20e8702a052a16ab091c1b24da58832efdcc7eca02d3f74448fc2eec98f53d92

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 16:14

Target

VEX SPOOFER/Poofer.exe
Size

1.2MB
MD5

d406a0693d263ed93bf082b8cf9f1ea6
SHA1

c8fefc408181d4cbd98acd8fabee8561aa8bfcb0
SHA256

a73a8dab43ba92dc9e7474d980f367b70250956fae95ae16ff0c8b5c275fb459
SHA512

f968c2f6e8392e89b25db15927309224b4bab47150f3da2ef6decbb03efb32d74f557301eadd6b0fbc7927adba0f5cd9d3c4465bd46942fbb18d5b36e78754de
SSDEEP

24576:pqDEvCTbMWu7rQYlBQcBiT6rprG8aozCCViE7fSW/J4DU8ee8Ub:pTvC/MTQYxsWR7ao+TWB6ew

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\Etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	LoaderPoof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1124	2988	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of FindShellTrayWindow 3 IoCs

Suspicious use of SendNotifyMessage 3 IoCs

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2988	2716	Poofer.exe	85
PID 2716 wrote to memory of 2988	2716	Poofer.exe	85
PID 2716 wrote to memory of 4320	2716	Poofer.exe	87
PID 2716 wrote to memory of 4320	2716	Poofer.exe	87
PID 2716 wrote to memory of 4320	2716	Poofer.exe	87
PID 2988 wrote to memory of 2260	2988	LoaderPoof.exe	89
PID 2988 wrote to memory of 2260	2988	LoaderPoof.exe	89
PID 2988 wrote to memory of 208	2988	LoaderPoof.exe	92
PID 2988 wrote to memory of 208	2988	LoaderPoof.exe	92
PID 208 wrote to memory of 3572	208	cmd.exe	93
PID 208 wrote to memory of 3572	208	cmd.exe	93
PID 208 wrote to memory of 728	208	cmd.exe	94
PID 208 wrote to memory of 728	208	cmd.exe	94
PID 208 wrote to memory of 1120	208	cmd.exe	95
PID 208 wrote to memory of 1120	208	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\VEX SPOOFER\Poofer.exe
"C:\Users\Admin\AppData\Local\Temp\VEX SPOOFER\Poofer.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\LoaderPoof.exe
  C:\Users\Admin\AppData\Local\Temp/LoaderPoof.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\LoaderPoof.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\LoaderPoof.exe" MD5
      4⤵
      PID:3572
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:728
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1120
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2988 -s 1248
    3⤵
    - Program crash
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp/host.bat
  2⤵
  - Drops file in Drivers directory
  PID:4320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 2988 -ip 2988
1⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\LoaderPoof.exe

Filesize
892KB

MD5
a233f3c7989ee7f2bd86f8077e3fc332

SHA1
8433b621aaab5fda6d7223068c01fce66250a15f

SHA256
54a0f3b57a8d605dc00078d99e37148f84c5cd2aff38190d6b400c12b4b29846

SHA512
74cbe8487bcdeae0134061fbdd0aff7cc834ce6a650ab5981f7961466980ed21c37c03581a919127681e646f438e81486d001f6cf9a61f05edc53bff4c117e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoaderPoof.exe

Filesize
892KB

MD5
a233f3c7989ee7f2bd86f8077e3fc332

SHA1
8433b621aaab5fda6d7223068c01fce66250a15f

SHA256
54a0f3b57a8d605dc00078d99e37148f84c5cd2aff38190d6b400c12b4b29846

SHA512
74cbe8487bcdeae0134061fbdd0aff7cc834ce6a650ab5981f7961466980ed21c37c03581a919127681e646f438e81486d001f6cf9a61f05edc53bff4c117e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\host.bat

Filesize
173B

MD5
2d60ad1f974f5265f663a3bf905a614c

SHA1
7df61cb3348a56298095bbfed4a0a8fd03ca29ee

SHA256
0ccb031ebeb8b01822903e23807230c959902526a231535d73d07f76858706dc

SHA512
57e00ee7a55668cb42cf1835d4f827e09a4362685a8e28bfd0380f2e34a9da3958d64d1292213564919cdd5a379e203f00888be8eb7794404f8e56fc59fc7706

Download Submit