Overview

overview

8

Static

static

1

SpyHunter-...er.exe

windows7-x64

8

SpyHunter-...er.exe

windows10-2004-x64

1

Resubmissions

30-05-2023 03:52

230530-ee6lhafa88 8

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2023 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SpyHunter-5.13-6-5285-Installer.exe

  • Size

    6.6MB

  • MD5

    3ce9158024e74733de9ab2232fb73dcb

  • SHA1

    5fc8ed33206ab5b93f736114ba99bf47f81bfef6

  • SHA256

    e7dd3449cb2fd81c06e0f5c19e20b280c80fc4533356f3bf67fdfcb6ce238056

  • SHA512

    ac2e9d45a992513d8f4efee73f5a7166071b837302fc91888122d6a211b0437de75776d509b308809751b7c9fad69ebca5f8c6835d66b6fcb467f4cd434f06bb

  • SSDEEP

    98304:qzCgxMDk3jEO+F7qxBO7j/11ajr5pJ+9PbES9qCJV03oJT2wIZx3oIODbhHMxvTk:qHMOjEO++CqFpJ+9PbxXV0YJzD9HMxvY

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Patched UPX-packed file 4 IoCs

    Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 49 IoCs
  • Drops file in Windows directory 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Loads dropped DLL 9 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.13-6-5285-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.13-6-5285-Installer.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
      2⤵
      • Launches sc.exe
      PID:1264
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
      2⤵
      • Launches sc.exe
      PID:1628
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
      2⤵
      • Launches sc.exe
      PID:1552
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
      2⤵
      • Launches sc.exe
      PID:1540
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe config ShMonitor start= auto
      2⤵
      • Launches sc.exe
      PID:1936
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe config EsgShKernel start= auto
      2⤵
      • Launches sc.exe
      PID:2000
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:1340
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe start EsgShKernel -tt_on
      2⤵
      • Launches sc.exe
      PID:1236
    • C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe start ShMonitor
      2⤵
      • Launches sc.exe
      PID:752
  • C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
    "C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:832
  • C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
    "C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:1580
  • C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
    "C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks processor information in registry
    PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat
    Filesize

    8KB

    MD5

    f0d12083b3230a11fa8e676b602c689d

    SHA1

    86e11395c07353806a1280b08f00697c3125e83f

    SHA256

    d2d92b055993440feb75f162f65691f19cd8881864d4bc92fcea176b86c6add5

    SHA512

    c713416cc02a8eae72e83d1c3f298f09d1362cc396713a4fa93cc1353342556a3bed02440a5d5c017ca3ae6bff67e2f5bdc90a59d53e1c43de39d46306b8cbc9

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def
    Filesize

    3.3MB

    MD5

    c0a88f0c5a95c3722eec705c24dea5ee

    SHA1

    10ce0fead776f531f61cbd59a41af5a6e4f9bb1f

    SHA256

    4122eabebde6bb77bd35a1fcce398e98f4281666df888e1014c1de8767db8a38

    SHA512

    9d3f8821822f096ba1eb2bb445b9c4ee54d672b71f6b6f7a711b34ee17ae00a82344de3fdffdc1d54621155536460bb7018e3f15ccb955b97c352081f4a215f2

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230530_055409.krn.log
    Filesize

    9KB

    MD5

    403c1e20358c450fb996a4e7eecef89f

    SHA1

    37b6de2b05e52650b132caafa8a730962321c297

    SHA256

    20313e4c527f29890a9ec21266c94bf6b58838bd61646ea2e6d1e9a9223d467d

    SHA512

    041358689b3e10d54b793fa5960915a40fe186ddab6cdf99f29e1fe018230fee1024c967b86fda3c522005d8e51fe744308ce5d983c94f5ad0bc6d2c15a651dd

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log
    Filesize

    2KB

    MD5

    f9df0d1556eb6897c0f52946633cd212

    SHA1

    0c2424950649e4e650d71bf8f5a3225499de5ba4

    SHA256

    4e867ec6d4ef237fcb5de67698318221b3b08081319c05ba23e494d8dacd5c00

    SHA512

    e4ccbbb8979acdc1ec1bbb2d29424c7d696a6b55561188fa8b30afa905e9310b5be14f1fbc295ce8cd28e4c4abf5aa569ef8895979c0070289d3413438e5306f

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
    Filesize

    16.6MB

    MD5

    89e6cb6c6578ee267f27df65bedce073

    SHA1

    748ca35a19db4f54f077c40e545ac985d74cceae

    SHA256

    20aa5a3498d490e522fcaae916c44a189686f4671bf03067454e4b6b34310c72

    SHA512

    e71c71d9d5452fe18e1bbb957e113f4c2035aee57d4b177c8ed355d80b0d58562680fe914552ddada26e92fb0651f9e3aae9322c8b4148e6491119928953ae46

