Analysis

Max time kernel: 77s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 11/10/2023, 20:00

Static task: static1

Behavioral task: behavioral1
  Sample: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
  Resource: win10v2004-20230915-en

General

Target: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
Size: 12.7MB
MD5: 2f54c844bf90892fde210329fbacad48
SHA1: 3544376cc1f6785b9b76afe09ce72af3c1913218
SHA256: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821
SHA512: 9e419eb085ef56cbe021dbdb6335df463666b0f30885cf24cc8f7e942b83259383ebe7a26c33aa6f4435739d39cc82faad9745c7a17007c44f721a2307f33ecc
SSDEEP: 196608:VcmdOPbQYGlZm+Uw1WgnmGH+7r7qQVYmGWqEVgM2mCM08bnlXsNbcAHo4GGU5Q/U:YbQp1hXH+7rOuSM/CMRbne2WO5Q/U

Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svchost.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svchost.exe)

Executes dropped EXE (4 IoCs)
  PID 2660 dogspoofer.exe
  PID 2240 svchost.exe
  PID 864 dogspoofer.exe
  PID 2572 dogspoofer.exe

Loads dropped DLL (8 IoCs)
  PID 1796 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe (x4)
  PID 2660 dogspoofer.exe
  PID 2240 svchost.exe
  PID 864 dogspoofer.exe
  PID 2572 dogspoofer.exe

Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  yara rule agile_net: behavioral1/files/0x000c000000003d5a-45.dat
  yara rule agile_net: behavioral1/files/0x000c000000003d5a-44.dat
  yara rule agile_net: behavioral1/memory/2240-46-0x0000000000E00000-0x0000000001506000-memory.dmp

Yara rule matches: themida
  yara rule themida: behavioral1/files/0x0006000000016d74-75.dat
  yara rule themida: behavioral1/files/0x0006000000016d74-73.dat
  yara rule themida: behavioral1/memory/2240-88-0x000007FEEE1A0000-0x000007FEEED24000-memory.dmp
  yara rule themida: behavioral1/memory/2240-87-0x000007FEEE1A0000-0x000007FEEED24000-memory.dmp
  yara rule themida: behavioral1/memory/2240-91-0x000007FEEE1A0000-0x000007FEEED24000-memory.dmp
  yara rule themida: behavioral1/memory/2240-117-0x000007FEEE1A0000-0x000007FEEED24000-memory.dmp
  yara rule themida: behavioral1/memory/2240-118-0x000007FEEE1A0000-0x000007FEEED24000-memory.dmp

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (svchost.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2240 svchost.exe

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\svchost.exe (dogspoofer.exe)
  File opened for modification: C:\Windows\svchost.exe (dogspoofer.exe)

Detects Pyinstaller (5 IoCs)
  yara rule pyinstaller: behavioral1/files/0x0004000000004ed6-54.dat
  yara rule pyinstaller: behavioral1/files/0x0004000000004ed6-53.dat
  yara rule pyinstaller: behavioral1/files/0x0004000000004ed6-51.dat
  yara rule pyinstaller: behavioral1/files/0x0004000000004ed6-82.dat
  yara rule pyinstaller: behavioral1/files/0x0004000000004ed6-83.dat

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  PID 1528 timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2716 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2660 dogspoofer.exe
  Token: SeDebugPrivilege, PID 2716 powershell.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  PID 1796 (944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe) wrote to memory of 2120, procid_target 28 (x4)
  PID 1796 (944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe) wrote to memory of 2660, procid_target 29 (x4)
  PID 2120 (WScript.exe) wrote to memory of 2768, procid_target 30 (x4)
  PID 2660 (dogspoofer.exe) wrote to memory of 2716, procid_target 36 (x3)
  PID 2660 (dogspoofer.exe) wrote to memory of 2240, procid_target 37 (x3)
  PID 2660 (dogspoofer.exe) wrote to memory of 864, procid_target 38 (x3)
  PID 2660 (dogspoofer.exe) wrote to memory of 700, procid_target 40 (x3)
  PID 864 (dogspoofer.exe) wrote to memory of 2572, procid_target 43 (x3)
  PID 700 (cmd.exe) wrote to memory of 1528, procid_target 42 (x3)
Processes (child processes indented under their parent)

C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe (PID 1796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2120)
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2768)
      Command line: "C:\Windows\System32\cmd.exe" /c Fixer-obf.bat
  C:\ProgramData\dogspoofer\dogspoofer.exe (PID 2660)
    Command line: "C:\ProgramData\dogspoofer\dogspoofer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2716)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\svchost.exe (PID 2240)
      Command line: "C:\Windows\svchost.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe (PID 864)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe (PID 2572)
        Command line: "C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe"
        - Executes dropped EXE
        - Loads dropped DLL
    C:\Windows\system32\cmd.exe (PID 700)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp.bat""
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe (PID 1528)
        Command line: timeout 3
        - Delays execution with timeout.exe