Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/09/2024, 04:15

General

  • Target

    PermSpoofer.exe

  • Size

    669KB

  • MD5

    8eb70959830bbe2a7d2fff2d1a361a8f

  • SHA1

    09f115500da658766c31588c0beaa9b96b99f645

  • SHA256

    b44edf50616943f8a2b94e5ca860ccf5f628db03c2bd0e3bec341539f1bbe0ca

  • SHA512

    872838a53c90ccf2fbfd2b1429ed0a8066dfc5fe761a44ba0647ecbcced8ca9fe7f1620f9fede0bafcdadc7d6ec05e4146121f76a5882b830cbe1ef4ef08f78d

  • SSDEEP

    12288:uL9TxTU252j76IdIEjmo1LtnMqE51S9VWqjD:CTUq2vOEjmohtMqy9sD

Malware Config

Signatures

  • Downloads MZ/PE file
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Loads dropped DLL 18 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5
        3⤵
        • Loads dropped DLL
        PID:820
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
          PID:3552
        • C:\Windows\system32\find.exe
          find /i /v "certutil"
          3⤵
            PID:4828

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\system32\Update.dll

    Filesize

    182KB

    MD5

    c5f60f585659bd91aae43c813fb4e270

    SHA1

    f0b70bbf9b1f3bd6d4b64057cfe15e24678a8846

    SHA256

    07634263cef343e066a249f6d8c161137354a9a57c18bea24c589c26acf9198a

    SHA512

    686ed41ca4a0450724136dd2e446035612345f7b4a4aae0d3a8fb4746d81d98f30edb42e041f3b31ef3b845938a5169a77d00a55f8cd33d07729dbfca775a15e

  • C:\Windows\system32\libcurl.dll

    Filesize

    557KB

    MD5

    d38a9d652cccade6a55a7a596fe599fd

    SHA1

    7138eed6a42da921585acea27f5b3c6dc716537c

    SHA256

    c2ec5ee6d93d85e396c971d026731c354402be2029ac4f0deb2515dc2ae1c61b

    SHA512

    bce04101536a2c6c6945ec2206bcc9974ee75bd34c554fbe0a2ff6d49e2807894bb1b8d51a9a6c5dcb87103c9915c817791f0372a8063c6de94359f1e1851a41

  • C:\Windows\system32\zlib1.dll

    Filesize

    88KB

    MD5

    f647da5c0665cd44a85c2f2e06dad122

    SHA1

    b58626f113fa720e149ec0e0c8624597661ba77e

    SHA256

    3ffb0110c5a46fa372c025f7d5c393ad364feafe38aabd5e7f91fe64c0409dc0

    SHA512

    274e2d004248a39a4bc50641727652d283b6e618bf16a5bfd1ff73bdab2eb9dd92ef217a65ed451efcaf31ccf58054dc10c6a213f4287db16e25803ce3f97759