Analysis

  • max time kernel
    89s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2022 18:43

General

  • Target

    SPOOFER.exe

  • Size

    18.4MB

  • MD5

    d6766c49efc4deebc2d23175b921e5a1

  • SHA1

    baa214bf07abe899999ab4831780078767201bba

  • SHA256

    2cf44b30026d86372f690373d99012b3d63f63ca76bc86020d50679520b2fc5d

  • SHA512

    230dd9a78cc8ed0b46d777b1d5405697938d7bbc7fa7199431c59e569d6075c4b9a30aa9fda2f1a59831c35adf7a55dd67053a4370a74ac2d9c39083975c1ef9

  • SSDEEP

    393216:tH6k6pNB/jBNdFDyKs/K/oQ7XW2mxb+jGEjc3H8R62r1SCsbydGFw:taTNdvdF+Ks/sX65+fY3H8R1BJsb/Fw

Score
9/10

Signatures

  • Nirsoft (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoC)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)
    Disk information is often read in order to detect sandboxing environments.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Kills process with taskkill (3 IoCs)
  • Runs ping.exe (1 TTP, 14 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
    "C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FF56.tmp\FF57.tmp\FF58.bat C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
        "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1881.tmp\1882.tmp\1883.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Windows\system32\PING.EXE
            ping /n 1 localhost
            5⤵
            • Runs ping.exe
            PID:1124
          • C:\Windows\system32\PING.EXE
            ping /n 1 localhost
            5⤵
            • Runs ping.exe
            PID:1748
          • C:\Windows\system32\PING.EXE
            ping /n 1 localhost
            5⤵
            • Runs ping.exe
            PID:1224
          • C:\Windows\system32\PING.EXE
            ping /n 2 localhost
            5⤵
            • Runs ping.exe
            PID:1220
      • C:\Windows\system32\PING.EXE
        PING localhost -n 3
        3⤵
        • Runs ping.exe
        PID:1572
      • C:\Windows\system32\PING.EXE
        PING localhost -n 3
        3⤵
        • Runs ping.exe
        PID:300
      • C:\Users\Admin\AppData\Roaming\DevManView.exe
        ""DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\system32\PING.EXE
        PING localhost -n 3
        3⤵
        • Runs ping.exe
        PID:592
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im DevManView.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im DeviceCleanupCmd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im DriveCleanup.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
      • C:\Windows\system32\PING.EXE
        ping 1.2.3.4 -n 1 -w 1000
        3⤵
        • Runs ping.exe
        PID:880
      • C:\Windows\system32\PING.EXE
        ping www.google.com -n 1
        3⤵
        • Runs ping.exe
        PID:856
      • C:\Windows\system32\find.exe
        find "TTL="
        3⤵
        PID:1244
      • C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
        "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3257.tmp\3258.tmp\3259.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\system32\PING.EXE
            ping /n 1 localhost
            5⤵
            • Runs ping.exe
            PID:1472
          • C:\Windows\system32\PING.EXE
            ping /n 1 localhost
            5⤵
            • Runs ping.exe
            PID:1432
          • C:\Windows\system32\PING.EXE
            ping /n 1 localhost
            5⤵
            • Runs ping.exe
            PID:916
          • C:\Windows\system32\PING.EXE
            ping /n 2 localhost
            5⤵
            • Runs ping.exe
            PID:1836
      • C:\Windows\system32\PING.EXE
        PING localhost -n 2
        3⤵
        • Runs ping.exe
        PID:1748
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
    PID:1504

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1881.tmp\1882.tmp\1883.bat
    Filesize
    845B
    MD5
    54d18c0e0a34808017e53029d7875c09
    SHA1
    bca96014c545bd02f964cc3dd368b5c6ce9f2963
    SHA256
    6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae
    SHA512
    95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

  • C:\Users\Admin\AppData\Local\Temp\3257.tmp\3258.tmp\3259.bat
    Filesize
    845B
    MD5
    54d18c0e0a34808017e53029d7875c09
    SHA1
    bca96014c545bd02f964cc3dd368b5c6ce9f2963
    SHA256
    6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae
    SHA512
    95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

  • C:\Users\Admin\AppData\Local\Temp\FF56.tmp\FF57.tmp\FF58.bat
    Filesize
    39B
    MD5
    a9832ef693180ebedb5b6ed08f0b3227
    SHA1
    b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2
    SHA256
    9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567
    SHA512
    fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

  • C:\Users\Admin\AppData\Roaming\3combined.bat
    Filesize
    4KB
    MD5
    6df9535d2df5e0b6b1cd4d06f8a05a49
    SHA1
    86bb295155aa0749d16250c53ca6f8d35f4d10f1
    SHA256
    7b302fcb1c84ecf717fbc5d613fc909625864276daa526bbd601b72422efedb9
    SHA512
    42cecf51cc5e293defb6694d3771c1810a417341d4cc9c65e57be076ade29c8c82500d5a1bbbfa1431ea612e802b169f473c5d9a9952ade92af3d854d3cd0d3d

  • C:\Users\Admin\AppData\Roaming\DevManView.cfg
    Filesize
    1KB
    MD5
    c397462965258ee0bbe4742f83d7c977
    SHA1
    7a12c6504184c38b9e8096357f651a04c170b59c
    SHA256
    59f1e9118a106e15b2c151080e4167c4c1dc5fd33d2443ca160511ac7d9b781e
    SHA512
    9ccff5046bfc41e50707d36d0a9f0654f6ef86525a26656d6bc9f5759455a2b328525f4b79ed6102d5e3cf3300027264830067c6b22891a92ccfc7fc33bc9ce2

  • C:\Users\Admin\AppData\Roaming\DevManView.exe
    Filesize
    162KB
    MD5
    33d7a84f8ef67fd005f37142232ae97e
    SHA1
    1f560717d8038221c9b161716affb7cd6b14056e
    SHA256
    a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
    SHA512
    c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

  • C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
    Filesize
    219KB
    MD5
    303dbf6d5ce6b658919091240d5a4a80
    SHA1
    d45946e1d3c4d973042e0c1bdd88fbc1774f1385
    SHA256
    70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18
    SHA512
    666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408
  • \Users\Admin\AppData\Roaming\DevManView.exe
    Filesize
    162KB
    MD5
    33d7a84f8ef67fd005f37142232ae97e
    SHA1
    1f560717d8038221c9b161716affb7cd6b14056e
    SHA256
    a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
    SHA512
    c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

  • \Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
    Filesize
    219KB
    MD5
    303dbf6d5ce6b658919091240d5a4a80
    SHA1
    d45946e1d3c4d973042e0c1bdd88fbc1774f1385
    SHA256
    70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18
    SHA512
    666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

  • memory/288-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp
    Filesize
    8KB