78bc1c088363f96eecd43f6c15337f143d8ba0ba6225aad875d0f29210a48f6b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyNote_By 30Deep/Android Tester.exe
Size

1.2MB
MD5

b4011069f308adfd9aaf162a048af52a
SHA1

5bd8e0a87315fae31a00c686117fa9e68cf68028
SHA256

5a43db2cdbafc97ffaa72c5dfc8c806c03fe48205c2f1924e9fddc64e94a6a6f
SHA512

cde1f70a991d17cd284b40e34a45044104856672d0bed5b0d3da08271ec854d4669bf7e8289d8c9a1e94be485b424ba5c7752bd40d7b286453619897f3e5ab5b
SSDEEP

24576:O3cM3co+GmVct8O2rKRZE+qR9O08k8sVW40PyQ:O3cM3cLoRZENLr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Android Tester.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Android Tester.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Android Tester.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Android Tester.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\TypedURLs	Android Tester.exe

Modifies registry class 1 IoCs

Processes:

Android Tester.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings Android Tester.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	Android Tester.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Android Tester.exe

pid	process
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe
1240	Android Tester.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Android Tester.exe

description pid process

Token: SeDebugPrivilege 1240 Android Tester.exe

description	pid	process
Token: SeDebugPrivilege	1240	Android Tester.exe

C:\Users\Admin\AppData\Local\Temp\SpyNote_By 30Deep\Android Tester.exe
"C:\Users\Admin\AppData\Local\Temp\SpyNote_By 30Deep\Android Tester.exe"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-1-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1240-0-0x00000000004F0000-0x0000000000634000-memory.dmp

Filesize
1.3MB

Download
memory/1240-2-0x0000000005090000-0x000000000512C000-memory.dmp

Filesize
624KB

Download
memory/1240-3-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/1240-4-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/1240-5-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1240-6-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/1240-7-0x0000000005230000-0x0000000005286000-memory.dmp

Filesize
344KB

Download
memory/1240-8-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1240-9-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1240-10-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1240-11-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1240-12-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1240-13-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download