d368affea0a01110ea586f81ffe7582e888adb21faccc2f983153ce8bac6e873

Analysis

max time kernel
144s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spare Proxy v1.9.46/Spare Proxy.exe
Size

2.0MB
MD5

cbd26ae01a0fc576c118a2b97f9fc72d
SHA1

46de546bad1b6102e3766adab138bd167f3835d5
SHA256

4dc4637e16765a5a241bc7526521b849fab1cb7ff0ff12bd6a8606e63bb648fb
SHA512

8ef26bad319de21d90583489db8b239e58e42433531733a336c4a154d8bd9916d6c23597dea0dbbb8a53ca642e471ed15f46f341ffc52be75823dff360a5ad11
SSDEEP

49152:LxAP8Kg+OrIGTeq4zGcuLGI7aKAdk79bwaj+Y4XG4dA:04rvLs

Score

1^/10

Malware Config

Signatures

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143	Spare Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\ = "URL:Run game 1176163342818222143 protocol"	Spare Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\URL Protocol	Spare Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\DefaultIcon	Spare Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\shell\open	Spare Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Spare Proxy v1.9.46\\Spare Proxy.exe"	Spare Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Spare Proxy v1.9.46\\Spare Proxy.exe"	Spare Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\shell\open\command	Spare Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\discord-1176163342818222143\shell	Spare Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3380	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2244	1708	Spare Proxy.exe	78
PID 1708 wrote to memory of 2244	1708	Spare Proxy.exe	78
PID 1708 wrote to memory of 1448	1708	Spare Proxy.exe	79
PID 1708 wrote to memory of 1448	1708	Spare Proxy.exe	79
PID 1448 wrote to memory of 4648	1448	cmd.exe	80
PID 1448 wrote to memory of 4648	1448	cmd.exe	80
PID 1448 wrote to memory of 3888	1448	cmd.exe	82
PID 1448 wrote to memory of 3888	1448	cmd.exe	82
PID 1448 wrote to memory of 2228	1448	cmd.exe	81
PID 1448 wrote to memory of 2228	1448	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\Spare Proxy v1.9.46\Spare Proxy.exe
"C:\Users\Admin\AppData\Local\Temp\Spare Proxy v1.9.46\Spare Proxy.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Color 0A
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Spare Proxy v1.9.46\Spare Proxy.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Spare Proxy v1.9.46\Spare Proxy.exe" MD5
    3⤵
    PID:4648
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2228
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
bfa79d7a546b5ac60f5a8562b2c86799

SHA1
f3509bbf7224a4e35e92c453cf13d8c522a0219c

SHA256
f23d82f15277079aab16232383cf5829c9f53bc997e98e9bd3b5599cfa80df83

SHA512
32d99ab686be4e39ab1206e048f8fa566948adeff1b2f97e74bc27e85eece45047736e1779aea97fc1d142dcfb7472f3f12650532b86a2d3fe547c7334307366

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
ae9795843ff54860f7ebb5569f434e83

SHA1
3bdcba3b4e7ea0f191c90d4211395d5a6e3c8cab

SHA256
b46781bfff93fe6a51f19337b2c0f68c940a8a1497f56ffbc5e66688073abfbd

SHA512
6a6c20f0f39710bb93868d61d7222e5082ceb06c07f1fe685a41e96fd52a6b8d8e568d4cd134b2824e416e8b819b7c94ffae2c7b68c7ec25f411c48943cc2357

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads