Analysis Overview
SHA256
27fa9de0fad33e7dbed3a1d5d1c50fe843574062a87b34fb3617be1c77ba1391
Threat Level: Likely malicious
The file Spoofer.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Stops running service(s)
Adds Run key to start application
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 13:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 13:20
Reported
2024-04-04 13:23
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Downloads MZ/PE file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RebrandPanel = "C:\\ProgramData\\MonsterLoader\\DRae8u8OCyxP8i0tFpC8GxWBoKCzOSwi.exe" | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store.monsterservice.xyz | udp |
| VN | 103.200.22.212:443 | store.monsterservice.xyz | tcp |
| US | 8.8.8.8:53 | 212.22.200.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/2332-0-0x000001CBEA580000-0x000001CBEA7A6000-memory.dmp
memory/2332-3-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp
memory/2332-1-0x00007FFF169A0000-0x00007FFF17461000-memory.dmp
memory/2332-2-0x000001CBECEA0000-0x000001CBED2A6000-memory.dmp
memory/2332-4-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp
memory/2332-5-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp
memory/2332-6-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp
C:\Users\Admin\AppData\Local\RebrandPanel\Spoofer.exe_Url_rzimjvkqzs3p25w0ufvllpw5uauqzjcy\1.0.0.0\user.config
| MD5 | 536a33ecf0fb78cfb1fcd47a4383f3be |
| SHA1 | fbeb0fd002dfb9275a7ca907469b5ba7ef49912a |
| SHA256 | 39de6fc661b8668d4a390e1b6cf7738aa1d92de643979faedda77f42233bd718 |
| SHA512 | e755ee08a771748418054e6a879eedfa47998dba3a5fea86a20f44eb2d31ad43dc4649039d9fe5248c7b66f5f85e97fa7d0defd3de9691bdca9b4faecbda3f13 |
C:\Users\Admin\AppData\Local\RebrandPanel\Spoofer.exe_Url_rzimjvkqzs3p25w0ufvllpw5uauqzjcy\1.0.0.0\user.config
| MD5 | 05c3e4429f24328a7f1d975027291a6f |
| SHA1 | e056876d6d73f20cd2c84bc34ed83f921a7da10a |
| SHA256 | f2075f63ad8eca2f767e295064d157d32c627267ad6cac1eb73992f9c6f09c88 |
| SHA512 | e062658cff25d7a01b203f5ed60cf34fdd6f9fb7ab4189c046f0c6288e6951d0c680de77596e8bd86debf0738385a6f3438913bee861cd0e68f8c62b22ee497d |
memory/2332-20-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp
memory/2332-23-0x00007FFF169A0000-0x00007FFF17461000-memory.dmp
memory/2332-25-0x00007FFF169A0000-0x00007FFF17461000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 13:20
Reported
2024-04-04 13:23
Platform
win7-20240220-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set hypervisorlaunchtype off
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop vgk
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im vgtray.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im FACEIT.exe
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
C:\Windows\system32\taskkill.exe
taskkill /f /im vgtray.exe
C:\Windows\system32\sc.exe
sc stop vgk
C:\Windows\system32\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f
C:\Windows\system32\taskkill.exe
taskkill /f /im FACEIT.exe
C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | store.monsterservice.xyz | udp |
| VN | 103.200.22.212:443 | store.monsterservice.xyz | tcp |
Files
memory/2064-0-0x0000000000310000-0x0000000000536000-memory.dmp
memory/2064-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2064-2-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2064-3-0x000000001C570000-0x000000001C976000-memory.dmp
memory/2064-4-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2064-5-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2064-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2064-7-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2064-8-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2064-9-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2064-10-0x000000001BAF0000-0x000000001BB70000-memory.dmp
memory/2480-15-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/2480-17-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp
memory/2480-16-0x0000000002890000-0x0000000002898000-memory.dmp
memory/2480-18-0x0000000002290000-0x0000000002310000-memory.dmp
memory/2480-20-0x0000000002290000-0x0000000002310000-memory.dmp
memory/2480-19-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp
memory/2480-21-0x0000000002290000-0x0000000002310000-memory.dmp
memory/2480-22-0x0000000002290000-0x0000000002310000-memory.dmp
memory/2480-23-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp
memory/2064-24-0x000007FEF5690000-0x000007FEF607C000-memory.dmp