Analysis Overview
SHA256
4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108
Threat Level: Known bad
The file spoofer-unlink.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Asyncrat family
Async RAT payload
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 16:23
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 16:23
Reported
2024-06-27 16:26
Platform
win11-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spoofer.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\spoofer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\spoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp72CE.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"'
C:\Users\Admin\AppData\Roaming\spoofer.exe
"C:\Users\Admin\AppData\Roaming\spoofer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io13746 | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io13746 | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io13746 | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io13746 | udp |
Files
memory/2152-0-0x0000000000DC0000-0x0000000000DD6000-memory.dmp
memory/2152-1-0x00007FFF60E53000-0x00007FFF60E55000-memory.dmp
memory/2152-2-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/2152-3-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/2152-8-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp72CE.tmp.bat
| Hash | Value |
| --- | --- |
| MD5 | e65c0ce0c6c742f6aa0e1ca5e25369cf |
| SHA1 | 178c2db67e1fb0d13758be5a8dcfa852ead2e152 |
| SHA256 | b5dab9b57d8dd4eb8bbe0d329989ae537927bd93d3456292a7ace2e50006b136 |
| SHA512 | dc74f75de4e57ca721bf3c3185cb68cd146587188efeadf0de3f5f015ddd3b8f9d83998a59356f0a4df39a74de11a49ac32a084046367a876a46c2b99aaa5dd0 |
C:\Users\Admin\AppData\Roaming\spoofer.exe
| Hash | Value |
| --- | --- |
| MD5 | 49a5f1932378fabb00711adf84d5582d |
| SHA1 | 1006e995a77d51759c8f58c901e4a3556a4a2170 |
| SHA256 | 4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108 |
| SHA512 | 08d4c7ee8935b9ee2c0cd74f1dd49bc6ef58c7ff62fdd1a91b73fa0c157fc28d903a3c70f467ba6f979cc49bb4b959bef67669056998597311f25da96c0c7b61 |