f2e2d8ca503155683d3b33a134b9f243b05ec74bffc1abbec4b9435d1ae0370b

General

Target

Lethility Spoofer.exe
Size

540KB
MD5

067bf653c546b1fdfbf1bff16ecc7e5e
SHA1

5d2f058754a942e5f84ed6d926eb415a8a8731f1
SHA256

f2e2d8ca503155683d3b33a134b9f243b05ec74bffc1abbec4b9435d1ae0370b
SHA512

f964b5ffe063150e88bad31905569bb8ea92061c8082e64ee3c9ae5e1add1c255b9359770f2dc882bfbb0bf368954fb54f2d02bc3f9588c9dfb2334e1dc7cdf5
SSDEEP

12288:4uGj5je69oqAmj5oMqKyKAuqOAP0wu7eMb01JQntLOCHao0H0:4Xhe29AmjkKuu7emHaxU

Score

1^/10

Malware Config

Signatures

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "92657K47YO36D1LM7X5XTTKZ"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "RGG6YKQ07JLTZ5QV6KWJQLE5"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "ONATC498AO07LN6C34ML3TM6"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	dfsvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1364	1912	Lethility Spoofer.exe	28
PID 1912 wrote to memory of 1364	1912	Lethility Spoofer.exe	28
PID 1912 wrote to memory of 1364	1912	Lethility Spoofer.exe	28
PID 1912 wrote to memory of 1364	1912	Lethility Spoofer.exe	28

C:\Users\Admin\AppData\Local\Temp\Lethility Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Lethility Spoofer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-56-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/1364-57-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1364-58-0x000000001B137000-0x000000001B156000-memory.dmp

Filesize
124KB

Download
memory/1364-59-0x000000001B137000-0x000000001B156000-memory.dmp

Filesize
124KB

Download
memory/1912-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads