Analysis
  max time kernel: 121s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 04/04/2024, 13:20

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: Spoofer.exe
  Resource: win7-20240220-en
  10 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: Spoofer.exe
  Resource: win10v2004-20240226-en
  4 signatures, 150 seconds
General
  Target: Spoofer.exe
  Size: 2.1MB
  MD5: 382d1136a20e58b8bbcc7fffe5ce8d2b
  SHA1: 9779688fee4642fd0dde3d58f7d86dbeb8a4909e
  SHA256: 27fa9de0fad33e7dbed3a1d5d1c50fe843574062a87b34fb3617be1c77ba1391
  SHA512: eaf873631e4f9f43eb2912d5b86c5d317e7042233e68dfb9b9efcd85d95b80f3e996b84ae312bbdb33f5e7d18218a5531225ca72ded7388fbb8fbc4a636a1990
  SSDEEP: 49152:QMdhRi0P2enkqXfd+/9ATrgBWBKH8jkDVFCNXODzWS9HfX0H:LdvtnkqXf0F9+KH4kpc+DX/0H
  Score: 9/10
Malware Config

Signatures
  Modifies boot configuration data using bcdedit  (1 TTP, 1 IoC)
    PID 2900  bcdedit.exe
  Stops running service(s)  (3 TTPs)
  Launches sc.exe  (1 IoC)
    sc.exe is the Windows utility for controlling services on the system.
    PID 2704  sc.exe
  Enumerates physical storage devices  (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Kills process with taskkill  (2 IoCs)
    PID 2892  taskkill.exe
    PID 2888  taskkill.exe
  Modifies registry key  (1 TTP, 1 IoC)
    PID 2312  reg.exe
  Suspicious behavior: EnumeratesProcesses  (1 IoC)
    PID 2480  powershell.exe
  Suspicious use of AdjustPrivilegeToken  (4 IoCs)
    Token: SeDebugPrivilege  PID 2064  Spoofer.exe
    Token: SeDebugPrivilege  PID 2888  taskkill.exe
    Token: SeDebugPrivilege  PID 2892  taskkill.exe
    Token: SeDebugPrivilege  PID 2480  powershell.exe
  Suspicious use of SetWindowsHookEx  (2 IoCs)
    PID 2064  Spoofer.exe
    PID 2064  Spoofer.exe
  Suspicious use of WriteProcessMemory  (54 IoCs; every write below is recorded three times in the raw log and is listed once here)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2576  (target 28)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2536  (target 29)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2660  (target 30)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2676  (target 31)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2680  (target 32)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2692  (target 33)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2688  (target 34)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2664  (target 35)
    PID 2064 Spoofer.exe  wrote to memory of  PID 2588  (target 36)
    PID 2536 cmd.exe      wrote to memory of  PID 2448  (target 46)
    PID 2692 cmd.exe      wrote to memory of  PID 2480  (target 47)
    PID 2660 cmd.exe      wrote to memory of  PID 2500  (target 48)
    PID 2676 cmd.exe      wrote to memory of  PID 2332  (target 49)
    PID 2664 cmd.exe      wrote to memory of  PID 2892  (target 50)
    PID 2688 cmd.exe      wrote to memory of  PID 2704  (target 51)
    PID 2576 cmd.exe      wrote to memory of  PID 2312  (target 52)
    PID 2588 cmd.exe      wrote to memory of  PID 2888  (target 53)
    PID 2680 cmd.exe      wrote to memory of  PID 2900  (target 54)
Processes
  C:\Users\Admin\AppData\Local\Temp\Spoofer.exe  (PID 2064)
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (PID 2576)
      "C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe  (PID 2312)
        reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f
        - Modifies registry key

    C:\Windows\System32\cmd.exe  (PID 2536)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe  (PID 2448)
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f

    C:\Windows\System32\cmd.exe  (PID 2660)
      "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe  (PID 2500)
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

    C:\Windows\System32\cmd.exe  (PID 2676)
      "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe  (PID 2332)
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    C:\Windows\System32\cmd.exe  (PID 2680)
      "C:\Windows\System32\cmd.exe" /c bcdedit /set hypervisorlaunchtype off
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\bcdedit.exe  (PID 2900)
        bcdedit /set hypervisorlaunchtype off
        - Modifies boot configuration data using bcdedit

    C:\Windows\System32\cmd.exe  (PID 2692)
      "C:\Windows\System32\cmd.exe" /c powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2480)
        powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe  (PID 2688)
      "C:\Windows\System32\cmd.exe" /c sc stop vgk
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\sc.exe  (PID 2704)
        sc stop vgk
        - Launches sc.exe

    C:\Windows\System32\cmd.exe  (PID 2664)
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im vgtray.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe  (PID 2892)
        taskkill /f /im vgtray.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe  (PID 2588)
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im FACEIT.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe  (PID 2888)
        taskkill /f /im FACEIT.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
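Read together, the command lines in the process tree turn off the Microsoft vulnerable driver blocklist (CI\Config\VulnerableDriverBlocklistEnable = 0), virtualization-based security and with it HVCI (DeviceGuard\EnableVirtualizationBasedSecurity = 0), the Spectre variant 2 and Meltdown kernel mitigations (FeatureSettingsOverride = 3 with FeatureSettingsOverrideMask = 3, the values Microsoft documents for disabling both), and the hypervisor itself (bcdedit hypervisorlaunchtype off plus removal of the Hyper-V optional feature), then stop the vgk service (Riot Vanguard's kernel driver) and kill vgtray.exe and FACEIT.exe. These are exactly the protections that block loading of known-vulnerable or unsigned kernel drivers; the report does not show what the sample loads afterwards, only that it clears the way. Two caveats for anyone triaging a host: the sample uses reg add /f, so any value that already existed is overwritten and its prior setting is lost, and on Windows 7 (the platform of behavioral1) VBS, HVCI and the blocklist do not exist, so the registry values are created but change nothing; the Windows 10 task is the one where the changes matter.

The PowerShell audit below is an added example, not part of the sandbox report or of the sample. It checks a host for each setting the sample changes and, with the -Remediate switch (my own addition), removes the registry values so Windows falls back to its defaults and resets the BCD element. The registry paths, values, service name and BCD element are taken from the process tree above; everything else is assumed.

```powershell
# Added host audit for the tamper settings recorded in the Spoofer.exe report.
# Run from an elevated PowerShell prompt. -Remediate is an assumed option of
# this script, not anything the report describes.
[CmdletBinding()]
param([switch]$Remediate)

# Registry values the sample writes, with the value that indicates tampering.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
       Name = 'VulnerableDriverBlocklistEnable'; Bad = 0
       Note = 'Microsoft vulnerable driver blocklist disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
       Name = 'EnableVirtualizationBasedSecurity'; Bad = 0
       Note = 'VBS (and therefore HVCI) disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'FeatureSettingsOverride'; Bad = 3
       Note = 'Spectre v2 / Meltdown kernel mitigations disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'FeatureSettingsOverrideMask'; Bad = 3
       Note = 'mitigation override mask set' }
)

$findings = @()
foreach ($c in $checks) {
    # Missing key or missing value both yield $null (no tampering by this sample).
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
    if ($value -eq $c.Bad) {
        $findings += "TAMPERED  $($c.Path)\$($c.Name) = $value  ($($c.Note))"
        if ($Remediate) {
            # Deleting the value restores the Windows default for each of these keys.
            # The sample used 'reg add /f', so an explicit pre-existing setting is
            # unrecoverable from the host itself; restore it from GPO or backup.
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        }
    } else {
        $shown = if ($null -eq $value) { '<absent>' } else { $value }
        $findings += "OK        $($c.Path)\$($c.Name) = $shown"
    }
}

# bcdedit has no cmdlet; parse the text of the current boot entry.
# An explicit 'hypervisorlaunchtype Off' line is what the sample produces;
# the default (Auto) is usually not listed at all.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if (-not $bcd) {
    $findings += 'WARN      bcdedit returned nothing (not elevated?)'
} elseif ($bcd -match 'hypervisorlaunchtype\s+Off') {
    $findings += 'TAMPERED  BCD hypervisorlaunchtype = Off (hypervisor, VBS and HVCI cannot start)'
    if ($Remediate) { & bcdedit.exe /set hypervisorlaunchtype auto | Out-Null }
} else {
    $findings += 'OK        BCD hypervisorlaunchtype is not Off'
}

# Hyper-V optional feature the sample disables (Windows 8 and later only).
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($hv) { $findings += "INFO      optional feature Microsoft-Hyper-V-All: $($hv.State)" }

# Anti-cheat driver service the sample stops; only meaningful where installed.
$vgk = Get-Service -Name vgk -ErrorAction SilentlyContinue
if ($vgk) { $findings += "INFO      service vgk: $($vgk.Status)" }

$findings
if ($findings -match '^TAMPERED') {
    Write-Warning 'Memory Management and BCD changes take effect at boot; reboot after remediation.'
}
```

The registry checks compare against the exact values the sample writes rather than against "anything non-default", so a host where an administrator deliberately set FeatureSettingsOverride to another value is reported as OK; widen the comparison if that is not the policy you want. Pair the audit with a process-creation rule for reg.exe, bcdedit.exe and sc.exe carrying these same arguments, since the values themselves are trivial to rewrite.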