Analysis
- max time kernel: 301s
- max time network: 324s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 07/10/2023, 11:23
Static task: static1
Behavioral task: behavioral1
- Sample: sigma/CheatoSpoofer.exe
- Resource: win7-20230831-en
Errors
General
- Target: sigma/CheatoSpoofer.exe
- Size: 31.7MB
- MD5: e089f7eb07b684126ffa1d105d675f4e
- SHA1: 688c59394b08c11f42f0d91a7c21d46cf4173d97
- SHA256: c5a5752a69f7b8c3e6b0ef34befb3baa0ee237eec74de7f9c6eba42e19850b18
- SHA512: b4a44cf5d100700d5a302d3873c0781b82420df0817f94a2dca20eabe945197e5ed3c47a8e9b42cee4fdb8b80efd656b4b17c81cd121ac8368843ceb0a74ccf7
- SSDEEP: 786432:AF6hldW39X3/s+3/Du5n10x5v2LawEYcnd:lrCRvLbu7AfhYcd
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2456, process CheatoSpoofer.exe
- Obfuscated with Agile.Net obfuscator (13 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  yara_rule agile_net matched 13 memory dumps of pid 2456, all covering the same region 0x0000000000EA0000-0x0000000005854000:
  behavioral1/memory/2456-{1,2,5,6,7,10,11,12,16,18,34,51,65}-0x0000000000EA0000-0x0000000005854000-memory.dmp
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 2456, process CheatoSpoofer.exe (4 occurrences)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2456, process CheatoSpoofer.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, pid 2456, process CheatoSpoofer.exe
  Token: 33, pid 1764, process AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 1764, process AUDIODG.EXE
  Token: 33, pid 1764, process AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 1764, process AUDIODG.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"
  PID: 2456
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1088
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0xc4
  PID: 1764
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1960
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 226KB
  MD5: 519f34494d7484d85ecfad85f23bac05
  SHA1: 8f1be6ce8501ca1def6d02fde760d48169677bc5
  SHA256: 1f7a51dd23092e70b8e323c86229de242568ffc7d27271aaf88d051662ba32f9
  SHA512: d9e34321e6d32c5da664200bb5609bb2d19fcd44d36f8109e7ad2e44b5dbf1cb46e3d5b8c529d90f051e6f4cc2891301f213c9d3faac8fc4a0f3b0b8d9a3f81b