Analysis
max time kernel: 10s
max time network: 12s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2023 12:56
Behavioral task: behavioral1
Sample: Spoof.exe
Resource: win10v2004-20230220-en (windows10-2004-x64)
4 signatures, 300 seconds
General
Target: Spoof.exe
Size: 6.7MB
MD5: be2fb7083265a28606ee1a4842818936
SHA1: 7e0c124692ae0ad69c545aee936fa9d88049289f
SHA256: 638f8d580ead5433ba0dd375e4d4cce3062f9e930ae201f8cb3d83d1d6906a4d
SHA512: 2f3204c483178324573b240febb73c56de73c293de59fd8e926202206b187bc2dd844f345539aa74ec0ec508672fd7fd26f3558a27499c774b31febecfbf085d
SSDEEP: 196608:rG5Heio40dbTvZm0mgVyhAFiI6KpqpQ9TAn0/q5s0DjewyWRaY+VPD:6lo40NB2gVyBIJEQhY0C5tvewDRO
Score: 7/10
Malware Config

Signatures
- YARA rule match
  resource: behavioral1/memory/2440-135-0x00007FF6A9710000-0x00007FF6AA2E8000-memory.dmp
  yara_rule: vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 2440, process Spoof.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2440, process Spoof.exe
  pid 2440, process Spoof.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 2440 wrote to memory of 1804 | 2440 | Spoof.exe | cmd.exe
  PID 2440 wrote to memory of 1804 | 2440 | Spoof.exe | cmd.exe
  PID 1804 wrote to memory of 1584 | 1804 | cmd.exe | certutil.exe
  PID 1804 wrote to memory of 1584 | 1804 | cmd.exe | certutil.exe
  PID 1804 wrote to memory of 4732 | 1804 | cmd.exe | find.exe
  PID 1804 wrote to memory of 4732 | 1804 | cmd.exe | find.exe
  PID 1804 wrote to memory of 3284 | 1804 | cmd.exe | find.exe
  PID 1804 wrote to memory of 3284 | 1804 | cmd.exe | find.exe
  PID 2440 wrote to memory of 2552 | 2440 | Spoof.exe | cmd.exe
  PID 2440 wrote to memory of 2552 | 2440 | Spoof.exe | cmd.exe
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\Spoof.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Spoof.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Spoof.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\system32\certutil.exe
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Spoof.exe" MD5
    (level 3) C:\Windows\system32\find.exe
      command line: find /i /v "md5"
    (level 3) C:\Windows\system32\find.exe
      command line: find /i /v "certutil"
  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls