Overview

overview

9

Static

static

3

Free Temp Spoofer.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    24s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 16:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Free Temp Spoofer.exe

  • Size

    309KB

  • MD5

    ae570e5768742a572e36ac8d999c03f5

  • SHA1

    9eabf7fdc94adeb65248f7593cd6f0abd1448ef8

  • SHA256

    7db7e8ba889c41199e657fa9d263c5f18830a35bab6b810e267baadae1d938ae

  • SHA512

    8f46023ad4b561f9fcec5c62eba6a384e95b07dca8baeadcce9bf3039a07fb9adc6f2312a386689d291dad26d8f1476b72d8f5f7bc6a62220683f3ef221552e0

  • SSDEEP

    6144:qKjViFkFl/AAGbFd1cUp3AJEFzqlOcWluW4bLcCCQvjQL85d:2rA6Bl7GcCCQvjQL4d

Score
9/10
evasionpersistence

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Free Temp Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Free Temp Spoofer.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Windows\map.exe C:\Windows\drv.sys
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\map.exe
        C:\Windows\map.exe C:\Windows\drv.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        PID:4824
    • C:\Windows\SysWOW64\netsh.exe
      "netsh.exe" int set int name="Ethernet" disable
      2⤵
        PID:2384
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
      1⤵
      • Modifies data under HKEY_USERS
      PID:4544

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\map.exe
            Filesize

            151KB

            MD5

            90de08e941cab777451a9d3484d1038f

            SHA1

            dd236756bee1d6df670a5d16b0c7bfd555eb5680

            SHA256

            0cc27f375e388d45b4d970631815250487e4a58d95797f6d43bf56093695ec8c

            SHA512

            1b6930b621d76c2513f78b9c05eec58cb8c0fc53354fed2c7134d4ecfa7c2356008b92c5329d58052c8a474c1e5b0c153ffc2bb4971523d6083bfaf2c851dcdd

            Download Submit

          • memory/3176-3-0x0000000005430000-0x0000000005468000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3176-1-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3176-1-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3176-4-0x0000000005680000-0x00000000056E6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3176-5-0x0000000006190000-0x0000000006734000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3176-0-0x0000000000BF0000-0x0000000000C46000-memory.dmp

            Filesize

            344KB

            Download

          • memory/3176-14-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3176-2-0x0000000005500000-0x0000000005510000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3176-0-0x0000000000BF0000-0x0000000000C46000-memory.dmp

            Filesize

            344KB

            Download

          • memory/3176-2-0x0000000005500000-0x0000000005510000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3176-3-0x0000000005430000-0x0000000005468000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3176-4-0x0000000005680000-0x00000000056E6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3176-5-0x0000000006190000-0x0000000006734000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3176-14-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download