Overview

overview

7

Static

static

3

ExternalSpoofer.exe

windows7-x64

7

ExternalSpoofer.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExternalSpoofer.exe

  • Size

    3.0MB

  • MD5

    591b075aab81ac7df3d79cf617d4d7a7

  • SHA1

    eecc505f82677bcde7390a8c64ab41d8963403c6

  • SHA256

    f7a200f18c18f6d80fbf987e251ee96cc3eb08649f36ccdb4ee3c5110b0ebf17

  • SHA512

    7f16de3bd87e5a5a12515016f57fbcc7580f5003949c4270f434056b3e11306cd6d46364bec49cf62780b89159f8eb64a1b97a54da6d66f1bdf362186a1386e9

  • SSDEEP

    49152:wqsfSamq4jrhhWKwbr8PgwKMrNt5HQUuASCAVXx2DUtD6P6uG6VPKL:wHSamnPmKG8P0Mrf5HQt7aUtE6T6M

Score
7/10
agilenet

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 33 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExternalSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ExternalSpoofer.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Application not found && timeout /t 5"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C "color b && title Error && echo Application not found && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:1636
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    42f44c1e0bd04f225ad6b3c610dbb460

    SHA1

    ef4e841ce9cdb8d5601b42e464f797826b3db805

    SHA256

    edc95e34cad6a3493cd578c9c6b9fd20cd1507694c3252099dba91b13e9f84fe

    SHA512

    e7554ba173255cf9f8031abaf88b3426f69726402195b5b507b62825962d0d40e9ec131e21dbde6f3f583d770b3116c5e30535977eff13c142035e8eeb89b9b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\CabF49E.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarF5AE.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fe18e516-f12f-4073-bf13-52a839118bfb\GunaDotNetRT.dll
    Filesize

    136KB

    MD5

    9af5eb006bb0bab7f226272d82c896c7

    SHA1

    c2a5bb42a5f08f4dc821be374b700652262308f0

    SHA256

    77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

    SHA512

    7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

    Download Submit
  • memory/2508-23-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-59-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-12-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-55-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-53-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-51-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-49-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-47-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-45-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-43-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-41-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-39-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-37-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-35-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-33-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-31-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-17-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-27-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-25-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-2-0x0000000073F20000-0x000000007460E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2508-21-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-19-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-13-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-15-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-29-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-11-0x0000000073D20000-0x0000000073DA0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2508-10-0x00000000735E0000-0x0000000073617000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2508-73-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-71-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-69-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-67-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-65-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-63-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-61-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-3-0x0000000005460000-0x000000000563C000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2508-57-0x0000000005460000-0x0000000005638000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2508-10934-0x0000000005AC0000-0x0000000005C0E000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2508-10937-0x0000000000AB0000-0x0000000000AC4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2508-1-0x0000000000DD0000-0x00000000010DA000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2508-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2508-10938-0x0000000000B30000-0x0000000000BC0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/2508-11006-0x00000000735E0000-0x0000000073617000-memory.dmp
    Filesize

    220KB

    Download
  • memory/2508-11005-0x0000000073F20000-0x000000007460E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4696-10935-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/4696-10936-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/4696-11007-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download