Analysis
max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27-06-2024 16:26
General
Target: spoofer.exe
Size: 63KB
MD5: 7cfe4eb5ed54dc0a2cd85a7d6aff4b77
SHA1: ad24cedddc70fe94dc9bac7e05e3dd09e70ee48e
SHA256: d1cd9f41af57c0632d8a5ae662ebda9c31b53021302dccac6963858c64ad59a3
SHA512: 1bf12ddb83d683a9841b228c609afa4f859d17d0c99247eeb638779452ceeb041eaba783c2d83bfe0a2e8b75452c053e6bac1a1d7803a48171aa2a17e4ec11c9
SSDEEP: 1536:SEXign23dVdu3kYUbZhPbDUZNLguUdpqKmY7:SZO23dyUYUbZhNGz
Malware Config
Extracted
Family: asyncrat
Botnet: Default
C2: 0.tcp.eu.ngrok.io13746:13746
Attributes:
- delay: 1
- install: false
- install_folder: %AppData%
- aes.plain
Signatures
- Drops file in Windows directory (4 IoCs)
  Processes: UserOOBEBroker.exe
  description | ioc | process
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: spoofer.exe
  pid | process
  1716 | spoofer.exe (the same entry repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: spoofer.exe
  description | pid | process
  Token: SeDebugPrivilege | 1716 | spoofer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\spoofer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
  PID: 1716
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 4724
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  PID: 2260
  - Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 4904