Malware Analysis Report

2024-10-19 06:56

Sample ID 240627-txz9rssbkj
Target spoofer.exe
SHA256 d1cd9f41af57c0632d8a5ae662ebda9c31b53021302dccac6963858c64ad59a3
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1cd9f41af57c0632d8a5ae662ebda9c31b53021302dccac6963858c64ad59a3

Threat Level: Known bad

The file spoofer.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-27 16:26

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 16:26

Reported

2024-06-27 16:29

Platform

win11-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"

Signatures

AsyncRat

rat asyncrat

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
(the row above appears 64 times in the report, one per EnumeratesProcesses hit)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.eu.ngrok.io13746 udp
US 8.8.8.8:53 cxcs.microsoft.net udp
NL 23.62.61.97:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 2.18.66.163:443 tcp
US 13.89.178.26:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
US 150.171.28.254:443 ax-ring.msedge.net tcp
US 52.123.129.254:443 dual-s-ring.msedge.net tcp
FR 152.199.21.118:443 static-ecst.licdn.com tcp
NL 23.62.61.106:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp

Files

memory/1716-0-0x00007FFBAF1F3000-0x00007FFBAF1F5000-memory.dmp

memory/1716-1-0x0000000000030000-0x0000000000046000-memory.dmp

memory/1716-2-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp

memory/1716-3-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp

memory/1716-4-0x00007FFBAF1F3000-0x00007FFBAF1F5000-memory.dmp

memory/1716-5-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp

memory/1716-6-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp