Malware Analysis Report

2024-10-19 06:56

Sample ID 240627-tv1shssaln
Target spoofer-unlink.exe
SHA256 4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108
Tags
rat default asyncrat
score
10/10

Analysis Overview

score
10/10

SHA256

4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108

Threat Level: Known bad

The file spoofer-unlink.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Async RAT payload

Asyncrat family

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-27 16:23

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 16:23

Reported

2024-06-27 16:26

Platform

win11-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\spoofer.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe N/A (21 identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Roaming\spoofer.exe N/A (43 identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\spoofer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\spoofer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe

"C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp72CE.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"'

C:\Users\Admin\AppData\Roaming\spoofer.exe

"C:\Users\Admin\AppData\Roaming\spoofer.exe"
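The Processes section above records the two halves of the persistence routine: cmd.exe registering a logon-triggered, highest-run-level task named "spoofer" whose action is a copy of the sample under %APPDATA%, and a second cmd.exe running a dropped tmp72CE.tmp.bat with a 3-second timeout. The Python below is an added example written for this page; it is not sandbox output and not AsyncRAT code. Its SAMPLE_EVENTS are constructed from those command lines, while the pid/ppid values, the record layout (pid, ppid, image, command_line), the user-writable-path list, the trigger set and the two-signal threshold are the editor's assumptions.

```python
"""Heuristics for the scheduled-task persistence chain shown in this report.

Added example for this page, not sandbox output and not AsyncRAT code.
SAMPLE_EVENTS is constructed from the Processes section: the command lines
are the report's; pids/ppids and the record layout are assumptions.
"""
import re
from dataclasses import dataclass, field

# Locations a standard user can write to. A task action living under one of
# these is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE
)
# schtasks /sc values that fire without user interaction.
AUTOSTART_TRIGGERS = {"onlogon", "onstart", "onidle", "minute", "hourly"}
# A schtasks value may be bare, "quoted", or, as in this sample, '"quoted"'.
_VALUE = r"""('"[^"]*"'|"[^"]*"|\S+)"""
# Randomly named tmpXXXX.tmp.bat dropped into %TEMP% and run via cmd /c.
TEMP_BAT = re.compile(r'[A-Z]:\\[^"\s]*\\Temp\\tmp[0-9A-F]+\.tmp\.bat', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str
    iocs: dict = field(default_factory=dict)


def schtasks_arg(cmdline, flag):
    """Return the value following a schtasks flag with all quoting stripped."""
    m = re.search(rf"(?i)(?:^|\s){re.escape(flag)}\s+{_VALUE}", cmdline)
    return m.group(1).strip("'\"") if m else None


def check_schtasks(pid, cmdline):
    """Flag a 'schtasks /create' whose options together look like persistence."""
    if not re.search(r"(?i)schtasks(\.exe)?\s.*/create", cmdline):
        return None
    trigger = (schtasks_arg(cmdline, "/sc") or "").lower()
    runlevel = (schtasks_arg(cmdline, "/rl") or "").lower()
    action = schtasks_arg(cmdline, "/tr") or ""
    reasons = []
    if trigger in AUTOSTART_TRIGGERS:
        reasons.append(f"autostart trigger /sc {trigger}")
    if runlevel == "highest":
        reasons.append("/rl highest")
    if USER_WRITABLE.search(action):
        reasons.append("action in a user-writable directory")
    if "/f" in cmdline.lower().split():
        reasons.append("/f replaces any existing task of that name")
    # Any one option is routine for installers; two or more together is the pattern.
    if len(reasons) < 2:
        return None
    return Finding("schtasks_persistence", pid, "; ".join(reasons),
                   {"task_name": schtasks_arg(cmdline, "/tn"), "action": action})


def check_temp_batch(pid, image, cmdline):
    """Flag cmd.exe executing a dropped tmpXXXX.tmp.bat from %TEMP%."""
    m = TEMP_BAT.search(cmdline)
    if image.lower().endswith("\\cmd.exe") and m:
        return Finding("temp_batch_launcher", pid,
                       "cmd.exe runs a dropped batch file", {"batch": m.group(0)})
    return None


def triage(events):
    """Run the checks over a process list; also flag timeout.exe whose parent
    is a flagged batch launcher (the delay step of the chain)."""
    findings, seen_tasks, batch_launchers = [], set(), set()
    for ev in events:
        pid, image, cmd = ev["pid"], ev["image"], ev["command_line"]
        # cmd.exe and its schtasks.exe child carry the same line; report once.
        if (f := check_schtasks(pid, cmd)) and f.iocs["task_name"] not in seen_tasks:
            seen_tasks.add(f.iocs["task_name"])
            findings.append(f)
        if f := check_temp_batch(pid, image, cmd):
            findings.append(f)
            batch_launchers.add(pid)
        if image.lower().endswith("\\timeout.exe") and ev["ppid"] in batch_launchers:
            findings.append(Finding("delayed_execution", pid, f"'{cmd}' under a flagged batch"))
    return findings


# Constructed from the Processes section; pids/ppids are made up to express
# the parent links that the flattened listing does not show.
SAMPLE_EVENTS = [
    {"pid": 2152, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\spoofer-unlink.exe"'},
    {"pid": 2200, "ppid": 2152, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"' & exit'''},
    {"pid": 2204, "ppid": 2152, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp72CE.tmp.bat""'},
    {"pid": 2300, "ppid": 2204, "image": r"C:\Windows\system32\timeout.exe",
     "command_line": "timeout 3"},
    {"pid": 2304, "ppid": 2200, "image": r"C:\Windows\system32\schtasks.exe",
     "command_line": r"""schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Roaming\spoofer.exe"'"""},
    {"pid": 2400, "ppid": 2204, "image": r"C:\Users\Admin\AppData\Roaming\spoofer.exe",
     "command_line": r'"C:\Users\Admin\AppData\Roaming\spoofer.exe"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail} {f.iocs}")
```

Run directly to print the three findings. The schtasks check deliberately requires two of its four signals: /sc onlogon alone or /rl highest alone is routine in legitimate installers, while a forced-overwrite logon task whose action points into AppData\Roaming is not. The task name and action path it extracts are the IOCs worth hunting for on other hosts.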

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp (4 identical DNS queries)

The extracted Domain column read "0.tcp.eu.ngrok.io13746"; the trailing 13746 is taken here to be the tunnel port fused onto the hostname during extraction rather than part of the name. 0.tcp.eu.ngrok.io is ngrok's TCP-tunnel ingress, which lets the operator hide the real C2 host behind a rented ngrok endpoint. Only the name resolution via 8.8.8.8 is recorded in this section, not the follow-on TCP connection.

Files

memory/2152-0-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

memory/2152-1-0x00007FFF60E53000-0x00007FFF60E55000-memory.dmp

memory/2152-2-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp

memory/2152-3-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp

memory/2152-8-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp72CE.tmp.bat

MD5 e65c0ce0c6c742f6aa0e1ca5e25369cf
SHA1 178c2db67e1fb0d13758be5a8dcfa852ead2e152
SHA256 b5dab9b57d8dd4eb8bbe0d329989ae537927bd93d3456292a7ace2e50006b136
SHA512 dc74f75de4e57ca721bf3c3185cb68cd146587188efeadf0de3f5f015ddd3b8f9d83998a59356f0a4df39a74de11a49ac32a084046367a876a46c2b99aaa5dd0

C:\Users\Admin\AppData\Roaming\spoofer.exe (byte-identical copy of the submitted sample: its SHA256 below equals the sample SHA256 in the report header)

MD5 49a5f1932378fabb00711adf84d5582d
SHA1 1006e995a77d51759c8f58c901e4a3556a4a2170
SHA256 4ea1569208dbd652ec6bef2f841e17f82b708110edbfbb853961d35c364a7108
SHA512 08d4c7ee8935b9ee2c0cd74f1dd49bc6ef58c7ff62fdd1a91b73fa0c157fc28d903a3c70f467ba6f979cc49bb4b959bef67669056998597311f25da96c0c7b61