Resubmissions
- 15-01-2022 17:03  220115-vks6cseha4 (10)
- 15-01-2022 17:02  220115-vj9fysfbgj (7)
- 15-01-2022 16:58  220115-vg7jksegh8 (7)
Analysis
- max time kernel: 4265101s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-01-2022 17:03
- Static task: static1
- Behavioral task: behavioral1 (Sample: 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe, Resource: win10-en-20211208)
- Behavioral task: behavioral2 (Sample: 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe, Resource: win10v2004-en-20220112)
- Behavioral task: behavioral3 (Sample: 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe, Resource: win11)
General
- Target: 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe
- Size: 5MB
- MD5: 063822ca7966327be6a3dadb06e16d6c
- SHA1: 68f61f2bcf3c325adbb190b892297d78a4f75254
- SHA256: 515f555c06db60243a892bbdf57704792956569387482f6a7a001a782bb6bcd1
- SHA512: 8c6e0963f3d8c4510426e8cf7511e62cd65eb6873037e235f9b27ac52736f4535ccc1cf499e2c689285c4bc76a9e3cb276c6dc5144bf1bd1222714333e698be5
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: 2.56.59.239:7355
- communication_password: c7dd0cd2ba364f132afa1dc58698c64e
- tor_process: tor
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: PID 2876 spoofer.exe
- YARA rule match on resource behavioral2/memory/2772-132-0x00000000006D0000-0x0000000000FD6000-memory.dmp: themida
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes: PID 2772 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe; PID 2876 spoofer.exe (4 times)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\spoofer.exe by 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by MusNotification.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by MusNotification.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 2772 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe (2 times)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PID 2772 063822ca7966327be6a3dadb06e16d6c.exe.vir.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeShutdownPrivilege: PID 2204 MusNotification.exe
  Token SeCreatePagefilePrivilege: PID 2204 MusNotification.exe
  Token SeShutdownPrivilege: PID 2876 spoofer.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 2876 spoofer.exe (2 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2772 (063822ca7966327be6a3dadb06e16d6c.exe.vir.exe) wrote to memory of PID 2160 (cmd.exe) (3 times)
  PID 2160 (cmd.exe) wrote to memory of PID 2876 (spoofer.exe) (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\063822ca7966327be6a3dadb06e16d6c.exe.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\063822ca7966327be6a3dadb06e16d6c.exe.vir.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C://Windows//spoofer.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\spoofer.exe
      Command line: C://Windows//spoofer.exe
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\MusNotification.exe
  Command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Windows\spoofer.exe
  MD5: 647ca708578d150575f22990d4f59c80
  SHA1: 444acf34db6264ac9612ae2a3c20546482f64070
  SHA256: 7bb79061b7e9fe2e1149f524b99757604729d0195e56f737cf793c776b95a8aa
  SHA512: 8d34bb271069773427690ce3a2a11ed4a8a7cacc83823dc58b895a6bc1c7198ca0f6b1f7113452355ac5952539813754563ba6203576d4376f4ca3940fdd828d
- memory/2160-134-0x0000000000000000-mapping.dmp
- memory/2772-131-0x0000000003220000-0x0000000003221000-memory.dmp (Filesize: 4KB)
- memory/2772-132-0x00000000006D0000-0x0000000000FD6000-memory.dmp (Filesize: 9MB)
- memory/2772-133-0x0000000003210000-0x0000000003211000-memory.dmp (Filesize: 4KB)
- memory/2876-135-0x0000000000000000-mapping.dmp