Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:20

General

  • Target

    Spoofer.exe

  • Size

    2.1MB

  • MD5

    382d1136a20e58b8bbcc7fffe5ce8d2b

  • SHA1

    9779688fee4642fd0dde3d58f7d86dbeb8a4909e

  • SHA256

    27fa9de0fad33e7dbed3a1d5d1c50fe843574062a87b34fb3617be1c77ba1391

  • SHA512

    eaf873631e4f9f43eb2912d5b86c5d317e7042233e68dfb9b9efcd85d95b80f3e996b84ae312bbdb33f5e7d18218a5531225ca72ded7388fbb8fbc4a636a1990

  • SSDEEP

    49152:QMdhRi0P2enkqXfd+/9ATrgBWBKH8jkDVFCNXODzWS9HfX0H:LdvtnkqXf0F9+KH4kpc+DX/0H

Score
9/10

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\reg.exe
        reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f
        3⤵
        • Modifies registry key
        PID:2312
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
        3⤵
        PID:2448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
        3⤵
        PID:2500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
        3⤵
        PID:2332
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set hypervisorlaunchtype off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set hypervisorlaunchtype off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2900
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop vgk
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\system32\sc.exe
        sc stop vgk
        3⤵
        • Launches sc.exe
        PID:2704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im vgtray.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im vgtray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im FACEIT.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FACEIT.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
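Read together, the process tree above is a scripted teardown of the controls that stand between a user-mode binary and kernel memory, followed by an attack on two anti-cheat products. The four reg add calls switch off the Microsoft vulnerable driver blocklist (VulnerableDriverBlocklistEnable=0, the precondition for loading a known-vulnerable signed driver), virtualization-based security (EnableVirtualizationBasedSecurity=0) and the Spectre v2 / Meltdown kernel mitigations (FeatureSettingsOverride=3 with FeatureSettingsOverrideMask=3). bcdedit /set hypervisorlaunchtype off and the Disable-WindowsOptionalFeature call remove the hypervisor that VBS and HVCI depend on. sc stop vgk and the taskkill of vgtray.exe target Riot Vanguard (vgk is its kernel driver service); the taskkill of FACEIT.exe targets the FACEIT client. Two details a detection has to cope with are visible in the command lines themselves: the sample mixes HKLM with HKEY_LOCAL_MACHINE, and it writes the same DWORD as 0x000000 in one call and as 0 in another, so a literal string match on the raw command line misses trivial variants. The following is an added example of detection logic over process-creation command lines; it is not code from the sandbox or from the sample. The record layout (pid, command line) and the constructed records, which mirror the tree above plus two benign lines, are assumptions of the example.

```python
"""Detection logic for the security-control tampering in the process tree above.

Added example, not part of the sandbox report or the sample. The records in
SAMPLE_RECORDS are constructed to mirror the command lines in the tree; the
(pid, command line) layout is an assumption, not a sandbox export format.
"""
import re

# Registry writes the sample performs, keyed by (canonical lower-cased key path,
# lower-cased value name) -> (weak value, technique id, description).
_MM = r"hkey_local_machine\system\currentcontrolset\control\session manager\memory management"
TAMPER_VALUES = {
    (r"hkey_local_machine\system\currentcontrolset\control\ci\config", "vulnerabledriverblocklistenable"):
        (0, "disable_vulnerable_driver_blocklist", "Microsoft vulnerable driver blocklist off (BYOVD enabler)"),
    (r"hkey_local_machine\system\currentcontrolset\control\deviceguard", "enablevirtualizationbasedsecurity"):
        (0, "disable_vbs", "Virtualization-based security / HVCI off"),
    (_MM, "featuresettingsoverride"):
        (3, "disable_cpu_mitigations", "Spectre v2 / Meltdown kernel mitigations off"),
    (_MM, "featuresettingsoverridemask"):
        (3, "disable_cpu_mitigations", "Spectre v2 / Meltdown kernel mitigations off"),
}
ANTICHEAT_SERVICES = {"vgk": "Riot Vanguard kernel driver service"}
ANTICHEAT_PROCESSES = {"vgtray.exe": "Riot Vanguard tray", "faceit.exe": "FACEIT anti-cheat client"}
KERNEL_PROTECTION_TECHNIQUES = {"disable_vulnerable_driver_blocklist", "disable_vbs",
                                "disable_cpu_mitigations", "disable_hypervisor", "disable_hyperv_feature"}
ANTICHEAT_TECHNIQUES = {"stop_anticheat_service", "kill_anticheat_process"}

_HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user", "hku": "hkey_users",
          "hkcr": "hkey_classes_root", "hkcc": "hkey_current_config"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def win_tokens(cmdline):
    """Split a Windows command line, keeping double-quoted spans (key paths with spaces) whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def canon_key(key):
    """Lower-case, expand hive abbreviations and drop edge backslashes so HKLM\\X == HKEY_LOCAL_MACHINE\\X."""
    key = key.strip("\\").lower()
    hive, sep, rest = key.partition("\\")
    return _HIVES.get(hive, hive) + sep + rest


def parse_dword(text):
    """reg.exe takes REG_DWORD data as decimal or 0x-prefixed hex; the sample uses both forms."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    except ValueError:
        return None


def classify(cmdline):
    """Return (technique id, detail) for one command line, or None when nothing matches."""
    toks = win_tokens(cmdline)
    low = [t.lower() for t in toks]
    # Unwrap "cmd.exe /c <command>" so the wrapper and its child are judged the same way.
    if len(low) > 2 and low[0].rsplit("\\", 1)[-1] == "cmd.exe" and low[1] == "/c":
        toks, low = toks[2:], low[2:]
    if not low:
        return None
    prog = low[0].rsplit("\\", 1)[-1]
    prog = prog[:-4] if prog.endswith(".exe") else prog
    # Slash options and the token that follows each (/v name, /d data, /im image, ...).
    opts = {low[i]: toks[i + 1] for i in range(len(low) - 1) if low[i].startswith("/")}

    if prog == "reg" and len(low) > 2 and low[1] == "add":
        entry = TAMPER_VALUES.get((canon_key(toks[2]), opts.get("/v", "").lower()))
        if entry and parse_dword(opts.get("/d", "")) == entry[0]:
            return entry[1], entry[2]
    elif prog == "bcdedit" and low[1:4] == ["/set", "hypervisorlaunchtype", "off"]:
        return "disable_hypervisor", "Hypervisor launch disabled in BCD (VBS/HVCI cannot start)"
    elif prog == "powershell" and "disable-windowsoptionalfeature" in cmdline.lower() and "hyper-v" in cmdline.lower():
        return "disable_hyperv_feature", "Hyper-V optional feature removal"
    elif prog == "sc" and low[1:2] == ["stop"] and low[2:3] and low[2] in ANTICHEAT_SERVICES:
        return "stop_anticheat_service", ANTICHEAT_SERVICES[low[2]]
    elif prog == "taskkill" and opts.get("/im", "").lower() in ANTICHEAT_PROCESSES:
        return "kill_anticheat_process", ANTICHEAT_PROCESSES[opts["/im"].lower()]
    return None


def triage(records):
    """Run classify over (pid, command line) records; one finding dict per matching record."""
    findings = []
    for pid, cmdline in records:
        hit = classify(cmdline)
        if hit:
            findings.append({"pid": pid, "technique": hit[0], "detail": hit[1], "cmdline": cmdline})
    return findings


def verdict(findings):
    """Weakening kernel protections and then hitting anti-cheat is the combination worth alerting on."""
    techniques = {f["technique"] for f in findings}
    weakens_kernel = techniques & KERNEL_PROTECTION_TECHNIQUES
    hits_anticheat = techniques & ANTICHEAT_TECHNIQUES
    if weakens_kernel and hits_anticheat:
        return "tampering"
    return "suspicious" if weakens_kernel or hits_anticheat else "clean"


# Constructed records mirroring the process tree (pids and command lines as logged),
# plus two constructed benign lines (pids 4000, 4001) that must not match.
SAMPLE_RECORDS = [
    (2576, r'"C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f'),
    (2312, r'reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f'),
    (2448, r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f'),
    (2500, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f'),
    (2332, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f'),
    (2900, r'bcdedit /set hypervisorlaunchtype off'),
    (2480, r'powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All'),
    (2704, r'sc stop vgk'),
    (2892, r'taskkill /f /im vgtray.exe'),
    (2888, r'taskkill /f /im FACEIT.exe'),
    (4000, r'reg add HKCU\Software\Example /v Setting /t REG_DWORD /d 0 /f'),
    (4001, r'sc stop Spooler'),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_RECORDS)
    for f in hits:
        print(f'{f["pid"]:>5}  {f["technique"]:<36} {f["detail"]}')
    print("verdict:", verdict(hits))
```

The detonation platform here is Windows 7, where VBS, HVCI and the vulnerable driver blocklist do not exist, so on the sandbox itself the registry writes and the bcdedit change alter nothing; the behaviour is aimed at Windows 10/11 hosts. On an affected host, undo it by setting VulnerableDriverBlocklistEnable and EnableVirtualizationBasedSecurity back to 1, deleting the FeatureSettingsOverride and FeatureSettingsOverrideMask values, running bcdedit /set hypervisorlaunchtype auto, and rebooting.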

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2064-10-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-0-0x0000000000310000-0x0000000000536000-memory.dmp (Filesize 2.1MB)
  • memory/2064-2-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-3-0x000000001C570000-0x000000001C976000-memory.dmp (Filesize 4.0MB)
  • memory/2064-4-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-5-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp (Filesize 9.9MB)
  • memory/2064-7-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-8-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-9-0x000000001BAF0000-0x000000001BB70000-memory.dmp (Filesize 512KB)
  • memory/2064-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp (Filesize 9.9MB)
  • memory/2064-24-0x000007FEF5690000-0x000007FEF607C000-memory.dmp (Filesize 9.9MB)
  • memory/2480-15-0x000000001B6A0000-0x000000001B982000-memory.dmp (Filesize 2.9MB)
  • memory/2480-16-0x0000000002890000-0x0000000002898000-memory.dmp (Filesize 32KB)
  • memory/2480-18-0x0000000002290000-0x0000000002310000-memory.dmp (Filesize 512KB)
  • memory/2480-20-0x0000000002290000-0x0000000002310000-memory.dmp (Filesize 512KB)
  • memory/2480-19-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp (Filesize 9.6MB)
  • memory/2480-21-0x0000000002290000-0x0000000002310000-memory.dmp (Filesize 512KB)
  • memory/2480-22-0x0000000002290000-0x0000000002310000-memory.dmp (Filesize 512KB)
  • memory/2480-23-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp (Filesize 9.6MB)
  • memory/2480-17-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp (Filesize 9.6MB)