Overview
overview
7Static
static
394caad77d4...c0.exe
windows7-x64
94caad77d4...c0.exe
windows10-2004-x64
$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1Spacetherapy.exe
windows7-x64
7Spacetherapy.exe
windows10-2004-x64
7d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1swiftshade...GL.dll
windows7-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows7-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
154s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12/02/2024, 05:01
Static task
static1
Behavioral task
behavioral1
Sample
94caad77d4dbb16061a78f418c49f445f7855ede2cd2ca27fd5fb454aecc6ec0.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
94caad77d4dbb16061a78f418c49f445f7855ede2cd2ca27fd5fb454aecc6ec0.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Spacetherapy.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral10
Sample
Spacetherapy.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
resources/elevate.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral19
Sample
resources/elevate.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
swiftshader/libEGL.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral21
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
swiftshader/libGLESv2.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral23
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
vk_swiftshader.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral25
Sample
vk_swiftshader.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
vulkan-1.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral27
Sample
vulkan-1.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
General
-
Target
Spacetherapy.exe
-
Size
140.1MB
-
MD5
acd88cdf7c30231a298c5eb919390c17
-
SHA1
583d47d1186d84642b56b6e130b44315d96901d6
-
SHA256
09636887b5fe1c9a9d09b5ee5b44e09bf498b0effb345b587548d6e919cc0898
-
SHA512
e4d0f98b7698a2f479273344a40525afc2f001297ac1180a58055d9dd298faa5d00cbc6cb5bfd6edb4306e888751a6f11eb4ca045deea76151e4c2e26270c76d
-
SSDEEP
1572864:A2Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:XaodJFek8+k
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation Spacetherapy.exe -
Loads dropped DLL 2 IoCs
pid Process 2504 Spacetherapy.exe 2504 Spacetherapy.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ipinfo.io 2 ipinfo.io -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Spacetherapy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Spacetherapy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Spacetherapy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz Spacetherapy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString Spacetherapy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 Spacetherapy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Spacetherapy.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1484 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2132 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2504 Spacetherapy.exe 2504 Spacetherapy.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2132 tasklist.exe Token: SeShutdownPrivilege 2504 Spacetherapy.exe Token: SeShutdownPrivilege 2504 Spacetherapy.exe Token: SeIncreaseQuotaPrivilege 2964 WMIC.exe Token: SeSecurityPrivilege 2964 WMIC.exe Token: SeTakeOwnershipPrivilege 2964 WMIC.exe Token: SeLoadDriverPrivilege 2964 WMIC.exe Token: SeSystemProfilePrivilege 2964 WMIC.exe Token: SeSystemtimePrivilege 2964 WMIC.exe Token: SeProfSingleProcessPrivilege 2964 WMIC.exe Token: SeIncBasePriorityPrivilege 2964 WMIC.exe Token: SeCreatePagefilePrivilege 2964 WMIC.exe Token: SeBackupPrivilege 2964 WMIC.exe Token: SeRestorePrivilege 2964 WMIC.exe Token: SeShutdownPrivilege 2964 WMIC.exe Token: SeDebugPrivilege 2964 WMIC.exe Token: SeSystemEnvironmentPrivilege 2964 WMIC.exe Token: SeRemoteShutdownPrivilege 2964 WMIC.exe Token: SeUndockPrivilege 2964 WMIC.exe Token: SeManageVolumePrivilege 2964 WMIC.exe Token: 33 2964 WMIC.exe Token: 34 2964 WMIC.exe Token: 35 2964 WMIC.exe Token: SeIncreaseQuotaPrivilege 2964 WMIC.exe Token: SeSecurityPrivilege 2964 WMIC.exe Token: SeTakeOwnershipPrivilege 2964 WMIC.exe Token: SeLoadDriverPrivilege 2964 WMIC.exe Token: SeSystemProfilePrivilege 2964 WMIC.exe Token: SeSystemtimePrivilege 2964 WMIC.exe Token: SeProfSingleProcessPrivilege 2964 WMIC.exe Token: SeIncBasePriorityPrivilege 2964 WMIC.exe Token: SeCreatePagefilePrivilege 2964 WMIC.exe Token: SeBackupPrivilege 2964 WMIC.exe Token: SeRestorePrivilege 2964 WMIC.exe Token: SeShutdownPrivilege 2964 WMIC.exe Token: SeDebugPrivilege 2964 WMIC.exe Token: SeSystemEnvironmentPrivilege 2964 WMIC.exe Token: SeRemoteShutdownPrivilege 2964 WMIC.exe Token: SeUndockPrivilege 2964 WMIC.exe Token: SeManageVolumePrivilege 2964 WMIC.exe Token: 33 2964 WMIC.exe Token: 34 2964 WMIC.exe Token: 35 2964 WMIC.exe