Resubmissions

10-08-2024 04:36

240810-e8ckhswdmk 10

22-07-2024 16:52

240722-vdflpaxcrg 10

Analysis

  • max time kernel
    160s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-08-2024 04:36

General

  • Target

    Spoofer.exe

  • Size

    46KB

  • MD5

    8462795ada587c3bccdb59c2f48e5bfe

  • SHA1

    ae155c1d78ba4adfbfe5aa022a2deb725fc1dc9a

  • SHA256

    b676dadc109d8b1322111502103a943073180b3daa78a04637448b148730736d

  • SHA512

    7860b4447fe17084e0225a052d9712b3fe332cdd6e4f59d1057e4613c07c416f1cfe36c1a49bf0f631a4289ac49fb24518c63fb03ed7a6df2af832361e764ff6

  • SSDEEP

    768:qdhO/poiiUcjlJInfFH9Xqk5nWEZ5SbTDa/WI7CPW5w:Mw+jjgnNH9XqcnW85SbT+WII

Malware Config

Extracted

Family

xenorat

C2

62.133.174.224

Mutex

RuntimeBroker

Attributes
  • delay

    500

  • install_path

    appdata

  • port

    3056

  • startup_name

    RuntimeBroker

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely geofencing.

  • Executes dropped EXE (1 IoCs)
  • Browser Information Discovery (1 TTPs)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5176
    • C:\Users\Admin\AppData\Roaming\XenoManager\Spoofer.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\Spoofer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "RuntimeBroker" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAC3.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:6036
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4512
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5256
  • C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5288
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "RuntimeBroker" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCFA.tmp" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4336
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault647f31c0h10cfh4e7eha53ch462522f4e2ae
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5916
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8968646f8,0x7ff896864708,0x7ff896864718
      2⤵
      PID:5328
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16598361677603917774,7014479437217917288,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      2⤵
      PID:556
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16598361677603917774,7014479437217917288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      2⤵
      PID:1672
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16598361677603917774,7014479437217917288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      2⤵
      PID:6068
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4308
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3440

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Spoofer.exe.log

                  Filesize

                  226B

                  MD5

                  916851e072fbabc4796d8916c5131092

                  SHA1

                  d48a602229a690c512d5fdaf4c8d77547a88e7a2

                  SHA256

                  7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

                  SHA512

                  07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                  Filesize

                  152B

                  MD5

                  719923124ee00fb57378e0ebcbe894f7

                  SHA1

                  cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

                  SHA256

                  aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

                  SHA512

                  a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                  Filesize

                  6KB

                  MD5

                  83c75eb903b547d8d6214ed913a42a08

                  SHA1

                  2015ce05c20cc80a7d54f16b9b3bb05cae88c30d

                  SHA256

                  7efddac9e18f477235c14b6507687fc7b9b3cd097b529bacc99c4b38a2134029

                  SHA512

                  d3705a9dd1f5aa9952b75efc3a69baf1c224a7c32344e9ae2171d5729ac5b5f2923023351d73ed9bc5cd9517f8168d90a58a9e364e9856e570f886784dc64f1b

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                  Filesize

                  8KB

                  MD5

                  1c5932cd38612d9e3f0a081f439ef0ac

                  SHA1

                  072fb6d3a893e802860cc0442c2e343791cd01d4

                  SHA256

                  0c47378223806b6d3e67a8f4b6560f82735cf504ac79046a075d6e7a9f49bdf7

                  SHA512

                  48ac3d99f1b95b4e7dbea932e6618ae3e6ca741056309324e4a74b1eb8ae58fa49f0ec2242f08ca96d6d6ddff6a79e18f2d797ddfdd8b4e5a18f77df8f01df12

                • C:\Users\Admin\AppData\Local\Temp\tmpCAC3.tmp

                  Filesize

                  1KB

                  MD5

                  09fbaabc7b71c07e7a69ad642ad06e6f

                  SHA1

                  476a704478db683f543761791888ffcbff864d01

                  SHA256

                  a51a98dfcc8710229d9c733ca72180add31445baae9cecd1ddf162af6dea0c8c

                  SHA512

                  74ca867319a4fe2c7dd6bcfb7da85c49fb33d0e7afec8bbc0373a6308f648025d08a2b60912e387ba921ea9164e3c3524627f020ea4ae0e7a696bea633869a7a

                • C:\Users\Admin\AppData\Local\Temp\tmpFCFA.tmp

                  Filesize

                  1KB

                  MD5

                  cce4fe8ee91c1eb46d7c2df341389f13

                  SHA1

                  7d47b8019cc78b0ace3cd51ba20e70e2ded61c37

                  SHA256

                  4da6bc88148480b259bb47acd5838fd419dfc3b790575682c87125591746efb8

                  SHA512

                  e9c2c8656248a40583a29f004893950434a8efa07d56ef8a3b5d9d3a4d8846098f1777a3ca912b8d21dc2544c5d6f2ced81c9814c4ef6542ec692b93aabe7cab

                • C:\Users\Admin\AppData\Roaming\XenoManager\Spoofer.exe

                  Filesize

                  46KB

                  MD5

                  8462795ada587c3bccdb59c2f48e5bfe

                  SHA1

                  ae155c1d78ba4adfbfe5aa022a2deb725fc1dc9a

                  SHA256

                  b676dadc109d8b1322111502103a943073180b3daa78a04637448b148730736d

                  SHA512

                  7860b4447fe17084e0225a052d9712b3fe332cdd6e4f59d1057e4613c07c416f1cfe36c1a49bf0f631a4289ac49fb24518c63fb03ed7a6df2af832361e764ff6

                • memory/2804-32-0x00000000746D0000-0x0000000074E80000-memory.dmp

                  Filesize

                  7.7MB

                • memory/2804-15-0x00000000746D0000-0x0000000074E80000-memory.dmp

                  Filesize

                  7.7MB

                • memory/2804-16-0x00000000746D0000-0x0000000074E80000-memory.dmp

                  Filesize

                  7.7MB

                • memory/4512-25-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-30-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-29-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-28-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-27-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-26-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-31-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-20-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-21-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/4512-19-0x0000021A39B60000-0x0000021A39B61000-memory.dmp

                  Filesize

                  4KB

                • memory/5176-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

                  Filesize

                  4KB

                • memory/5176-1-0x0000000000B00000-0x0000000000B12000-memory.dmp

                  Filesize

                  72KB