Overview (score 10)
Static (score 10)

Tab / Sample            Platform              Score
Astral Spoofer.zip      windows7-x64          1
Astral Spoofer.zip      windows10-2004-x64    1
Astral Spo...er.exe     windows7-x64          10
Astral Spo...er.exe     windows10-2004-x64    10
Astral Spo...er.exe     windows7-x64          8
Astral Spo...er.exe     windows10-2004-x64    8
Astral Spo...ME.txt     windows7-x64          1
Astral Spo...ME.txt     windows10-2004-x64    1
Astral Spo...gs.vbs     windows7-x64          1
Astral Spo...gs.vbs     windows10-2004-x64    1
Astral Spo...ol.exe     windows7-x64          7
Astral Spo...ol.exe     windows10-2004-x64    7
out.exe                 windows7-x64          -
out.exe                 windows10-2004-x64    -
Astral Spo...ol.ini     windows7-x64          1
Astral Spo...ol.ini     windows10-2004-x64    1
Astral Spo...I2.dll     windows7-x64          1
Astral Spo...I2.dll     windows10-2004-x64    1
Astral Spo...on.dll     windows7-x64          1
Astral Spo...on.dll     windows10-2004-x64    1
Astral Spo...on.xml     windows7-x64          3
Astral Spo...on.xml     windows10-2004-x64    1
Astral Spo...NS.txt     windows7-x64          1
Astral Spo...NS.txt     windows10-2004-x64    1
Astral Spo...er.bat     windows7-x64          1
Astral Spo...er.bat     windows10-2004-x64    1

Analysis
- max time kernel: 15s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 20-08-2024 20:29
Behavioral tasks (task: sample, resource)
- behavioral1: Astral Spoofer.zip, win7-20240704-en
- behavioral2: Astral Spoofer.zip, win10v2004-20240802-en
- behavioral3: Astral Spoofer/Astral Spoofer.exe, win7-20240708-en
- behavioral4: Astral Spoofer/Astral Spoofer.exe, win10v2004-20240802-en
- behavioral5: Astral Spoofer/Bootstrapper/Bootstrapper.exe, win7-20240705-en
- behavioral6: Astral Spoofer/Bootstrapper/Bootstrapper.exe, win10v2004-20240802-en
- behavioral7: Astral Spoofer/Bootstrapper/READ ME.txt, win7-20240708-en
- behavioral8: Astral Spoofer/Bootstrapper/READ ME.txt, win10v2004-20240802-en
- behavioral9: Astral Spoofer/Disable windows defender/Defender_Settings.vbs, win7-20240708-en
- behavioral10: Astral Spoofer/Disable windows defender/Defender_Settings.vbs, win10v2004-20240802-en
- behavioral11: Astral Spoofer/Disable windows defender/dControl.exe, win7-20240704-en
- behavioral12: Astral Spoofer/Disable windows defender/dControl.exe, win10v2004-20240802-en
- behavioral13: out.exe, win7-20240729-en
- behavioral14: out.exe, win10v2004-20240802-en
- behavioral15: Astral Spoofer/Disable windows defender/dControl.ini, win7-20240704-en
- behavioral16: Astral Spoofer/Disable windows defender/dControl.ini, win10v2004-20240802-en
- behavioral17: Astral Spoofer/Guna.UI2.dll, win7-20240704-en
- behavioral18: Astral Spoofer/Guna.UI2.dll, win10v2004-20240802-en
- behavioral19: Astral Spoofer/Newtonsoft.Json.dll, win7-20240705-en
- behavioral20: Astral Spoofer/Newtonsoft.Json.dll, win10v2004-20240802-en
- behavioral21: Astral Spoofer/Newtonsoft.Json.xml, win7-20240708-en
- behavioral22: Astral Spoofer/Newtonsoft.Json.xml, win10v2004-20240802-en
- behavioral23: Astral Spoofer/READ ME INSTRUCIONS.txt, win7-20240704-en
- behavioral24: Astral Spoofer/READ ME INSTRUCIONS.txt, win10v2004-20240802-en
- behavioral25: Astral Spoofer/Serialchecker.bat, win7-20240708-en
- behavioral26: Astral Spoofer/Serialchecker.bat, win10v2004-20240802-en
General
- Target: Astral Spoofer/Serialchecker.bat
- Size: 2KB
- MD5: 75e8ac5bdef839ba34532b69e1f3feb4
- SHA1: beae4fe06294e10fc2831a45f2f8436cae449bf2
- SHA256: c7a86fb9f079249b3bd525ea13128da103fc0bdb4764cdbbc48c8e505b0f1429
- SHA512: 1525242c0ae50ec12312eef0ce8be4dcf166ffb3162963e6f81f1fa230e2038a70a19f82501118ada5fef48fa8d32c1c24b2aebf08a096da8b8dcf393aed4509
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1464  WMIC.exe
  Token: SeSecurityPrivilege           1464  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1464  WMIC.exe
  Token: SeLoadDriverPrivilege         1464  WMIC.exe
