Analysis
max time kernel: 147s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 23:41
Behavioral task: behavioral1
Sample: SenoxPermSpoofer.exe
Resource: win7-20240903-en
General
Target: SenoxPermSpoofer.exe
Size: 66KB
MD5: c8e8287c2b1d18e37a6ac07f507ca836
SHA1: 4e5d2f99740477a0c06b00049e59e1bfbefb65c7
SHA256: fb7649dccc42200527879f8f34eacb68479dde81c1fec24c75dc974cac37e0c0
SHA512: 9ce42e8488004bfe321c532437f3ff175fd0af28b94c6742f13934ac18c1f52828d8bdf54d7391bdea041f077670fd8d03957da85469e518dbe6f600893d707e
SSDEEP: 1536:O5w/ntlY+c6ENTTIUK3TIU0KvGbbbwEoxv7GI9+9999999d999b999K9y96J999F:O5w/ntlY+c6ENTTIbTIU0gGbbbbKv2zY
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
safe
delay: 1
install: true
install_file: Senox Perm Spoofer.exe
install_folder: %AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe | yara_rule: family_asyncrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | process: SenoxPermSpoofer.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid: 1020 | process: Senox Perm Spoofer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid: 2892 | process: timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid: 4432 | process: SenoxPermSpoofer.exe (the report lists this same row 23 times, one per IoC)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description: Token: SeDebugPrivilege | pid: 4432 | process: SenoxPermSpoofer.exe
description: Token: SeDebugPrivilege | pid: 1020 | process: Senox Perm Spoofer.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 4432 wrote to memory of 4928 | 4432 | SenoxPermSpoofer.exe | cmd.exe
PID 4432 wrote to memory of 4928 | 4432 | SenoxPermSpoofer.exe | cmd.exe
PID 4432 wrote to memory of 4152 | 4432 | SenoxPermSpoofer.exe | cmd.exe
PID 4432 wrote to memory of 4152 | 4432 | SenoxPermSpoofer.exe | cmd.exe
PID 4928 wrote to memory of 708 | 4928 | cmd.exe | schtasks.exe
PID 4928 wrote to memory of 708 | 4928 | cmd.exe | schtasks.exe
PID 4152 wrote to memory of 2892 | 4152 | cmd.exe | timeout.exe
PID 4152 wrote to memory of 2892 | 4152 | cmd.exe | timeout.exe
PID 4152 wrote to memory of 1020 | 4152 | cmd.exe | Senox Perm Spoofer.exe
PID 4152 wrote to memory of 1020 | 4152 | cmd.exe | Senox Perm Spoofer.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SenoxPermSpoofer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SenoxPermSpoofer.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4432
  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Senox Perm Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 4928
    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Senox Perm Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID: 708
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 4152
    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
      PID: 2892
    C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe
      command line: "C:\Users\Admin\AppData\Roaming\Senox Perm Spoofer.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1020
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 162B
MD5: 01357e44dd9bf7f47b831383b9cfb072
SHA1: 825ea4ae07b4abf22e40f215d930049febe199de
SHA256: dcfa99ec16312d733f6cfd66803ea56deb19f8e8aae173c5177748f650d22f0d
SHA512: 53e95aa7a924451121258f23d1a4f1ee6de067c3b8c530b76d22e2781680b5f5549725b906104c8ef014926b5a839b338dc9f2b4ad0228b0052fc9c18cabc4e5
-
Filesize: 66KB
MD5: c8e8287c2b1d18e37a6ac07f507ca836
SHA1: 4e5d2f99740477a0c06b00049e59e1bfbefb65c7
SHA256: fb7649dccc42200527879f8f34eacb68479dde81c1fec24c75dc974cac37e0c0
SHA512: 9ce42e8488004bfe321c532437f3ff175fd0af28b94c6742f13934ac18c1f52828d8bdf54d7391bdea041f077670fd8d03957da85469e518dbe6f600893d707e