Analysis
- max time kernel: 146s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 23:41
Behavioral task
- task: behavioral1
- Sample: SenoxPermSpoofer.exe
- Resource: win7-20240903-en
General
- Target: SenoxPermSpoofer.exe
- Size: 66KB
- MD5: c8e8287c2b1d18e37a6ac07f507ca836
- SHA1: 4e5d2f99740477a0c06b00049e59e1bfbefb65c7
- SHA256: fb7649dccc42200527879f8f34eacb68479dde81c1fec24c75dc974cac37e0c0
- SHA512: 9ce42e8488004bfe321c532437f3ff175fd0af28b94c6742f13934ac18c1f52828d8bdf54d7391bdea041f077670fd8d03957da85469e518dbe6f600893d707e
- SSDEEP: 1536:O5w/ntlY+c6ENTTIUK3TIU0KvGbbbwEoxv7GI9+9999999d999b999K9y96J999F:O5w/ntlY+c6ENTTIbTIU0gGbbbbKv2zY
Malware Config
Extracted
- family: asyncrat
- version: 1.0.7
- Default
- 127.0.0.1:8848
- safe
- delay: 1
- install: true
- install_file: Senox Perm Spoofer.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe | family_asyncrat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2852 | Senox Perm Spoofer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid | process
  2728 | timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1788 | SenoxPermSpoofer.exe
  1788 | SenoxPermSpoofer.exe
  1788 | SenoxPermSpoofer.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1788 | SenoxPermSpoofer.exe
  Token: SeDebugPrivilege | 2852 | Senox Perm Spoofer.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 1788 wrote to memory of 2508 | 1788 | SenoxPermSpoofer.exe | cmd.exe
  PID 1788 wrote to memory of 2508 | 1788 | SenoxPermSpoofer.exe | cmd.exe
  PID 1788 wrote to memory of 2508 | 1788 | SenoxPermSpoofer.exe | cmd.exe
  PID 1788 wrote to memory of 2920 | 1788 | SenoxPermSpoofer.exe | cmd.exe
  PID 1788 wrote to memory of 2920 | 1788 | SenoxPermSpoofer.exe | cmd.exe
  PID 1788 wrote to memory of 2920 | 1788 | SenoxPermSpoofer.exe | cmd.exe
  PID 2508 wrote to memory of 2692 | 2508 | cmd.exe | schtasks.exe
  PID 2508 wrote to memory of 2692 | 2508 | cmd.exe | schtasks.exe
  PID 2508 wrote to memory of 2692 | 2508 | cmd.exe | schtasks.exe
  PID 2920 wrote to memory of 2728 | 2920 | cmd.exe | timeout.exe
  PID 2920 wrote to memory of 2728 | 2920 | cmd.exe | timeout.exe
  PID 2920 wrote to memory of 2728 | 2920 | cmd.exe | timeout.exe
  PID 2920 wrote to memory of 2852 | 2920 | cmd.exe | Senox Perm Spoofer.exe
  PID 2920 wrote to memory of 2852 | 2920 | cmd.exe | Senox Perm Spoofer.exe
  PID 2920 wrote to memory of 2852 | 2920 | cmd.exe | Senox Perm Spoofer.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\SenoxPermSpoofer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SenoxPermSpoofer.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Senox Perm Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID:2508
    - C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Senox Perm Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID:2692
  - C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB08A.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID:2920
    - C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
      PID:2728
    - C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe
      command line: "C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2852
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 162B
  MD5: c6b82a8b1be0dd7e671a89440fe801c4
  SHA1: a02cad4043069001dc2b4552b5bea3330791d56b
  SHA256: ba527288a8b9fc015a3955586e78c9aec42dc5663db7405a7ea9fcbf363de889
  SHA512: e4e4a8fa294f3ef6eda14bd18642cff681bfed1628eac038079b9c28c0670951e8261ad31e0657b8a7cc52b4e0f13df35955b403d1ac3c1311a751593bca3c31
- Filesize: 66KB
  MD5: c8e8287c2b1d18e37a6ac07f507ca836
  SHA1: 4e5d2f99740477a0c06b00049e59e1bfbefb65c7
  SHA256: fb7649dccc42200527879f8f34eacb68479dde81c1fec24c75dc974cac37e0c0
  SHA512: 9ce42e8488004bfe321c532437f3ff175fd0af28b94c6742f13934ac18c1f52828d8bdf54d7391bdea041f077670fd8d03957da85469e518dbe6f600893d707e