Analysis
  max time kernel: 208s
  max time network: 231s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/10/2023, 20:00
Static task: static1
Behavioral task: behavioral1
  Sample: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
  Resource: win10v2004-20230915-en
General
  Target: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
  Size: 12.7MB
  MD5: 2f54c844bf90892fde210329fbacad48
  SHA1: 3544376cc1f6785b9b76afe09ce72af3c1913218
  SHA256: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821
  SHA512: 9e419eb085ef56cbe021dbdb6335df463666b0f30885cf24cc8f7e942b83259383ebe7a26c33aa6f4435739d39cc82faad9745c7a17007c44f721a2307f33ecc
  SSDEEP: 196608:VcmdOPbQYGlZm+Uw1WgnmGH+7r7qQVYmGWqEVgM2mCM08bnlXsNbcAHo4GGU5Q/U:YbQp1hXH+7rOuSM/CMRbne2WO5Q/U
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, a value commonly read as a geofence. The key stores a numeric Windows GeoID, not an ISO country code, and all three processes in the chain query it.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | dogspoofer.exe

Executes dropped EXE (1 IoC)
  pid | process
  2436 | dogspoofer.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP. ip-api.com also returns the geolocation of the requesting address, so this fits the registry-based location check above; the report does not show the response.
  flow | ioc
  56 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoC was recorded for this signature.

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4612 | powershell.exe
  4612 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2436 | dogspoofer.exe
  Token: SeDebugPrivilege | 4612 | powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Each row is a parent writing into a child it has just created; the pairs give the parent/child links used in the process tree below (2524 -> 2172, 2524 -> 2436, 2172 -> 4952, 2436 -> 4612).
  description | pid | process | procid_target
  PID 2524 wrote to memory of 2172 | 2524 | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | 89
  PID 2524 wrote to memory of 2172 | 2524 | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | 89
  PID 2524 wrote to memory of 2172 | 2524 | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | 89
  PID 2524 wrote to memory of 2436 | 2524 | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | 90
  PID 2524 wrote to memory of 2436 | 2524 | 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | 90
  PID 2172 wrote to memory of 4952 | 2172 | WScript.exe | 91
  PID 2172 wrote to memory of 4952 | 2172 | WScript.exe | 91
  PID 2172 wrote to memory of 4952 | 2172 | WScript.exe | 91
  PID 2436 wrote to memory of 4612 | 2436 | dogspoofer.exe | 98
  PID 2436 wrote to memory of 4612 | 2436 | dogspoofer.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe  (PID 2524, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (PID 2172, depth 2, parent 2524)
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4952, depth 3, parent 2172)
      Command line: "C:\Windows\System32\cmd.exe" /c Fixer-obf.bat

  C:\ProgramData\dogspoofer\dogspoofer.exe  (PID 2436, depth 2, parent 2524)
    Command line: "C:\ProgramData\dogspoofer\dogspoofer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4612, depth 3, parent 2436)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
  - WScript.exe and cmd.exe are requested as C:\Windows\System32\... but run from C:\Windows\SysWOW64\. That is WOW64 file-system redirection for a 32-bit parent (the resource tags list arch:x86 alongside arch:x64), not path masquerading.
  - The sample stages its second stage under C:\ProgramData\dogspoofer\ (start.vbs, Fixer-obf.bat, dogspoofer.exe), a location writable without elevation.
  - The PowerShell child adds a Microsoft Defender exclusion for C:\Windows\svchost.exe. The legitimate Service Host binary lives in C:\Windows\System32 (and SysWOW64), so the excluded path can only ever hold a planted file. This run records no file written there, so whatever the exclusion is meant to protect is not visible in this report. Add-MpPreference needs an elevated context; the sandbox ran the sample as the Admin user.
Network
MITRE ATT&CK Enterprise v15
Downloads
None of the hashes below matches the submitted sample (12.7MB, MD5 2f54c844bf90892fde210329fbacad48), so each entry is a distinct file produced during the run; the report does not give their paths.

  Filesize: 12.4MB  (3 entries with identical hashes)
  MD5: 82f84cc34f16c05b67812823777a72de
  SHA1: 74594ba6fefcd3f9690d4852732ecb7e6619bff7
  SHA256: 94e44e3431588237ad4f60c72e7ad0e1b3b33e25c1ddccae40c9b5e281889a86
  SHA512: fcea05d26679288de651a12ff6f2e3c00f73a3ab3203b63c4b93bad11dcbb272c5476a2769eee7b351ddd32b05404b7bc11783ef1edbc97691bc9e91c0be3183

  Filesize: 116B
  MD5: 352d6901cba440f85d84f13c24dfc302
  SHA1: 68d4be78fcaa36d4976aef75eed2b1d579684e08
  SHA256: 0633a17dceb02cc2052fb46846fc838e954d04cebf244121cecd29cdcf76aa91
  SHA512: 7f5b637dcf9cc453d335fb997f6aa761d16b1ef2f8fd934bc22c2d9c16ec90ec05ef8399b0982d5172b692ca85337c72433eff7847ad6c15a187c6c1e00d2308

  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82