  Token: SeSystemProfilePrivilege      1464  WMIC.exe
  Token: SeSystemtimePrivilege         1464  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1464  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1464  WMIC.exe
  Token: SeCreatePagefilePrivilege     1464  WMIC.exe
  Token: SeBackupPrivilege             1464  WMIC.exe
  Token: SeRestorePrivilege            1464  WMIC.exe
  Token: SeShutdownPrivilege           1464  WMIC.exe
  Token: SeDebugPrivilege              1464  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1464  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1464  WMIC.exe
  Token: SeUndockPrivilege             1464  WMIC.exe
  Token: SeManageVolumePrivilege       1464  WMIC.exe
  Token: 33                            1464  WMIC.exe
  Token: 34                            1464  WMIC.exe
  Token: 35                            1464  WMIC.exe
  (the 20 rows above for PID 1464 are recorded a second time, identically: 40 IoCs)
  Token: SeIncreaseQuotaPrivilege      2988  WMIC.exe
  Token: SeSecurityPrivilege           2988  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2988  WMIC.exe
  Token: SeLoadDriverPrivilege         2988  WMIC.exe
  Token: SeSystemProfilePrivilege      2988  WMIC.exe
  Token: SeSystemtimePrivilege         2988  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2988  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2988  WMIC.exe
  Token: SeCreatePagefilePrivilege     2988  WMIC.exe
  Token: SeBackupPrivilege             2988  WMIC.exe
  Token: SeRestorePrivilege            2988  WMIC.exe
  Token: SeShutdownPrivilege           2988  WMIC.exe
  Token: SeDebugPrivilege              2988  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2988  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2988  WMIC.exe
  Token: SeUndockPrivilege             2988  WMIC.exe
  Token: SeManageVolumePrivilege       2988  WMIC.exe
  Token: 33                            2988  WMIC.exe
  Token: 34                            2988  WMIC.exe
  Token: 35                            2988  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2988  WMIC.exe
  Token: SeSecurityPrivilege           2988  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2988  WMIC.exe
  Token: SeLoadDriverPrivilege         2988  WMIC.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each row is recorded 3 times)
  description                       pid   Process  procid_target
  PID 1892 wrote to memory of 2368  1892  cmd.exe  31
  PID 1892 wrote to memory of 1464  1892  cmd.exe  32
  PID 1892 wrote to memory of 2988  1892  cmd.exe  34
  PID 1892 wrote to memory of 2160  1892  cmd.exe  35
  PID 1892 wrote to memory of 2912  1892  cmd.exe  36
  PID 1892 wrote to memory of 2928  1892  cmd.exe  37
  PID 1892 wrote to memory of 2888  1892  cmd.exe  38
  PID 1892 wrote to memory of 2600  1892  cmd.exe  39
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Serialchecker.bat"
  Suspicious use of WriteProcessMemory
  PID: 1892
  - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\temp\popup.vbs"
    PID: 2368
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    Suspicious use of AdjustPrivilegeToken
    PID: 1464
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic systemenclosure get serialnumber
    Suspicious use of AdjustPrivilegeToken
    PID: 2988
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    PID: 2160
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    PID: 2912
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    PID: 2928
  - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductID
    PID: 2888
  - C:\Windows\system32\getmac.exe
    getmac
    PID: 2600
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 70B
  MD5: 9fe33444e664a4246806a7161b132ff0
  SHA1: 2eb9f6c328b9d6606334488caf58900abb10a63e
  SHA256: 01b4547b1bedd429f4affc1e3014bf3fd415d491a0c2208f625fa2ddf95883bc
  SHA512: d1a9d6f9612c8ce56c81df7684b9b774483e9cd717a64f310b23d44efc4a657fd903e4cfa207ebfb7a938cdf657be3e94344eed9bef26a1ddb886c4b5ced7bc2