Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27-06-2024 16:23
General
Target: spoofer-unlink.exe
Size: 63KB
MD5: 49a5f1932378fabb00711adf84d5582d
SHA1: 1006e995a77d51759c8f58c901e4a3556a4a2170
SHA256: 4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108
SHA512: 08d4c7ee8935b9ee2c0cd74f1dd49bc6ef58c7ff62fdd1a91b73fa0c157fc28d903a3c70f467ba6f979cc49bb4b959bef67669056998597311f25da96c0c7b61
SSDEEP: 1536:feQPcLwiTUz5mYUb7v9aLfBlHG0uwdpqKmY7:feDcmUMYUb7oBIyGz
Malware Config
Extracted
Family: asyncrat
Default
C2: 0.tcp.eu.ngrok.io:13746
delay: 1
install: true
install_file: spoofer.exe
install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\spoofer.exe | family_asyncrat
- Executes dropped EXE (1 IoC)
  pid | process
  4464 | spoofer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid | process
  4724 | timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2152 | spoofer-unlink.exe (repeated entries)
  4464 | spoofer.exe (repeated entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2152 | spoofer-unlink.exe
  Token: SeDebugPrivilege | 2152 | spoofer-unlink.exe
  Token: SeDebugPrivilege | 4464 | spoofer.exe
  Token: SeDebugPrivilege | 4464 | spoofer.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 2152 wrote to memory of 4944 | 2152 | spoofer-unlink.exe | cmd.exe
  PID 2152 wrote to memory of 4944 | 2152 | spoofer-unlink.exe | cmd.exe
  PID 2152 wrote to memory of 624 | 2152 | spoofer-unlink.exe | cmd.exe
  PID 2152 wrote to memory of 624 | 2152 | spoofer-unlink.exe | cmd.exe
  PID 624 wrote to memory of 4724 | 624 | cmd.exe | timeout.exe
  PID 624 wrote to memory of 4724 | 624 | cmd.exe | timeout.exe
  PID 4944 wrote to memory of 3264 | 4944 | cmd.exe | schtasks.exe
  PID 4944 wrote to memory of 3264 | 4944 | cmd.exe | schtasks.exe
  PID 624 wrote to memory of 4464 | 624 | cmd.exe | spoofer.exe
  PID 624 wrote to memory of 4464 | 624 | cmd.exe | spoofer.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe (PID 2152, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4944, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 3264, depth 3)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"'
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 624, depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp72CE.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 4724, depth 3)
      command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\spoofer.exe (PID 4464, depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\spoofer.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151B
  MD5: e65c0ce0c6c742f6aa0e1ca5e25369cf
  SHA1: 178c2db67e1fb0d13758be5a8dcfa852ead2e152
  SHA256: b5dab9b57d8dd4eb8bbe0d329989ae537927bd93d3456292a7ace2e50006b136
  SHA512: dc74f75de4e57ca721bf3c3185cb68cd146587188efeadf0de3f5f015ddd3b8f9d83998a59356f0a4df39a74de11a49ac32a084046367a876a46c2b99aaa5dd0
- Filesize: 63KB (same hashes as the submitted target spoofer-unlink.exe)
  MD5: 49a5f1932378fabb00711adf84d5582d
  SHA1: 1006e995a77d51759c8f58c901e4a3556a4a2170
  SHA256: 4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108
  SHA512: 08d4c7ee8935b9ee2c0cd74f1dd49bc6ef58c7ff62fdd1a91b73fa0c157fc28d903a3c70f467ba6f979cc49bb4b959bef67669056998597311f25da96c0c7b61