Token: SeIncreaseQuotaPrivilege 1484 WMIC.exe Token: SeSecurityPrivilege 1484 WMIC.exe Token: SeTakeOwnershipPrivilege 1484 WMIC.exe Token: SeLoadDriverPrivilege 1484 WMIC.exe Token: SeSystemProfilePrivilege 1484 WMIC.exe Token: SeSystemtimePrivilege 1484 WMIC.exe Token: SeProfSingleProcessPrivilege 1484 WMIC.exe Token: SeIncBasePriorityPrivilege 1484 WMIC.exe Token: SeCreatePagefilePrivilege 1484 WMIC.exe Token: SeBackupPrivilege 1484 WMIC.exe Token: SeRestorePrivilege 1484 WMIC.exe Token: SeShutdownPrivilege 1484 WMIC.exe Token: SeDebugPrivilege 1484 WMIC.exe Token: SeSystemEnvironmentPrivilege 1484 WMIC.exe Token: SeRemoteShutdownPrivilege 1484 WMIC.exe Token: SeUndockPrivilege 1484 WMIC.exe Token: SeManageVolumePrivilege 1484 WMIC.exe Token: 33 1484 WMIC.exe Token: 34 1484 WMIC.exe Token: 35 1484 WMIC.exe Token: SeIncreaseQuotaPrivilege 1484 WMIC.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2504 Spacetherapy.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2828 2504 Spacetherapy.exe 28 PID 2504 wrote to memory of 2372 2504 Spacetherapy.exe 37 PID 2504 wrote to memory of 2372 2504 Spacetherapy.exe 37 PID 2504 wrote to memory of 2372 2504 Spacetherapy.exe 37 PID 2504 wrote to memory of 312 2504 Spacetherapy.exe 33 PID 2504 wrote to memory of 312 2504 Spacetherapy.exe 33 PID 2504 wrote to memory of 312 2504 Spacetherapy.exe 33 PID 2504 wrote to memory of 1972 2504 Spacetherapy.exe 32 PID 2504 wrote to memory of 1972 2504 Spacetherapy.exe 32 PID 2504 wrote to memory of 1972 2504 Spacetherapy.exe 32 PID 2372 wrote to memory of 2920 2372 cmd.exe 36 PID 2372 wrote to memory of 2920 2372 cmd.exe 36 PID 2372 wrote to memory of 2920 2372 cmd.exe 36 PID 1972 wrote to memory of 2132 1972 cmd.exe 34 PID 1972 wrote to memory of 2132 1972 cmd.exe 34 PID 1972 wrote to memory of 2132 1972 cmd.exe 34 PID 312 wrote to memory of 1884 312 cmd.exe 35 PID 312 wrote to memory of 1884 312 cmd.exe 35 PID 312 wrote to memory of 1884 312 cmd.exe 35 PID 2504 wrote to memory of 2896 2504 Spacetherapy.exe 40 PID 2504 wrote to memory of 2896 2504 Spacetherapy.exe 40 PID 2504 wrote to memory of 2896 2504 Spacetherapy.exe 40 PID 2896 wrote to memory of 2964 2896 cmd.exe 41 PID 2896 wrote to memory of 2964 2896 cmd.exe 41 PID 2896 wrote to memory of 2964 2896 cmd.exe 41 PID 2504 wrote to memory of 524 2504 Spacetherapy.exe 42 PID 2504 wrote to memory of 524 2504 Spacetherapy.exe 42 PID 2504 wrote to memory of 524 2504 Spacetherapy.exe 42 PID 524 wrote to memory of 1484 524 cmd.exe 44 PID 524 wrote to memory of 1484 524 cmd.exe 44 PID 524 wrote to memory of 1484 524 cmd.exe 44 PID 2504 wrote to memory of 1332 2504 Spacetherapy.exe 45 PID 2504 wrote to memory of 1332 2504 Spacetherapy.exe 45 PID 2504 wrote to memory of 1332 2504 Spacetherapy.exe 45 PID 1332 wrote to memory of 1176 1332 cmd.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\Spacetherapy.exe"C:\Users\Admin\AppData\Local\Temp\Spacetherapy.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\Spacetherapy.exe"C:\Users\Admin\AppData\Local\Temp\Spacetherapy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Spacetherapy is a game" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1268,i,16987589911795286766,18130698034120732644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"2⤵
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath3⤵PID:1884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵
- Suspicious use of WriteProcessMemory
PID:2372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"2⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"2⤵
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\system32\cmd.execmd /c chcp 650013⤵PID:1176
-
C:\Windows\system32\chcp.comchcp 650014⤵PID:980
-
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵PID:1236
-
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"1⤵PID:2920
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231B
MD5dec2be4f1ec3592cea668aa279e7cc9b
SHA1327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA51281728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66
-
Filesize
249B
MD5cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA2561b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
285KB
MD52a691163363aedda4e1bed0448daf0c4
SHA11c42ecd46a4f8e644561e975bc46d541fa86ce59
SHA25663cacff1172fe1c1aa7b9dae9a1a48c0bdfb1c3ba8c7e413a5ca9bca5a11ae47
SHA5126cf293243e038abf43f16ef3ceb2f69256d0b0a56ec3d4602107c13acf89698080d45f06ccc29b3a2b56caf76f0847ad4bc9d832d404229371aa4e0f6555003a
-
Filesize
641KB
MD5dda2aef5ebb257d45540b7f0e0689a2b
SHA1047eca7e2910ad495cdcbfd3e48487bcefcd6cf5
SHA256ae009abe61c4eab96bd3be1683b5009069342eec123e0899f37137b57c1f7604
SHA51270f2dfed4d161fc9465303806a73ffa0ccbd235a10a1378a282638a80112578d2deb37956dc7493adec187ac75611fd9a82797f2f308e195c0206c28e2eefcb2