Overview
overview
10Static
static
10Astral Spoofer.zip
windows7-x64
1Astral Spoofer.zip
windows10-2004-x64
1Astral Spo...er.exe
windows7-x64
10Astral Spo...er.exe
windows10-2004-x64
10Astral Spo...er.exe
windows7-x64
8Astral Spo...er.exe
windows10-2004-x64
8Astral Spo...ME.txt
windows7-x64
1Astral Spo...ME.txt
windows10-2004-x64
1Astral Spo...gs.vbs
windows7-x64
1Astral Spo...gs.vbs
windows10-2004-x64
1Astral Spo...ol.exe
windows7-x64
7Astral Spo...ol.exe
windows10-2004-x64
7out.exe
windows7-x64
out.exe
windows10-2004-x64
Astral Spo...ol.ini
windows7-x64
1Astral Spo...ol.ini
windows10-2004-x64
1Astral Spo...I2.dll
windows7-x64
1Astral Spo...I2.dll
windows10-2004-x64
1Astral Spo...on.dll
windows7-x64
1Astral Spo...on.dll
windows10-2004-x64
1Astral Spo...on.xml
windows7-x64
3Astral Spo...on.xml
windows10-2004-x64
1Astral Spo...NS.txt
windows7-x64
1Astral Spo...NS.txt
windows10-2004-x64
1Astral Spo...er.bat
windows7-x64
1Astral Spo...er.bat
windows10-2004-x64
1Analysis
-
max time kernel
137s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-08-2024 20:29
Behavioral task
behavioral1
Sample
Astral Spoofer.zip
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
Astral Spoofer.zip
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Astral Spoofer/Astral Spoofer.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
Astral Spoofer/Astral Spoofer.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Astral Spoofer/Bootstrapper/Bootstrapper.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
Astral Spoofer/Bootstrapper/Bootstrapper.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Astral Spoofer/Bootstrapper/READ ME.txt
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
Astral Spoofer/Bootstrapper/READ ME.txt
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Astral Spoofer/Disable windows defender/Defender_Settings.vbs
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
Astral Spoofer/Disable windows defender/Defender_Settings.vbs
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Astral Spoofer/Disable windows defender/dControl.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
Astral Spoofer/Disable windows defender/dControl.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
out.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
out.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Astral Spoofer/Disable windows defender/dControl.ini
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
Astral Spoofer/Disable windows defender/dControl.ini
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Astral Spoofer/Guna.UI2.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
Astral Spoofer/Guna.UI2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Astral Spoofer/Newtonsoft.Json.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral20
Sample
Astral Spoofer/Newtonsoft.Json.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Astral Spoofer/Newtonsoft.Json.xml
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
Astral Spoofer/Newtonsoft.Json.xml
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Astral Spoofer/READ ME INSTRUCIONS.txt
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
Astral Spoofer/READ ME INSTRUCIONS.txt
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Astral Spoofer/Serialchecker.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
Astral Spoofer/Serialchecker.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
Astral Spoofer/Serialchecker.bat
-
Size
2KB
-
MD5
75e8ac5bdef839ba34532b69e1f3feb4
-
SHA1
beae4fe06294e10fc2831a45f2f8436cae449bf2
-
SHA256
c7a86fb9f079249b3bd525ea13128da103fc0bdb4764cdbbc48c8e505b0f1429
-
SHA512
1525242c0ae50ec12312eef0ce8be4dcf166ffb3162963e6f81f1fa230e2038a70a19f82501118ada5fef48fa8d32c1c24b2aebf08a096da8b8dcf393aed4509
