Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2024 18:20
Behavioral task: behavioral1
- Sample: Xeno Temp Spoofer.exe
- Resource: win7-20240903-en
General
- Target: Xeno Temp Spoofer.exe
- Size: 48KB
- MD5: ae54752c7443d6ad7823c7d53378fad9
- SHA1: 857798291622e0f266687e92d78cf8b2fca59476
- SHA256: 65f7aca2ea89920e1feacd898ca2245eee6d20e4da9e8c966379ff6477cb4d39
- SHA512: 8ece3fcdc15951ce96703b10d02e8d5f3d820d7c50f1e9cc8159faf73955b7911396b91312a30ca5a7602554a8dcf85e7efbffc9573e135b4d5c4a0e75238942
- SSDEEP: 768:j1gpLqIL8Goo+jitcKK/rgibI98YbBguA0ecy5cvEgK/JuqVc6KN:j1CSgtclrkzbuHnc0cnkJuqVclN
Malware Config
Extracted: asyncrat 1.0.7
- Default
- 127.0.0.1:8848
- dll.sys
- delay: 1
- install: true
- install_file: XenoTemp Spoofer.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe / family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation / Xeno Temp Spoofer.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 3544 / XenoTemp Spoofer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
  - 684 / timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (pid / process):
  - 2584 / Xeno Temp Spoofer.exe (the same entry is listed 25 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2584 / Xeno Temp Spoofer.exe
  - Token: SeDebugPrivilege / 3544 / XenoTemp Spoofer.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
  - PID 2584 wrote to memory of 4016 / 2584 / Xeno Temp Spoofer.exe / cmd.exe (listed twice)
  - PID 2584 wrote to memory of 3536 / 2584 / Xeno Temp Spoofer.exe / cmd.exe (listed twice)
  - PID 4016 wrote to memory of 3172 / 4016 / cmd.exe / schtasks.exe (listed twice)
  - PID 3536 wrote to memory of 684 / 3536 / cmd.exe / timeout.exe (listed twice)
  - PID 3536 wrote to memory of 3544 / 3536 / cmd.exe / XenoTemp Spoofer.exe (listed twice)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Xeno Temp Spoofer.exe (PID 2584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Xeno Temp Spoofer.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4016)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 3172)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "XenoTemp Spoofer" /tr '"C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"'
      Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 3536)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp80E8.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 684)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe (PID 3544)
      Command line: "C:\Users\Admin\AppData\Roaming\XenoTemp Spoofer.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 160B
  MD5: 0f0b6c11c9338dd7d9b991c0fb0eb616
  SHA1: 66841b27ca0a6fc32d8022dc8a63eea8dba0d700
  SHA256: dfdf29dc4dd72eac3eb6bf9851962789d51a9a3018954ee1611597622cca065f
  SHA512: e211e42eecdbcf0dd67e6aa19b3358916e94ef61b50242c56feb664553ba5fc4cb85cacec5ae547b08c546a1e088d357cfed05b6c350a89cef5a192bc6d35e15
- Filesize: 48KB
  MD5: ae54752c7443d6ad7823c7d53378fad9
  SHA1: 857798291622e0f266687e92d78cf8b2fca59476
  SHA256: 65f7aca2ea89920e1feacd898ca2245eee6d20e4da9e8c966379ff6477cb4d39
  SHA512: 8ece3fcdc15951ce96703b10d02e8d5f3d820d7c50f1e9cc8159faf73955b7911396b91312a30ca5a7602554a8dcf85e7efbffc9573e135b4d5c4a0e75238942