c18e046caa74cde4eafb00a085ca3fc71cca1fa64dadce301f2a4c5e850a7006

Analysis

max time kernel
16s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TITAN Spoofer.exe
Size

753KB
MD5

aa088716be4170c4b9b1bab7dbaae40d
SHA1

28f4242dd702feb68189f19f11917cc034ca5b4e
SHA256

78d8fd6dabbdfe8a2cf86bafcbcd3957fed7b45e5c3b74943443ea4b6f4cdfc8
SHA512

0ea26f50558e36347ffe16d2e4391cac90cf32c8d568dd9c6d69aaf6b0c86b04e10b0a38f35268d60a207dc428d9d59d6adc96974d7b86b4a83b5008885d451a
SSDEEP

12288:kTyXmyzxcv/heevzIe5mLDdP9wBgoEJ0GkZVoP+T41jBM2NQn+:fXmyOvZeeb35mLJ1w

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5048	TITAN Spoofer.exe
5048	TITAN Spoofer.exe
5048	TITAN Spoofer.exe
5048	TITAN Spoofer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	TITAN Spoofer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4112	5048	TITAN Spoofer.exe	88
PID 5048 wrote to memory of 4112	5048	TITAN Spoofer.exe	88
PID 4112 wrote to memory of 5040	4112	cmd.exe	89
PID 4112 wrote to memory of 5040	4112	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\TITAN Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\TITAN Spoofer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh interface set interface name="Realtek RTL8139C+ Fast Ethernet NIC" admin=disable >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Realtek RTL8139C+ Fast Ethernet NIC" admin=disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads