Analysis

  • max time kernel
    208s
  • max time network
    231s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2023, 20:00

General

  • Target

    944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe

  • Size

    12.7MB

  • MD5

    2f54c844bf90892fde210329fbacad48

  • SHA1

    3544376cc1f6785b9b76afe09ce72af3c1913218

  • SHA256

    944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821

  • SHA512

    9e419eb085ef56cbe021dbdb6335df463666b0f30885cf24cc8f7e942b83259383ebe7a26c33aa6f4435739d39cc82faad9745c7a17007c44f721a2307f33ecc

  • SSDEEP

    196608:VcmdOPbQYGlZm+Uw1WgnmGH+7r7qQVYmGWqEVgM2mCM08bnlXsNbcAHo4GGU5Q/U:YbQp1hXH+7rOuSM/CMRbne2WO5Q/U

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
    "C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c Fixer-obf.bat
        3⤵
          PID:4952
    • C:\ProgramData\dogspoofer\dogspoofer.exe
      "C:\ProgramData\dogspoofer\dogspoofer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4612
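The tree above is the detection-relevant part of this report: the submitted dropper in %TEMP% runs start.vbs through WScript.exe, which spawns cmd.exe for Fixer-obf.bat, and the dropped dogspoofer.exe has PowerShell add a Defender exclusion for C:\Windows\svchost.exe. The genuine svchost.exe lives in System32 and SysWOW64, so an exclusion for that name one directory up reserves a masquerading location for a payload. Below is an added example, not part of the sandbox report, that turns those observations into detection logic run over process-creation records. The records are constructed here to mirror the tree in a Sysmon Event ID 1-like shape; the field names (Image, CommandLine, ParentImage, Hashes) and the parent assigned to each process (read from the depth markers) are assumptions to map onto your own log schema. The rules are deliberately a little more general than the single instance in the tree (cscript/mshta as script hosts, `-ep bypass`, ExclusionProcess/ExclusionExtension), and the hashes are the ones listed in this report.

```python
"""Detection logic for the process tree in the report above (added example,
not part of the original report). Input records are constructed to mirror the
tree in a Sysmon Event ID 1-like shape; field names are an assumption."""
import re

# Atomic IOCs copied from the report's General and Downloads sections.
KNOWN_BAD_HASHES = {
    "944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821",  # sample, SHA256
    "94e44e3431588237ad4f60c72e7ad0e1b3b33e25c1ddccae40c9b5e281889a86",  # dogspoofer.exe, SHA256
    "0633a17dceb02cc2052fb46846fc838e954d04cebf244121cecd29cdcf76aa91",  # start.vbs, SHA256
    "2f54c844bf90892fde210329fbacad48",                                  # sample, MD5
    "82f84cc34f16c05b67812823777a72de",                                  # dogspoofer.exe, MD5
}

# Behavioural rules; all path comparisons are done lower-cased.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "dllhost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))",
    re.I | re.S)
EP_BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass\b", re.I)
SCRIPT_ARG_RE = re.compile(r"([a-z]:\\[^\"']+?\.(?:vbs|vbe|js|jse|wsf|hta))\b", re.I)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def parse_hashes(field):
    """'SHA256=..,MD5=..' -> {'SHA256': '..', 'MD5': '..'} (Sysmon's Hashes layout)."""
    return {k.strip().upper(): v.strip().lower()
            for k, _, v in (kv.partition("=") for kv in field.split(",")) if v}


def analyze_event(ev):
    """Return the list of findings for one process-creation record."""
    findings = []
    image, cmd = ev["Image"].lower(), ev["CommandLine"]
    name = basename(image)

    if any(h in KNOWN_BAD_HASHES for h in parse_hashes(ev.get("Hashes", "")).values()):
        findings.append("known_bad_hash")

    # Execution from a user-writable directory (the dropped dogspoofer.exe). The submitted
    # sample trips this too, since sandboxes run everything from %TEMP%; treat it as a weak
    # signal that the hash or a parent/child rule should corroborate.
    if image.startswith(USER_WRITABLE) and image.endswith(".exe"):
        findings.append("exe_from_user_writable_dir")

    # A script host handed a script that lives under ProgramData/Users/Temp (start.vbs).
    if name in SCRIPT_HOSTS:
        for script in SCRIPT_ARG_RE.findall(cmd):
            if script.lower().startswith(USER_WRITABLE):
                findings.append(f"script_host_from_user_writable_dir:{script}")

    # Script host spawning a shell (start.vbs -> cmd /c Fixer-obf.bat). The .bat has no
    # path in the command line, so the parent relationship is the only usable signal.
    if name in ("cmd.exe", "powershell.exe") and basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
        findings.append("shell_spawned_by_script_host")

    if name in ("powershell.exe", "pwsh.exe"):
        if EP_BYPASS_RE.search(cmd):
            findings.append("execution_policy_bypass")
        m = EXCLUSION_RE.search(cmd)
        if m:
            excl = next(g for g in m.groups() if g)
            findings.append(f"defender_exclusion:{excl}")
            # Real svchost.exe lives in System32/SysWOW64; excluding a system-binary name
            # anywhere else reserves a masquerading path for a payload.
            if basename(excl) in SYSTEM_BINARIES and not excl.lower().startswith(SYSTEM_DIRS):
                findings.append("exclusion_masquerades_system_binary")
    return findings


def analyze_tree(events):
    """Map each PID to its findings; PIDs with nothing flagged are omitted."""
    return {ev["ProcessId"]: f for ev in events if (f := analyze_event(ev))}


def rec(pid, parent, image, cmd, hashes=""):
    return {"ProcessId": pid, "ParentImage": parent, "Image": image, "CommandLine": cmd, "Hashes": hashes}


# Constructed records mirroring the reported tree (not real log output). Parents follow the
# depth markers in the report: WScript.exe and dogspoofer.exe are children of the sample.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"
SAMPLE_EVENTS = [
    rec(2524, "C:\\Windows\\explorer.exe", SAMPLE, f'"{SAMPLE}"',
        "SHA256=944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821"),
    rec(2172, SAMPLE, "C:\\Windows\\SysWOW64\\WScript.exe",
        '"C:\\Windows\\System32\\WScript.exe" "C:\\ProgramData\\dogspoofer\\start.vbs"'),
    rec(4952, "C:\\Windows\\SysWOW64\\WScript.exe", "C:\\Windows\\SysWOW64\\cmd.exe",
        '"C:\\Windows\\System32\\cmd.exe" /c Fixer-obf.bat'),
    rec(2436, SAMPLE, "C:\\ProgramData\\dogspoofer\\dogspoofer.exe",
        '"C:\\ProgramData\\dogspoofer\\dogspoofer.exe"',
        "SHA256=94e44e3431588237ad4f60c72e7ad0e1b3b33e25c1ddccae40c9b5e281889a86,MD5=82f84cc34f16c05b67812823777a72de"),
    rec(4612, "C:\\ProgramData\\dogspoofer\\dogspoofer.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy Bypass '
        "Add-MpPreference -ExclusionPath 'C:\\Windows\\svchost.exe'"),
]

if __name__ == "__main__":
    for pid, findings in analyze_tree(SAMPLE_EVENTS).items():
        print(pid, findings)
```

On a real fleet the exclusion rule is the one worth alerting on by itself; the user-writable-directory rules produce noise from installers and should be scored together with the parent relationship or a hash hit. After a hit, confirm the exclusion was actually applied (Defender logs configuration changes as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and `Get-MpPreference` lists ExclusionPath) and check whether anything now exists at the excluded path.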

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\dogspoofer\dogspoofer.exe

      Filesize

      12.4MB

      MD5

      82f84cc34f16c05b67812823777a72de

      SHA1

      74594ba6fefcd3f9690d4852732ecb7e6619bff7

      SHA256

      94e44e3431588237ad4f60c72e7ad0e1b3b33e25c1ddccae40c9b5e281889a86

      SHA512

      fcea05d26679288de651a12ff6f2e3c00f73a3ab3203b63c4b93bad11dcbb272c5476a2769eee7b351ddd32b05404b7bc11783ef1edbc97691bc9e91c0be3183

    • C:\ProgramData\dogspoofer\start.vbs

      Filesize

      116B

      MD5

      352d6901cba440f85d84f13c24dfc302

      SHA1

      68d4be78fcaa36d4976aef75eed2b1d579684e08

      SHA256

      0633a17dceb02cc2052fb46846fc838e954d04cebf244121cecd29cdcf76aa91

      SHA512

      7f5b637dcf9cc453d335fb997f6aa761d16b1ef2f8fd934bc22c2d9c16ec90ec05ef8399b0982d5172b692ca85337c72433eff7847ad6c15a187c6c1e00d2308

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycfgvewz.5ot.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2436-20-0x00007FFFC08D0000-0x00007FFFC1391000-memory.dmp

      Filesize

      10.8MB

    • memory/2436-21-0x0000000003830000-0x0000000003840000-memory.dmp

      Filesize

      64KB

    • memory/2436-22-0x00007FFFC08D0000-0x00007FFFC1391000-memory.dmp

      Filesize

      10.8MB

    • memory/2436-23-0x0000000003830000-0x0000000003840000-memory.dmp

      Filesize

      64KB

    • memory/2436-19-0x0000000000A30000-0x00000000016A4000-memory.dmp

      Filesize

      12.5MB

    • memory/4612-33-0x00007FFFC08D0000-0x00007FFFC1391000-memory.dmp

      Filesize

      10.8MB

    • memory/4612-34-0x000002ACBC280000-0x000002ACBC290000-memory.dmp

      Filesize

      64KB

    • memory/4612-35-0x000002ACD6A40000-0x000002ACD6A62000-memory.dmp

      Filesize

      136KB

    • memory/4612-36-0x000002ACBC280000-0x000002ACBC290000-memory.dmp

      Filesize

      64KB