Analysis

Max time kernel: 66s
Max time network: 74s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/07/2023, 04:22
Static task: static1
Behavioral task: behavioral1
Sample: CheatoSpoofer (1).exe
Resource: win10v2004-20230703-en
General

Target: CheatoSpoofer (1).exe
Size: 32.3MB
MD5: 7a8f3ff6b456e153499088a103d51145
SHA1: 30f1fc37c25cd368594c0b8c9e416b3c5ed31d6f
SHA256: 93d8134fa11201cecedac89d6c6af96afa83783aebf347ea3f6aefc925df8ceb
SHA512: e295568d314d88355ca1d681602ea00ac3419d3f583e6773eae74d6fd1eaa16789b01af8e35d4af9941ff57055d688d153bf9b2c14ffb8961c5359f2a11e31f0
SSDEEP: 786432:BYMfV94+jxjRtMCKIvIGviTq1LZw2OhEyKYEVwSppnu:BYAVRxNWuQGviU1JzyKFV/
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  PID   Process
  2688  CheatoSpoofer (1).exe

Obfuscated with Agile.Net obfuscator (11 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID   Process
  2688  CheatoSpoofer (1).exe
  2688  CheatoSpoofer (1).exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  2688  CheatoSpoofer (1).exe (the same PID/process pair is listed for all 64 IoCs)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Description                          PID   Process
  Token: SeDebugPrivilege              2688  CheatoSpoofer (1).exe
  Token: SeSystemEnvironmentPrivilege  2688  CheatoSpoofer (1).exe
  Token: SeSecurityPrivilege           2688  CheatoSpoofer (1).exe
  Token: SeTakeOwnershipPrivilege      2688  CheatoSpoofer (1).exe
  Token: SeBackupPrivilege             2688  CheatoSpoofer (1).exe
  Token: SeRestorePrivilege            2688  CheatoSpoofer (1).exe
  Token: SeShutdownPrivilege           2688  CheatoSpoofer (1).exe
  Token: SeDebugPrivilege              2688  CheatoSpoofer (1).exe
  Token: SeAuditPrivilege              2688  CheatoSpoofer (1).exe
  Token: SeSystemEnvironmentPrivilege  2688  CheatoSpoofer (1).exe
  Token: SeManageVolumePrivilege       2688  CheatoSpoofer (1).exe
  Token: SeImpersonatePrivilege        2688  CheatoSpoofer (1).exe
Processes

C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer (1).exe"
  PID: 2688
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2036
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 285KB
MD5: c204468635ab30602dea443c445e1821
SHA1: c1fa917a4604f956ef15bb53655d368c6b19d042
SHA256: 7bdc755921404ec6bca532790460523873c3169091020f117ad3ee79d395b6f7
SHA512: d1558e916f31f19ab5a86f3b07aab951cb0fa2df14d5ec4f8f704b146a6e2b117c108bc68afce17859a2c81048cabb1b0510b0c43b45839dc4d82d3aea61dc5b

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82