size
700.0MB
-
MD5
684d827e57153c735d7d6ec157dd54a7
-
SHA1
55ebf7510b8030e6478be2898a5994f4278db971
-
SHA256
1b51ab9e393420ec75ad75433d8cefa00d0a3768d97054b78028a5b6e185388d
-
SHA512
90725dd61d8926afbe0a00a7a3046a889162c8b41ca036c139dc2f25798229fb5ed5c8274954d541495ebdd6fc2437abea4e9153ccadeb0893a1dd2e703b1ab6
-
SSDEEP
196608:XT9a8z0a7oXwmIaKF39LQzl99MatTxRStt5dr/:J1zHvaKFNL2l9WaInr/
Malware Config
Extracted
asyncrat
Furry
193.161.193.99:36700
-
delay
1
-
install
true
-
install_file
syskprvalor.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation  ElitecutSetup.exe
-
Executes dropped EXE 2 IoCs
pid   Process
2596  syskprvalor.exe
1720  syskprvalor.exe
-
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process            procid_target
PID 4584 set thread context of 3172  4584  ElitecutSetup.exe  94
PID 2596 set thread context of 1720  2596  syskprvalor.exe    103
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ElitecutSetup.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ElitecutSetup.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  syskprvalor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  syskprvalor.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                    Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                       taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                          taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                       taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                          taskmgr.exe
-
Delays execution with timeout.exe 1 IoCs
pid   Process
5020  timeout.exe
-
Modifies registry class 1 IoCs
description  ioc                                                                               Process
Key created  \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings  taskmgr.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1648  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description                      pid   Process
Token: SeDebugPrivilege          3920  taskmgr.exe
Token: SeSystemProfilePrivilege  3920  taskmgr.exe
Token: SeCreateGlobalPrivilege   3920  taskmgr.exe
Token: SeDebugPrivilege          4584  ElitecutSetup.exe
Token: SeDebugPrivilege          3172  ElitecutSetup.exe
Token: SeDebugPrivilege          1340  taskmgr.exe
Token: SeSystemProfilePrivilege  1340  taskmgr.exe
Token: SeCreateGlobalPrivilege   1340  taskmgr.exe
Token: SeDebugPrivilege          1720  syskprvalor.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
description                      pid   Process            procid_target
PID 4584 wrote to memory of 3168  4584  ElitecutSetup.exe  93
PID 4584 wrote to memory of 3168  4584  ElitecutSetup.exe  93
PID 4584 wrote to memory of 3168  4584  ElitecutSetup.exe  93
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 4584 wrote to memory of 3172  4584  ElitecutSetup.exe  94
PID 3172 wrote to memory of 4572  3172  ElitecutSetup.exe  95
PID 3172 wrote to memory of 4572  3172  ElitecutSetup.exe  95
PID 3172 wrote to memory of 4572  3172  ElitecutSetup.exe  95
PID 4572 wrote to memory of 1648  4572  cmd.exe            97
PID 4572 wrote to memory of 1648  4572  cmd.exe            97
PID 4572 wrote to memory of 1648  4572  cmd.exe            97
PID 3172 wrote to memory of 4492  3172  ElitecutSetup.exe  98
PID 3172 wrote to memory of 4492  3172  ElitecutSetup.exe  98
PID 3172 wrote to memory of 4492  3172  ElitecutSetup.exe  98
PID 4492 wrote to memory of 5020  4492  cmd.exe            100
PID 4492 wrote to memory of 5020  4492  cmd.exe            100
PID 4492 wrote to memory of 5020  4492  cmd.exe            100
PID 4492 wrote to memory of 2596  4492  cmd.exe            101
PID 4492 wrote to memory of 2596  4492  cmd.exe            101
PID 4492 wrote to memory of 2596  4492  cmd.exe            101
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
PID 2596 wrote to memory of 1720  2596  syskprvalor.exe    103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584
    C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"
      PID:3168
    C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\ElitecutSetup.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3172
        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syskprvalor" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"' & exit
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:4572
            C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "syskprvalor" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalor.exe"'
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
              PID:1648
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF647.tmp.bat""
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:4492
            C:\Windows\SysWOW64\timeout.exe
              timeout 3
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
              PID:5020
            C:\Users\Admin\AppData\Roaming\syskprvalor.exe
              "C:\Users\Admin\AppData\Roaming\syskprvalor.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID:2596
                C:\Users\Admin\AppData\Roaming\syskprvalor.exe
                  "C:\Users\Admin\AppData\Roaming\syskprvalor.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  PID:1720
-
C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3920
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:232
-
C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1340
Network
MITRE ATT&CK Enterprise v15
Downloads