Analysis
max time kernel: 147s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 18:23
Behavioral task: behavioral1
Sample: XenoTempSpoofer.exe
Resource: win7-20240903-en
General
Target: XenoTempSpoofer.exe
Size: 48KB
MD5: ae54752c7443d6ad7823c7d53378fad9
SHA1: 857798291622e0f266687e92d78cf8b2fca59476
SHA256: 65f7aca2ea89920e1feacd898ca2245eee6d20e4da9e8c966379ff6477cb4d39
SHA512: 8ece3fcdc15951ce96703b10d02e8d5f3d820d7c50f1e9cc8159faf73955b7911396b91312a30ca5a7602554a8dcf85e7efbffc9573e135b4d5c4a0e75238942
SSDEEP: 768:j1gpLqIL8Goo+jitcKK/rgibI98YbBguA0ecy5cvEgK/JuqVc6KN:j1CSgtclrkzbuHnc0cnkJuqVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
dll.sys
Attributes:
- delay: 1
- install: true
- install_file: XenoTemp Spoofer.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe    yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: XenoTempSpoofer.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
    process: XenoTempSpoofer.exe
- Executes dropped EXE (1 IoCs)
  Processes: XenoTemp Spoofer.exe
    pid 1416    process XenoTemp Spoofer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
    pid 4816    process timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes: XenoTempSpoofer.exe
    pid 4572    process XenoTempSpoofer.exe    (23 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: XenoTempSpoofer.exe, XenoTemp Spoofer.exe
    description                 pid     process
    Token: SeDebugPrivilege     4572    XenoTempSpoofer.exe
    Token: SeDebugPrivilege     1416    XenoTemp Spoofer.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: XenoTempSpoofer.exe, cmd.exe, cmd.exe
    description                         pid     process                 target process
    PID 4572 wrote to memory of 488     4572    XenoTempSpoofer.exe     cmd.exe                 (2 entries)
    PID 4572 wrote to memory of 3200    4572    XenoTempSpoofer.exe     cmd.exe                 (2 entries)
    PID 488 wrote to memory of 3068     488     cmd.exe                 schtasks.exe            (2 entries)
    PID 3200 wrote to memory of 4816    3200    cmd.exe                 timeout.exe             (2 entries)
    PID 3200 wrote to memory of 1416    3200    cmd.exe                 XenoTemp Spoofer.exe    (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XenoTempSpoofer.exe (depth 1, PID 4572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XenoTempSpoofer.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\cmd.exe (depth 2, PID 488)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"' & exit
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\schtasks.exe (depth 3, PID 3068)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"'
      Signatures:
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (depth 2, PID 3200)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp.bat""
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\timeout.exe (depth 3, PID 4816)
      Command line: timeout 3
      Signatures:
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe (depth 3, PID 1416)
      Command line: "C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 160B
  MD5: 8dccb6279e7cedd3b820ec3a88589506
  SHA1: b59bd2f22f03ec92640d7c2bcab697a310e7cd35
  SHA256: 6779c0d5093aec1534f6426ac515d495da79ec9b0d66827ee275084231527a75
  SHA512: de1b7eb27043797c4c258bd2ca406a04587f596ed9a3fc357cb75d20e2f90c896ad4510f01e6fa5fe5fc06239519b630c89b1e00d00b599b032f5178799eec76
- Filesize: 48KB
  MD5: ae54752c7443d6ad7823c7d53378fad9
  SHA1: 857798291622e0f266687e92d78cf8b2fca59476
  SHA256: 65f7aca2ea89920e1feacd898ca2245eee6d20e4da9e8c966379ff6477cb4d39
  SHA512: 8ece3fcdc15951ce96703b10d02e8d5f3d820d7c50f1e9cc8159faf73955b7911396b91312a30ca5a7602554a8dcf85e7efbffc9573e135b4d5c4a0e75238942