Analysis
- max time kernel: 145s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 18:23
Behavioral task: behavioral1
- Sample: XenoTempSpoofer.exe
- Resource: win7-20240903-en
General
- Target: XenoTempSpoofer.exe
- Size: 48KB
- MD5: ae54752c7443d6ad7823c7d53378fad9
- SHA1: 857798291622e0f266687e92d78cf8b2fca59476
- SHA256: 65f7aca2ea89920e1feacd898ca2245eee6d20e4da9e8c966379ff6477cb4d39
- SHA512: 8ece3fcdc15951ce96703b10d02e8d5f3d820d7c50f1e9cc8159faf73955b7911396b91312a30ca5a7602554a8dcf85e7efbffc9573e135b4d5c4a0e75238942
- SSDEEP: 768:j1gpLqIL8Goo+jitcKK/rgibI98YbBguA0ecy5cvEgK/JuqVc6KN:j1CSgtclrkzbuHnc0cnkJuqVclN
Malware Config
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: 127.0.0.1:8848
- Mutex: dll.sys
- delay: 1
- install: true
- install_file: XenoTemp Spoofer.exe
- install_folder: %AppData%
Note: the configured C2 is the loopback address, so this build only tries to reach the host it runs on; the empty Network section below is consistent with that. install_folder and install_file together give the persistence path seen in the process tree, %AppData%\XenoTemp Spoofer.exe.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe  yara_rule: family_asyncrat
- Executes dropped EXE (1 IoC)
  pid 2820  process: XenoTemp Spoofer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid 2688  process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2116  process: XenoTempSpoofer.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2116  process: XenoTempSpoofer.exe
  Token: SeDebugPrivilege  pid 2820  process: XenoTemp Spoofer.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  pid 2116 XenoTempSpoofer.exe wrote to memory of pid 2372 cmd.exe (3 events)
  pid 2116 XenoTempSpoofer.exe wrote to memory of pid 1488 cmd.exe (3 events)
  pid 2372 cmd.exe wrote to memory of pid 2868 schtasks.exe (3 events)
  pid 1488 cmd.exe wrote to memory of pid 2688 timeout.exe (3 events)
  pid 1488 cmd.exe wrote to memory of pid 2820 XenoTemp Spoofer.exe (3 events)
  Every pair above is a parent writing into the child it is creating, matching the process tree; none of these events is a write into an unrelated process, so this signature reflects process creation rather than injection.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\XenoTempSpoofer.exe (PID 2116)
  command line: "C:\Users\Admin\AppData\Local\Temp\XenoTempSpoofer.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 2372)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"' & exit
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe (PID 2868)
          command line: schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"'
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe (PID 1488)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCD2E.tmp.bat""
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\timeout.exe (PID 2688)
          command line: timeout 3
          - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe (PID 2820)
          command line: "C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
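The process tree above is the whole AsyncRAT install routine: a scheduled task created at logon with the highest run level pointing at the copy in %AppData%, and a temporary .bat that sleeps with timeout and then starts that copy. The following Python script is an added example, not part of the sandbox report, that reconstructs that chain from process-creation events. The event lines are constructed to mirror the tree (pid|ppid|image|command line); the dropper's parent pid (1000) and the field layout are assumptions, and the field names and helper functions are my own. It flags a schtasks /create with /sc onlogon and /rl highest whose /tr points into a user-writable directory, records the single-quote-around-double-quote wrapping of the /tr value exactly as the sample passes it, and links the task to a cmd /c *.bat, timeout N, dropped-exe sequence whose launched image matches the task target.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events (pid|ppid|image|command line) that
# mirror the process tree in the report above. They are not sandbox output;
# the dropper's parent pid (1000) and the field layout are assumptions.
SAMPLE_EVENTS = r"""
2116|1000|C:\Users\Admin\AppData\Local\Temp\XenoTempSpoofer.exe|"C:\Users\Admin\AppData\Local\Temp\XenoTempSpoofer.exe"
2372|2116|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"' & exit
2868|2372|C:\Windows\system32\schtasks.exe|schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"'
1488|2116|C:\Windows\system32\cmd.exe|cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCD2E.tmp.bat""
2688|1488|C:\Windows\system32\timeout.exe|timeout 3
2820|1488|C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe|"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# /tr value runs to the next switch or end of line (the path may contain spaces).
SCHTASKS_TR = re.compile(r"/tr\s+(.+?)(?=\s+/[a-z]{2}\b|\s*$)", re.I)
SCHTASKS_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)', re.I)
TIMEOUT_RE = re.compile(r"timeout\s+(?:/t\s+)?(\d+)", re.I)
# Directories a standard user can write to; persistence pointing here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)


def parse_events(text):
    procs = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        procs.append(Proc(int(pid), int(ppid), image, cmdline))
    return procs


def origin_of(p, by_pid):
    # Walk up the parent chain until the parent is outside the captured set.
    seen = set()
    while p.ppid in by_pid and p.pid not in seen:
        seen.add(p.pid)
        p = by_pid[p.ppid]
    return p


def scheduled_task_persistence(procs):
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        low = p.cmdline.lower()
        if not p.image.lower().endswith("schtasks.exe") or "/create" not in low:
            continue
        tr = SCHTASKS_TR.search(p.cmdline)
        if not tr:
            continue
        raw = tr.group(1).strip()
        tn = SCHTASKS_TN.search(p.cmdline)
        hits.append({
            "pid": p.pid,
            "task_name": tn.group(1) if tn else None,
            "target": raw.strip("'\""),
            "on_logon": "/sc onlogon" in low,
            "highest": "/rl highest" in low,
            "user_writable_target": bool(USER_WRITABLE.search(raw)),
            # The sample wraps the /tr path as '"..."'; cmd passes the single quotes literally.
            "quote_wrapped": raw.startswith("'\"") and raw.endswith("\"'"),
            "origin_image": origin_of(p, by_pid).image,
        })
    return hits


def delayed_relaunch(procs):
    by_ppid = defaultdict(list)
    for p in procs:
        by_ppid[p.ppid].append(p)
    hits = []
    for p in procs:
        bat = BAT_RE.search(p.cmdline) if p.image.lower().endswith("cmd.exe") else None
        if not bat:
            continue
        delay, launched = None, []
        for child in by_ppid[p.pid]:
            t = TIMEOUT_RE.search(child.cmdline) if child.image.lower().endswith("timeout.exe") else None
            if t:
                delay = int(t.group(1))
            elif USER_WRITABLE.search(child.image):
                launched.append(child.image)
        if delay is not None and launched:
            hits.append({"pid": p.pid, "bat": bat.group(1), "delay_seconds": delay, "launched": launched})
    return hits


def analyse(text):
    procs = parse_events(text)
    tasks = scheduled_task_persistence(procs)
    relaunches = delayed_relaunch(procs)
    targets = {t["target"].lower() for t in tasks}
    # A relaunch whose dropped image is also a scheduled-task target is the full install chain.
    linked = [r for r in relaunches if any(img.lower() in targets for img in r["launched"])]
    return {"tasks": tasks, "relaunches": relaunches, "linked_chains": linked}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(key, value)
```

The same logic applies to Sysmon Event ID 1 or Security 4688 records, using ProcessId, ParentProcessId, Image and CommandLine for the four fields. The quote-wrapped /tr value is worth hunting for on its own: it is how this sample invokes schtasks, and a legitimate administrator rarely wraps a task action in single quotes around double quotes.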
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 160B
  MD5: 62a13950b953a04c521d84741715b83e
  SHA1: 07d75f3b4a5014b24d3a7200cfa73d825e98ee24
  SHA256: 50e71bf3581b92f355a166f4131f63619d384ff2b04020071e86eb40152ddf1e
  SHA512: c3f9deea7da3b4d9dc14430a3d88f9a1711081be7c923c159d30a3d25b2e7b5b42e4d8b5607400c32ee3e1b75e1f8122a9f5f07a38b69b7192792d72e965a13f
- Filesize: 48KB (hashes identical to the submitted sample)
  MD5: ae54752c7443d6ad7823c7d53378fad9
  SHA1: 857798291622e0f266687e92d78cf8b2fca59476
  SHA256: 65f7aca2ea89920e1feacd898ca2245eee6d20e4da9e8c966379ff6477cb4d39
  SHA512: 8ece3fcdc15951ce96703b10d02e8d5f3d820d7c50f1e9cc8159faf73955b7911396b91312a30ca5a7602554a8dcf85e7efbffc9573e135b4d5c4a0e75238942