Analysis Overview
SHA256
d1cd9f41af57c0632d8a5ae662ebda9c31b53021302dccac6963858c64ad59a3
Threat Level: Known bad
The file spoofer.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
AsyncRat
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-27 16:26
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 16:26
Reported
2024-06-27 16:29
Platform
win11-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
AsyncRat
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\spoofer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io13746 | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 2.18.66.163:443 | tcp | |
| US | 13.89.178.26:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| US | 150.171.28.254:443 | ax-ring.msedge.net | tcp |
| US | 52.123.129.254:443 | dual-s-ring.msedge.net | tcp |
| FR | 152.199.21.118:443 | static-ecst.licdn.com | tcp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
Files
memory/1716-0-0x00007FFBAF1F3000-0x00007FFBAF1F5000-memory.dmp
memory/1716-1-0x0000000000030000-0x0000000000046000-memory.dmp
memory/1716-2-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp
memory/1716-3-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp
memory/1716-4-0x00007FFBAF1F3000-0x00007FFBAF1F5000-memory.dmp
memory/1716-5-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp
memory/1716-6-0x00007FFBAF1F0000-0x00007FFBAFCB2000-memory.dmp