Analysis
- max time kernel: 1802s
- max time network: 1137s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/10/2023, 11:23
Static task: static1
Behavioral task: behavioral1
Sample: sigma/CheatoSpoofer.exe
Resource: win7-20230831-en
(The signatures and process list below reference task behavioral2, run on the Windows 10 image named in the header; results for the behavioral1 Windows 7 task are not included on this page.)
General
- Target: sigma/CheatoSpoofer.exe
- Size: 31.7MB
- MD5: e089f7eb07b684126ffa1d105d675f4e
- SHA1: 688c59394b08c11f42f0d91a7c21d46cf4173d97
- SHA256: c5a5752a69f7b8c3e6b0ef34befb3baa0ee237eec74de7f9c6eba42e19850b18
- SHA512: b4a44cf5d100700d5a302d3873c0781b82420df0817f94a2dca20eabe945197e5ed3c47a8e9b42cee4fdb8b80efd656b4b17c81cd121ac8368843ceb0a74ccf7
- SSDEEP: 786432:AF6hldW39X3/s+3/Du5n10x5v2LawEYcnd:lrCRvLbu7AfhYcd
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer that logs keystrokes and harvests stored credentials from browsers and mail clients.
-
AgentTesla payload (1 IoC)
resource | yara_rule
behavioral2/memory/1248-73-0x000001E0D34C0000-0x000001E0D36B6000-memory.dmp | family_agenttesla
The match is on a memory dump of pid 1248, in a region separate from the 0x700000-0x50B4000 range that the agile_net rule matched, so the payload was observed only after the obfuscated loader unpacked it at runtime; no static (on-disk) match is listed.
Loads dropped DLL (2 IoCs)
pid | Process
1248 | CheatoSpoofer.exe
4528 | CheatoSpoofer.exe
Obfuscated with Agile.Net obfuscator (24 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
yara_rule agile_net matched the same region, 0x0000000000700000-0x00000000050B4000, in every dump listed:
- behavioral2/memory/1248-{1,2,5,6,7,9,10,23,48,51,69,71,80,112,113}-0x0000000000700000-0x00000000050B4000-memory.dmp (15 dumps, pid 1248)
- behavioral2/memory/4528-{133,134,138,139,140,164,170,176,177}-0x0000000000700000-0x00000000050B4000-memory.dmp (9 dumps, pid 4528)
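The yara hits above are easier to reason about once the resource strings are parsed: the address range embedded in each `...-memory.dmp` name is the dumped region, and comparing the family_agenttesla region with the agile_net region shows that the payload sits outside the obfuscated image. The Python below is an added example, not part of the Triage report or of any tool it references. It parses the IoC strings exactly as printed above (the agile_net list is rebuilt from the dump indexes given), and the `MemHit`, `summarize` and `regions_outside` names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Resource strings in the form this report uses:
#   <task>/memory/<pid>-<dumpindex>-0x<start>-0x<end>-memory.dmp <yara_rule>
MEMDUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemHit:
    task: str
    pid: int
    idx: int      # dump sequence number within the task
    start: int    # virtual address range of the dumped region
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_hit(line: str) -> MemHit:
    """Parse one 'resource yara_rule' pair as printed in the report."""
    resource, rule = line.split()
    m = MEMDUMP_RE.match(resource)
    if m is None:
        raise ValueError(f"unrecognised memory resource: {resource!r}")
    return MemHit(
        task=m["task"], pid=int(m["pid"]), idx=int(m["idx"]),
        start=int(m["start"], 16), end=int(m["end"], 16), rule=rule,
    )


def summarize(hits):
    """Group hits by (pid, rule, start, end) -> sorted list of dump indexes."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h.pid, h.rule, h.start, h.end)].append(h.idx)
    return {k: sorted(v) for k, v in groups.items()}


def regions_outside(hits, container_rule):
    """Hits whose region is not inside any region matched by container_rule.

    Used here to separate the unpacked Agent Tesla payload from the
    Agile.Net-obfuscated image that produced it."""
    containers = {(h.start, h.end) for h in hits if h.rule == container_rule}
    out = []
    for h in hits:
        if h.rule == container_rule:
            continue
        inside = any(s <= h.start and h.end <= e for s, e in containers)
        if not inside:
            out.append(h)
    return out


# IoC lines copied from the report above; the agile_net entries are expanded
# from the dump indexes listed there (all share one region).
IMAGE = "0x0000000000700000-0x00000000050B4000"
REPORT_LINES = [
    "behavioral2/memory/1248-73-0x000001E0D34C0000-0x000001E0D36B6000-memory.dmp family_agenttesla",
] + [
    f"behavioral2/memory/1248-{i}-{IMAGE}-memory.dmp agile_net"
    for i in (1, 2, 5, 6, 7, 9, 10, 23, 48, 51, 69, 71, 80, 112, 113)
] + [
    f"behavioral2/memory/4528-{i}-{IMAGE}-memory.dmp agile_net"
    for i in (133, 134, 138, 139, 140, 164, 170, 176, 177)
]

HITS = [parse_hit(line) for line in REPORT_LINES]


if __name__ == "__main__":
    for (pid, rule, start, end), idxs in sorted(summarize(HITS).items()):
        print(f"pid {pid:<5} {rule:<18} {start:#018x}-{end:#018x} "
              f"size {end - start:#x} dumps {idxs}")
    for h in regions_outside(HITS, "agile_net"):
        print(f"payload candidate: pid {h.pid} dump {h.idx} "
              f"rule {h.rule} size {h.size:#x}")
```

The payload region comes out at 0x1F6000 bytes (about 2 MB) and is the one dump worth pulling for further analysis; the 24 agile_net hits are all the same ~77 MB image region dumped repeatedly and add nothing beyond the obfuscator identification.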
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the kernel from delivering that thread's debug events to an attached debugger; it is a common anti-debugging trick, and here both instances of the sample invoked it.
pid | Process
1248 | CheatoSpoofer.exe
1248 | CheatoSpoofer.exe
4528 | CheatoSpoofer.exe
4528 | CheatoSpoofer.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Caveat: all three reads come from taskmgr.exe (pid 1224), which the process list below shows at the same tree depth as the sample rather than as its child, so this signature should not be attributed to CheatoSpoofer.exe.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Same caveat: both reads are by taskmgr.exe, not by the sample.
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | CheatoSpoofer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | CheatoSpoofer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | CheatoSpoofer.exe
(These three entries are listed twice, matching the two CheatoSpoofer.exe instances, pids 1248 and 4528, that carry this signature in the process list below.)
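The three registry signatures above differ in who performed the read: the BIOS queries come from the sample, while the SCSI and processor reads come from taskmgr.exe. A detection rule that scores these key paths without process attribution would flag Task Manager. The Python below is an added example, not from the report or from any sandbox vendor: it tags registry reads that match the fingerprinting keys seen here, attributes them per process, and suppresses a hypothetical allowlist of known readers. The event format, `score_events`, `classify_key` and `BENIGN_READERS` are constructed for this example, and the sample events are modelled on the IoCs above rather than taken from a captured log.

```python
import re
from collections import defaultdict

# Key-path patterns for the registry locations this report shows being read.
# Each is a classic VM/sandbox fingerprint source (BIOS strings, CPU name,
# disk vendor/product identifiers).
FINGERPRINT_RULES = [
    ("bios_enum", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
    ("cpu_enum", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)),
    ("scsi_enum", re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI\\", re.I)),
]

# Hypothetical allowlist for this example: processes that legitimately read
# these keys (Task Manager builds its CPU and disk labels from them).
BENIGN_READERS = frozenset({"taskmgr.exe", "explorer.exe"})

READ_OPS = {"key_opened", "value_queried"}


def classify_key(path):
    """Return the fingerprint tag for a registry path, or None."""
    for tag, rx in FINGERPRINT_RULES:
        if rx.search(path):
            return tag
    return None


def score_events(events, allowlist=BENIGN_READERS):
    """Count fingerprint-style registry reads per (pid, process).

    events: iterable of dicts with 'pid', 'process', 'op', 'path'.
    Reads by allowlisted processes are dropped; key creation and other
    write operations are ignored because they are a different signal.
    """
    findings = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["op"] not in READ_OPS:
            continue
        tag = classify_key(ev["path"])
        if tag is None or ev["process"].lower() in allowlist:
            continue
        findings[(ev["pid"], ev["process"])][tag] += 1
    return {proc: dict(tags) for proc, tags in findings.items()}


HKLM = r"\REGISTRY\MACHINE"
BIOS = HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS"


def _sample_reads(pid, process):
    # The three BIOS operations the report attributes to CheatoSpoofer.exe.
    return [
        {"pid": pid, "process": process, "op": "value_queried", "path": BIOS + r"\SystemManufacturer"},
        {"pid": pid, "process": process, "op": "value_queried", "path": BIOS + r"\SystemVersion"},
        {"pid": pid, "process": process, "op": "key_opened", "path": BIOS},
    ]


# Constructed events modelled on the IoCs above; not a captured log.
SAMPLE_EVENTS = (
    _sample_reads(1248, "CheatoSpoofer.exe")
    + _sample_reads(4528, "CheatoSpoofer.exe")
    + [
        {"pid": 1224, "process": "taskmgr.exe", "op": "key_opened",
         "path": HKLM + r"\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"},
        {"pid": 1224, "process": "taskmgr.exe", "op": "value_queried",
         "path": HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
        {"pid": 3296, "process": "explorer.exe", "op": "key_created",
         "path": r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings"},
    ]
)


if __name__ == "__main__":
    for (pid, proc), tags in score_events(SAMPLE_EVENTS).items():
        print(f"{proc} (pid {pid}): {tags}")
    print("without allowlist:", score_events(SAMPLE_EVENTS, allowlist=frozenset()))
```

With the allowlist in place only the two CheatoSpoofer.exe instances are reported, each with three bios_enum reads; with an empty allowlist taskmgr.exe is reported too, which is the false positive the caveats above warn about. Note that Sysmon does not log registry reads (its RegistryEvent IDs 12 to 14 cover key create/delete, value set and rename), so this kind of attribution needs sandbox or EDR telemetry that records key opens and value queries.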
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1248 | CheatoSpoofer.exe (all 64 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1224 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (27 IoCs)
pid | Process | Token privileges enabled (in order)
1248 | CheatoSpoofer.exe | SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege
1224 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
4528 | CheatoSpoofer.exe | the same twelve privileges, in the same order, as pid 1248
The report records the privileges each process asked to enable, not whether its token actually held them: AdjustTokenPrivileges cannot add a privilege to a token, only enable one that is present. The sample ran from the Admin user's profile, but the page does not show whether the process was elevated.
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
1224 | taskmgr.exe (all 64 entries)
-
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
1224 | taskmgr.exe (all 64 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4528 | CheatoSpoofer.exe
SetWindowsHookEx installs a Windows message hook; a low-level keyboard hook (WH_KEYBOARD_LL) set this way is the classic user-mode keylogging primitive. The report does not record which hook type was installed, and only the second instance (pid 4528) triggered this signature.
Processes
(The page lists all six processes at the same tree depth; no parent/child relationship between them is shown.)
-
C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe
command line: "C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"
PID: 1248
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe
command line: "C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
PID: 4008
-
C:\Windows\explorer.exe
command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
PID: 3296
- Modifies registry class
-
C:\Windows\System32\rundll32.exe
command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 4120
-
C:\Windows\system32\taskmgr.exe
command line: "C:\Windows\system32\taskmgr.exe" /4
PID: 1224
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe
command line: "C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"
PID: 4528
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 36B
MD5: 09eb424ba95dc8c3df5bc17d4cc6a823
SHA1: ed9ab62320b1dca877852e841d77457d8adace53
SHA256: d75e9a1253cc39c6511f70fad94f575daf8d3fb3bdf2caf9eba6531295a2a8ec
SHA512: f970dbde017987e7f3c3d250280cd2406a5f71fb5ff14beabf4e15efc4ad64b67ab773996d9e200a9e27db75733d37e8530ce070b963dc8cf104f16c46b39d9f
-
Filesize: 226KB (this entry appears three times on the page with identical hashes; listed once here)
MD5: 519f34494d7484d85ecfad85f23bac05
SHA1: 8f1be6ce8501ca1def6d02fde760d48169677bc5
SHA256: 1f7a51dd23092e70b8e323c86229de242568ffc7d27271aaf88d051662ba32f9
SHA512: d9e34321e6d32c5da664200bb5609bb2d19fcd44d36f8109e7ad2e44b5dbf1cb46e3d5b8c529d90f051e6f4cc2891301f213c9d3faac8fc4a0f3b0b8d9a3f81b
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82