Resubmissions

16/10/2022, 22:57

221016-2xmyfaaddp 8

16/10/2022, 22:50

221016-2sk82sada9 1

Analysis

  • max time kernel
    158s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/10/2022, 22:57

General

  • Target

    SpyHunter by windowsactivation.net.rar

  • Size

    3.0MB

  • MD5

    767feaffce5aa556d4dfe68be2e7bb45

  • SHA1

    43d74e509e15b2961a15d924abf2294b918537a8

  • SHA256

    d1fb85e63f1d1b46efaf9790fec6157ae1fc169d8b4a05290ebdff0205dcac1e

  • SHA512

    fc3ae140c6829d828ab9faed903533c9f857307a5f279ba95b764f4a19f4bb59da1110561e6ac278567b34291a1280141fc12d92fd06886283c0c374777c1a2d

  • SSDEEP

    49152:OY8JwzJ9M6oZ+gv6FjRAeYt7pkaTWRZ4B/e6dJhAiNyH7vlrXCNGozvN5d:OY8GzJ9/k+giFXWpkv0J/kUyHZbwvN

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SpyHunter by windowsactivation.net.rar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SpyHunter by windowsactivation.net.rar
      2⤵
      • Modifies registry class
      PID:1716
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
    1⤵
    PID:384
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x484
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1536
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SpyHunter by windowsactivation.net\" -spe -an -ai#7zMap32141:126:7zEvent10372
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1076
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1224
  • C:\Users\Admin\Desktop\SpyHunter by windowsactivation.net\SpyHunter by windowsactivation.net.exe
    "C:\Users\Admin\Desktop\SpyHunter by windowsactivation.net\SpyHunter by windowsactivation.net.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:652

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

      Filesize

      5KB

      MD5

      445da50b6e19a65dad621feade74b210

      SHA1

      338b776af781349256b0796c659b6f3c0087d7a1

      SHA256

      bc5bbcae7aebb8cb00b6e019a5db64694f0c7b4a2d9449ee2d231e3dea7cc875

      SHA512

      02026a50444908cbe710e7f27ec9e2a6d4f0209757dfc3945d473bda295db5b5e65a04b48c09aff934929c2c6bac16460783dcfe31a322810bf8656f339d0f3b

    • C:\Users\Admin\Desktop\SpyHunter by windowsactivation.net\SpyHunter by windowsactivation.net.exe

      Filesize

      6.2MB

      MD5

      7e47be258b69eaadd7341aeaca43959a

      SHA1

      2159b3bf9360ae6b4028efab6963d49dded0820a

      SHA256

      9996c01d79ce10f82189ef43f069c7440178f3051ba49e40c9a6f7dbf6b5a268

      SHA512

      8dddbf4f9b300e30500a05e37054a0f50dd47687bbb7b7ac0d8c0af11b5534ec278e09d761ca1fdec3a059350eee637312c664d7a0821c9eee61437ad0512009

    • C:\Users\Admin\Desktop\SpyHunter by windowsactivation.net\windowsactivation.net.url

      Filesize

      118B

      MD5

      87e62bf1797b5e0081d78a61568939fd

      SHA1

      5a0f346c6c380766333f68d39d413bd20336978d

      SHA256

      a75a691c8d902eab99cf2ae3785d1e5ff035ec4dc0d860e1a492a0b441d74835

      SHA512

      67832b2d860d8408db98f89979534db9238fe41b93d1002550c8889b2e910584ed81c5c712ac50e8928cc145c56f601ec71ffd225bbccc6e1e3446ba716f488a

    • memory/652-86-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

      Filesize

      8KB

    • memory/1976-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

      Filesize

      8KB