Overview

overview

3

Static

static

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...up.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

3

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...er.exe

windows10-2004-x64

1

moonspoofe...up.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    38s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2022, 13:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    moonspoofer-main/moonspoofer/bin/Release/MoonSpoofer.exe

  • Size

    366KB

  • MD5

    05a818e32cabf2959b6a163b3f24cdf4

  • SHA1

    4ce4103680a0a654bc24be1a561292656fe59005

  • SHA256

    01bfe4c5b557c60274cc43624b637c52f20584d8e4aa24d780e547c4b2ba1059

  • SHA512

    8ff7351e2b0f67662e687466a4bff6661a89858b66b8975b535d942175ce48ce7c9bf7ee007d02d3d4c6fb6011661c1a5d95ceb7afa89e277f1675674333be1d

  • SSDEEP

    6144:hXnxbPLaA9v7xpKpLo/3Ew/uo27pUogiDsZAEw/uo2uEw/uo2uEw/uo23ja:RWs0K527lsZK52hK52hK52Ta

Score
1/10

Malware Config

Signatures

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\moonspoofer-main\moonspoofer\bin\Release\MoonSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\moonspoofer-main\moonspoofer\bin\Release\MoonSpoofer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Application not found && timeout /t 5"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C "color b && title Error && echo Application not found && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4560
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:384

Network

  • flag-unknown
    DNS
    keyauth.win
    MoonSpoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    keyauth.win
    IN A
    Response
    keyauth.win
    IN A
    188.114.96.1
    keyauth.win
    IN A
    188.114.97.1
  • flag-unknown
    POST
    https://keyauth.win/api/1.0/
    MoonSpoofer.exe
    Remote address:
    188.114.96.1:443
    Request
    POST /api/1.0/ HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: keyauth.win
    Content-Length: 386
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 18 Dec 2022 13:40:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 77b8502c9883b8c0-AMS
    Access-Control-Allow-Origin: *
    CF-Cache-Status: DYNAMIC
    Server-Timing: cf-q-config;dur=8.9999957708642e-06
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9s%2BHHP%2FTprkaIeh4vUyE3uH8z1XcjNT3R16RP70C3yoRJxPBPZ%2Fziv9UhDnOz%2BaYmVA%2FQeCUb5Jild%2F3vP58ZGrQlwHeLEFt3wtiroMS2efpYvmumI%2F9KvfWnfk9lg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • 93.184.220.29:80
    322 B
     7
  • 188.114.96.1:443
    https://keyauth.win/api/1.0/
    tls, http
    MoonSpoofer.exe
    1.3kB
     4.1kB
     10
    10

    HTTP Request

    POST https://keyauth.win/api/1.0/

    HTTP Response

    200
  • 20.42.65.84:443
    322 B
     7
  • 8.253.208.113:80
    276 B
     6
  • 8.253.208.113:80
    276 B
     6
  • 104.80.225.205:443
    276 B
     6
  • 8.8.8.8:53
    keyauth.win
    dns
    MoonSpoofer.exe
    57 B
     89 B
     1
    1

    DNS Request

    keyauth.win

    DNS Response

    188.114.96.1
    188.114.97.1

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4940-132-0x00000000003E0000-0x0000000000440000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4940-133-0x0000000005300000-0x00000000058A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4940-134-0x0000000004DF0000-0x0000000004E82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4940-135-0x0000000004F90000-0x0000000004F9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4940-136-0x00000000058B0000-0x00000000059FE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4940-137-0x0000000005F30000-0x00000000062F0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4940-138-0x00000000093A0000-0x00000000093B2000-memory.dmp

    Filesize

    72KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.