Overview
overview
10Static
static
10Perm Spoof...er.exe
windows7-x64
1Perm Spoof...er.exe
windows10-2004-x64
1Perm Spoof...on.dll
windows7-x64
1Perm Spoof...on.dll
windows10-2004-x64
1Perm Spoof...ec.dll
windows7-x64
1Perm Spoof...ec.dll
windows10-2004-x64
1Perm Spoofer/bz2.dll
windows7-x64
1Perm Spoofer/bz2.dll
windows10-2004-x64
1Perm Spoof...ed.exe
windows7-x64
1Perm Spoof...ed.exe
windows10-2004-x64
1Perm Spoof...F2.bat
windows7-x64
1Perm Spoof...F2.bat
windows10-2004-x64
5Perm Spoof...ck.exe
windows7-x64
1Perm Spoof...ck.exe
windows10-2004-x64
1Perm Spoof...hk.sys
windows10-2004-x64
1Perm Spoof...DF.bat
windows7-x64
1Perm Spoof...DF.bat
windows10-2004-x64
1Perm Spoof...64.dll
windows7-x64
1Perm Spoof...64.dll
windows10-2004-x64
1Perm Spoof...64.dll
windows7-x64
1Perm Spoof...64.dll
windows10-2004-x64
1Perm Spoof...64.dll
windows7-x64
1Perm Spoof...64.dll
windows10-2004-x64
1Perm Spoof...sk.bat
windows7-x64
1Perm Spoof...sk.bat
windows10-2004-x64
6Perm Spoof...ls.exe
windows7-x64
10Perm Spoof...ls.exe
windows10-2004-x64
10Perm Spoof...4e.sys
windows10-2004-x64
1Perm Spoof...ac.bat
windows7-x64
3Perm Spoof...ac.bat
windows10-2004-x64
3Perm Spoof...ss.exe
windows7-x64
1Perm Spoof...ss.exe
windows10-2004-x64
1Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-10-2024 08:38
Behavioral task
behavioral1
Sample
Perm Spoofer/Perm Spoofer.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Perm Spoofer/Perm Spoofer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Perm Spoofer/brotlicommon.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Perm Spoofer/brotlicommon.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Perm Spoofer/brotlidec.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Perm Spoofer/brotlidec.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Perm Spoofer/bz2.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Perm Spoofer/bz2.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Perm Spoofer/cracked.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Perm Spoofer/cracked.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Perm Spoofer/dumped files/ASUSPDF2.bat
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Perm Spoofer/dumped files/ASUSPDF2.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Perm Spoofer/dumped files/AsDeviceCheck.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Perm Spoofer/dumped files/AsDeviceCheck.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Perm Spoofer/dumped files/AsDeviceChk.sys
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
Perm Spoofer/dumped files/AsusPDF.bat
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
Perm Spoofer/dumped files/AsusPDF.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
Perm Spoofer/dumped files/afuefix64.dll
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
Perm Spoofer/dumped files/afuefix64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
Perm Spoofer/dumped files/amideefix64.dll
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
Perm Spoofer/dumped files/amideefix64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
Perm Spoofer/dumped files/bootx64.dll
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
Perm Spoofer/dumped files/bootx64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
Perm Spoofer/dumped files/disk.bat
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
Perm Spoofer/dumped files/disk.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
Perm Spoofer/dumped files/fixserials.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
Perm Spoofer/dumped files/fixserials.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
Perm Spoofer/dumped files/iqvw64e.sys
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Perm Spoofer/dumped files/mac.bat
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
Perm Spoofer/dumped files/mac.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Perm Spoofer/dumped files/tpmbypass.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
Perm Spoofer/dumped files/tpmbypass.exe
Resource
win10v2004-20241007-en
General
-
Target
Perm Spoofer/dumped files/disk.bat
-
Size
13KB
-
MD5
0c345568b15f4163d3955388cfa615f4
-
SHA1
069c7b499e8f68fb90d316d6114440ef762507d6
-
SHA256
28dc4e8c24c16af0910f3542ec8ae12376e668e45ba310a7f25c87ab4bfb89e8
-
SHA512
d4619bbb7bfeccf0bb3ea7259fec6a8324aadd544017ee0df0390339d112fd0ced6707d91fc5036faf2c4cbcc9326c4ba57befbbdf909c2306c109acdba6c543
-
SSDEEP
192:dIo4yR9Y9A/r1/kMUnNLyCYSvGOqHQ28lh9YDpqWkSyt1ninmdKgZ:3xR9hjF/UnECROBClh9YDpDkSy3inlo
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI powershell.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI powershell.exe Key opened \REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK powershell.exe Key opened \REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI powershell.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2652 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2652 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2636 2248 cmd.exe 32 PID 2248 wrote to memory of 2636 2248 cmd.exe 32 PID 2248 wrote to memory of 2636 2248 cmd.exe 32 PID 2636 wrote to memory of 2184 2636 net.exe 33 PID 2636 wrote to memory of 2184 2636 net.exe 33 PID 2636 wrote to memory of 2184 2636 net.exe 33 PID 2248 wrote to memory of 2652 2248 cmd.exe 34 PID 2248 wrote to memory of 2652 2248 cmd.exe 34 PID 2248 wrote to memory of 2652 2248 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Perm Spoofer\dumped files\disk.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\system32\net.exeNET FILE2⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 FILE3⤵PID:2184
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\AppData\Local\Temp\Perm Spoofer\dumped files\disk.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-