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3948 WMIC.exe Token: SeSecurityPrivilege 3948 WMIC.exe Token: SeTakeOwnershipPrivilege 3948 WMIC.exe Token: SeLoadDriverPrivilege 3948 WMIC.exe Token: SeSystemProfilePrivilege 3948 WMIC.exe Token: SeSystemtimePrivilege 3948 WMIC.exe Token: SeProfSingleProcessPrivilege 3948 WMIC.exe Token: SeIncBasePriorityPrivilege 3948 WMIC.exe Token: SeCreatePagefilePrivilege 3948 WMIC.exe Token: SeBackupPrivilege 3948 WMIC.exe Token: SeRestorePrivilege 3948 WMIC.exe Token: SeShutdownPrivilege 3948 WMIC.exe Token: SeDebugPrivilege 3948 WMIC.exe Token: SeSystemEnvironmentPrivilege 3948 WMIC.exe Token: SeRemoteShutdownPrivilege 3948 WMIC.exe Token: SeUndockPrivilege 3948 WMIC.exe Token: SeManageVolumePrivilege 3948 WMIC.exe Token: 33 3948 WMIC.exe Token: 34 3948 WMIC.exe Token: 35 3948 WMIC.exe Token: 36 3948 WMIC.exe Token: SeIncreaseQuotaPrivilege 3948 WMIC.exe Token: SeSecurityPrivilege 3948 WMIC.exe Token: SeTakeOwnershipPrivilege 3948 WMIC.exe Token: SeLoadDriverPrivilege 3948 WMIC.exe Token: SeSystemProfilePrivilege 3948 WMIC.exe Token: SeSystemtimePrivilege 3948 WMIC.exe Token: SeProfSingleProcessPrivilege 3948 WMIC.exe Token: SeIncBasePriorityPrivilege 3948 WMIC.exe Token: SeCreatePagefilePrivilege 3948 WMIC.exe Token: SeBackupPrivilege 3948 WMIC.exe Token: SeRestorePrivilege 3948 WMIC.exe Token: SeShutdownPrivilege 3948 WMIC.exe Token: SeDebugPrivilege 3948 WMIC.exe Token: SeSystemEnvironmentPrivilege 3948 WMIC.exe Token: SeRemoteShutdownPrivilege 3948 WMIC.exe Token: SeUndockPrivilege 3948 WMIC.exe Token: SeManageVolumePrivilege 3948 WMIC.exe Token: 33 3948 WMIC.exe Token: 34 3948 WMIC.exe Token: 35 3948 WMIC.exe Token: 36 3948 WMIC.exe Token: SeIncreaseQuotaPrivilege 1768 WMIC.exe Token: SeSecurityPrivilege 1768 WMIC.exe Token: SeTakeOwnershipPrivilege 1768 WMIC.exe Token: SeLoadDriverPrivilege 1768 WMIC.exe Token: SeSystemProfilePrivilege 1768 WMIC.exe Token: SeSystemtimePrivilege 1768 WMIC.exe Token: SeProfSingleProcessPrivilege 1768 WMIC.exe Token: SeIncBasePriorityPrivilege 1768 WMIC.exe Token: SeCreatePagefilePrivilege 1768 WMIC.exe Token: SeBackupPrivilege 1768 WMIC.exe Token: SeRestorePrivilege 1768 WMIC.exe Token: SeShutdownPrivilege 1768 WMIC.exe Token: SeDebugPrivilege 1768 WMIC.exe Token: SeSystemEnvironmentPrivilege 1768 WMIC.exe Token: SeRemoteShutdownPrivilege 1768 WMIC.exe Token: SeUndockPrivilege 1768 WMIC.exe Token: SeManageVolumePrivilege 1768 WMIC.exe Token: 33 1768 WMIC.exe Token: 34 1768 WMIC.exe Token: 35 1768 WMIC.exe Token: 36 1768 WMIC.exe Token: SeIncreaseQuotaPrivilege 1768 WMIC.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3892 wrote to memory of 4084 3892 cmd.exe 85 PID 3892 wrote to memory of 4084 3892 cmd.exe 85 PID 3892 wrote to memory of 3948 3892 cmd.exe 94 PID 3892 wrote to memory of 3948 3892 cmd.exe 94 PID 3892 wrote to memory of 1768 3892 cmd.exe 95 PID 3892 wrote to memory of 1768 3892 cmd.exe 95 PID 3892 wrote to memory of 3052 3892 cmd.exe 96 PID 3892 wrote to memory of 3052 3892 cmd.exe 96 PID 3892 wrote to memory of 1244 3892 cmd.exe 97 PID 3892 wrote to memory of 1244 3892 cmd.exe 97 PID 3892 wrote to memory of 1056 3892 cmd.exe 98 PID 3892 wrote to memory of 1056 3892 cmd.exe 98 PID 3892 wrote to memory of 1696 3892 cmd.exe 99 PID 3892 wrote to memory of 1696 3892 cmd.exe 99 PID 3892 wrote to memory of 3960 3892 cmd.exe 100 PID 3892 wrote to memory of 3960 3892 cmd.exe 100
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Serialchecker.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\system32\cscript.execscript //nologo "C:\temp\popup.vbs"2⤵PID:4084
-
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948
-
-
C:\Windows\System32\Wbem\WMIC.exewmic systemenclosure get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid2⤵PID:3052
-
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get serialnumber2⤵PID:1244
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get serialnumber2⤵PID:1056
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductID2⤵PID:1696
-
-
C:\Windows\system32\getmac.exegetmac2⤵PID:3960
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70B
MD59fe33444e664a4246806a7161b132ff0
SHA12eb9f6c328b9d6606334488caf58900abb10a63e
SHA25601b4547b1bedd429f4affc1e3014bf3fd415d491a0c2208f625fa2ddf95883bc
SHA512d1a9d6f9612c8ce56c81df7684b9b774483e9cd717a64f310b23d44efc4a657fd903e4cfa207ebfb7a938cdf657be3e94344eed9bef26a1ddb886c4b5ced7bc2