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
    Filesize

    16.6MB

    MD5

    89e6cb6c6578ee267f27df65bedce073

    SHA1

    748ca35a19db4f54f077c40e545ac985d74cceae

    SHA256

    20aa5a3498d490e522fcaae916c44a189686f4671bf03067454e4b6b34310c72

    SHA512

    e71c71d9d5452fe18e1bbb957e113f4c2035aee57d4b177c8ed355d80b0d58562680fe914552ddada26e92fb0651f9e3aae9322c8b4148e6491119928953ae46

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
    Filesize

    16.6MB

    MD5

    89e6cb6c6578ee267f27df65bedce073

    SHA1

    748ca35a19db4f54f077c40e545ac985d74cceae

    SHA256

    20aa5a3498d490e522fcaae916c44a189686f4671bf03067454e4b6b34310c72

    SHA512

    e71c71d9d5452fe18e1bbb957e113f4c2035aee57d4b177c8ed355d80b0d58562680fe914552ddada26e92fb0651f9e3aae9322c8b4148e6491119928953ae46

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
    Filesize

    2.4MB

    MD5

    906bd9b4f45431908ee5ca6821a254f0

    SHA1

    dc2d0684f65e6041d5860ebb8a17630b76953495

    SHA256

    0f400e4cd8c969a07c5a250bbd29d8dedaea60044ede2e7427ddd0ef2bbdcc3d

    SHA512

    4c10d0a89f1f947a3249ac62022faab79881f9657aca6bc2c89ca8581af3e4a85750d2a2702edb778e196adffa4eac4b4511052b047c78dd02efe7ca1e062c48

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll
    Filesize

    2.7MB

    MD5

    d247abcd02547a0843f6cbd354e7d77c

    SHA1

    bbb0e7255c7a4239fc31f0c631a7d67eef902d19

    SHA256

    baff569bd191de8798865e5acefb1be5356dad26ab9b6ac125f0f47cdff206d7

    SHA512

    7b6ed443e96e51ceb204a1563faf0345d415d7930a66cda2bf17db17c014f3f916dab09b9024233bcda19f8b376b7098c6e11a978ef4720b23227f8177d21c89

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • C:\Program Files\EnigmaSoft\SpyHunter\Temp\ShKernel.exe-5.15.9.313-x64.dmp
    Filesize

    14.9MB

    MD5

    502204babcee78f24c0d0c8a067399a3

    SHA1

    dacc1023a6fcdd023f0a77f3e03bdfe85c6b29a0

    SHA256

    e87da389eaee00f1184119ca88652c8eeb64955909bbf9ec4766d303d1da0f6e

    SHA512

    b881c22a151b2422281e6a9f43971672eb5d3760c2655f0404373a218bfbf5098063b27ed5321dd29147a62e436a7b443cc5494176e43b05296d21befcb9ca4b

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
    Filesize

    16.6MB

    MD5

    89e6cb6c6578ee267f27df65bedce073

    SHA1

    748ca35a19db4f54f077c40e545ac985d74cceae

    SHA256

    20aa5a3498d490e522fcaae916c44a189686f4671bf03067454e4b6b34310c72

    SHA512

    e71c71d9d5452fe18e1bbb957e113f4c2035aee57d4b177c8ed355d80b0d58562680fe914552ddada26e92fb0651f9e3aae9322c8b4148e6491119928953ae46

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
    Filesize

    2.4MB

    MD5

    906bd9b4f45431908ee5ca6821a254f0

    SHA1

    dc2d0684f65e6041d5860ebb8a17630b76953495

    SHA256

    0f400e4cd8c969a07c5a250bbd29d8dedaea60044ede2e7427ddd0ef2bbdcc3d

    SHA512

    4c10d0a89f1f947a3249ac62022faab79881f9657aca6bc2c89ca8581af3e4a85750d2a2702edb778e196adffa4eac4b4511052b047c78dd02efe7ca1e062c48

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll
    Filesize

    2.7MB

    MD5

    d247abcd02547a0843f6cbd354e7d77c

    SHA1

    bbb0e7255c7a4239fc31f0c631a7d67eef902d19

    SHA256

    baff569bd191de8798865e5acefb1be5356dad26ab9b6ac125f0f47cdff206d7

    SHA512

    7b6ed443e96e51ceb204a1563faf0345d415d7930a66cda2bf17db17c014f3f916dab09b9024233bcda19f8b376b7098c6e11a978ef4720b23227f8177d21c89

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • \Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
    Filesize

    18.5MB

    MD5

    f754c1a4e99eedc585febaf826419ab1

    SHA1

    82b56dc05de59a16f31263b40b7d3593728c1bc1

    SHA256

    521389c075689b125a4f29ca1782a4d680ea24dfa3fbc3b1f76003a83257dad3

    SHA512

    f171430c37ddc9903e631977b4a30bfec2a43667cb7f99358c841a6e5b84f50d16b2ec54a1eba559fd06c2cec7e96105bf4d8518cc52fe03300ca5eb2dcf40e7

    Download Submit
  • memory/2044-54-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2044-57-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize

    4KB

    Download