Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qlks6ahe82
Target Spoofer.exe
SHA256 27fa9de0fad33e7dbed3a1d5d1c50fe843574062a87b34fb3617be1c77ba1391
Tags
persistence evasion ransomware
score
9/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
9/10

SHA256

27fa9de0fad33e7dbed3a1d5d1c50fe843574062a87b34fb3617be1c77ba1391

Threat Level: Likely malicious

The file Spoofer.exe was found to be: Likely malicious.

Taken together, the two detonations are consistent with a game anti-cheat "spoofer" loader rather than ransomware. On the Windows 7 run the sample spawns cmd.exe children that switch off virtualization-based security (DeviceGuard\EnableVirtualizationBasedSecurity = 0), the Microsoft vulnerable driver blocklist (CI\Config\VulnerableDriverBlocklistEnable = 0) and the Spectre v2 / Meltdown kernel mitigations (FeatureSettingsOverride = 3 with FeatureSettingsOverrideMask = 3), disable the Hyper-V hypervisor with bcdedit /set hypervisorlaunchtype off, attempt to remove the Hyper-V optional feature through PowerShell with -ExecutionPolicy Bypass, stop the Riot Vanguard driver service (sc stop vgk) and kill its tray client (vgtray.exe) and the FACEIT client (FACEIT.exe). On the Windows 10 run it persists through a Run value (RebrandPanel) in the logged-on user's hive pointing at C:\ProgramData\MonsterLoader\, and both runs contact store.monsterservice.xyz at 103.200.22.212:443 over TCP. The ransomware tag is driven by the bcdedit signature alone: the only bcdedit change observed is hypervisorlaunchtype off, and neither detonation shows file encryption. The user.config written under AppData\Local\RebrandPanel\Spoofer.exe_Url_...\1.0.0.0\ is the .NET user-scoped settings location, which indicates the sample is a .NET assembly.

Malicious Activity Summary

persistence evasion ransomware

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Stops running service(s)

Adds Run key to start application

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Techniques observed in the detonations:

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RebrandPanel Run value, behavioral2)
T1562.001 Impair Defenses: Disable or Modify Tools (VBS, vulnerable driver blocklist and kernel mitigations switched off; hypervisor disabled; vgk stopped; vgtray.exe and FACEIT.exe killed)
T1112 Modify Registry (reg.exe adds under HKLM\SYSTEM\CurrentControlSet\Control)
T1489 Service Stop (sc stop vgk)
T1059.003 Command and Scripting Interpreter: Windows Command Shell (cmd.exe /c wrappers around every tool)
T1059.001 Command and Scripting Interpreter: PowerShell (Disable-WindowsOptionalFeature with -ExecutionPolicy Bypass)
T1105 Ingress Tool Transfer (Downloads MZ/PE file)
T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:20

Reported

2024-04-04 13:23

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Signatures

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RebrandPanel = "C:\\ProgramData\\MonsterLoader\\DRae8u8OCyxP8i0tFpC8GxWBoKCzOSwi.exe" C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A
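Added example, not code from the sandbox report or the sample: Python that parses the Set value indicator above into its Win32 form, confirms the key is an autostart location, extracts the executable that will be launched at logon, and checks whether it lives in a user-writable directory and whether the report's file list captured it (here it did not, so the persisted binary cannot be hashed from this report alone). The indicator line and the file list are embedded as constructed copies of the values in this section; the Autorun class and function names are this example's own.

```python
"""Added example: triage a sandbox 'Set value' registry indicator for
autostart persistence.  Not code from the report; inputs below are constructed
copies of the behavioral2 persistence and file entries."""
import re
from dataclasses import dataclass

_SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)"$')
_SID = re.compile(r"^S-1-5-21(-\d+)+$")

AUTOSTART_SUBKEYS = (
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN",
    r"SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)
# Directories a standard user can write to; an autostart target here deserves
# more suspicion than one under Program Files or System32.
USER_WRITABLE = ("C:\\PROGRAMDATA", "\\APPDATA\\", "\\TEMP\\", "C:\\USERS\\PUBLIC")


@dataclass(frozen=True)
class Autorun:
    hive: str             # "HKLM" or "HKU\<SID>"
    scope: str            # "machine" or "user"
    subkey: str           # Win32 key path below the hive
    name: str             # value name
    target: str           # executable launched at logon
    user_writable: bool   # target sits in a user-writable directory
    in_report_files: bool # target appears in the report's file list


def nt_to_win32(path):
    r"""Map \REGISTRY\MACHINE\X to ('HKLM', 'X') and \REGISTRY\USER\<SID>\X to ('HKU\<SID>', 'X')."""
    parts = path.lstrip("\\").split("\\")
    if len(parts) < 2 or parts[0].upper() != "REGISTRY":
        raise ValueError(f"not an NT registry path: {path}")
    if parts[1].upper() == "MACHINE":
        return "HKLM", "\\".join(parts[2:])
    if parts[1].upper() == "USER" and len(parts) > 2 and _SID.match(parts[2]):
        return "HKU\\" + parts[2], "\\".join(parts[3:])
    raise ValueError(f"unsupported hive in: {path}")


def executable_from_data(data):
    """Executable from a Run-value command string (sandbox output doubles backslashes).

    A quoted command yields the quoted part.  An unquoted path containing spaces
    is ambiguous for CreateProcess, so the first run ending in .exe is taken."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def triage_set_value(line, report_files=()):
    """Return an Autorun for a write to an autostart key, or None otherwise."""
    m = _SET_VALUE.match(line)
    if not m:
        return None
    hive, full = nt_to_win32(m.group("path"))
    subkey, _, name = full.rpartition("\\")
    if subkey.upper() not in AUTOSTART_SUBKEYS:
        return None
    target = executable_from_data(m.group("data"))
    up = target.upper()
    return Autorun(
        hive=hive,
        scope="machine" if hive == "HKLM" else "user",
        subkey=subkey, name=name, target=target,
        user_writable=any(d in up for d in USER_WRITABLE),
        in_report_files=any(f.upper() == up for f in report_files),
    )


# Constructed input: the indicator line from the table above and the report's
# behavioral2 file list (which does not contain the Run-key target).
SAMPLE_LINE = (r'Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000'
               r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RebrandPanel = '
               r'"C:\\ProgramData\\MonsterLoader\\DRae8u8OCyxP8i0tFpC8GxWBoKCzOSwi.exe"')
REPORT_FILES = [
    r"C:\Users\Admin\AppData\Local\RebrandPanel\Spoofer.exe_Url_rzimjvkqzs3p25w0ufvllpw5uauqzjcy\1.0.0.0\user.config",
]

if __name__ == "__main__":
    print(triage_set_value(SAMPLE_LINE, REPORT_FILES))
```

The in_report_files flag is the practical takeaway: the Run value names a binary that the Files section never lists, so the "Downloads MZ/PE file" signature and this persistence entry point at a payload that has to be recovered from the host or a fresh detonation, not from this report.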

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 store.monsterservice.xyz udp
VN 103.200.22.212:443 store.monsterservice.xyz tcp
US 8.8.8.8:53 212.22.200.103.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/2332-0-0x000001CBEA580000-0x000001CBEA7A6000-memory.dmp

memory/2332-3-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp

memory/2332-1-0x00007FFF169A0000-0x00007FFF17461000-memory.dmp

memory/2332-2-0x000001CBECEA0000-0x000001CBED2A6000-memory.dmp

memory/2332-4-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp

memory/2332-5-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp

memory/2332-6-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp

C:\Users\Admin\AppData\Local\RebrandPanel\Spoofer.exe_Url_rzimjvkqzs3p25w0ufvllpw5uauqzjcy\1.0.0.0\user.config

MD5 536a33ecf0fb78cfb1fcd47a4383f3be
SHA1 fbeb0fd002dfb9275a7ca907469b5ba7ef49912a
SHA256 39de6fc661b8668d4a390e1b6cf7738aa1d92de643979faedda77f42233bd718
SHA512 e755ee08a771748418054e6a879eedfa47998dba3a5fea86a20f44eb2d31ad43dc4649039d9fe5248c7b66f5f85e97fa7d0defd3de9691bdca9b4faecbda3f13

C:\Users\Admin\AppData\Local\RebrandPanel\Spoofer.exe_Url_rzimjvkqzs3p25w0ufvllpw5uauqzjcy\1.0.0.0\user.config

MD5 05c3e4429f24328a7f1d975027291a6f
SHA1 e056876d6d73f20cd2c84bc34ed83f921a7da10a
SHA256 f2075f63ad8eca2f767e295064d157d32c627267ad6cac1eb73992f9c6f09c88
SHA512 e062658cff25d7a01b203f5ed60cf34fdd6f9fb7ab4189c046f0c6288e6951d0c680de77596e8bd86debf0738385a6f3438913bee861cd0e68f8c62b22ee497d

memory/2332-20-0x000001CBECE90000-0x000001CBECEA0000-memory.dmp

memory/2332-23-0x00007FFF169A0000-0x00007FFF17461000-memory.dmp

memory/2332-25-0x00007FFF169A0000-0x00007FFF17461000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:20

Reported

2024-04-04 13:23

Platform

win7-20240220-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Stops running service(s)

evasion

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2064 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2536 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2536 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2692 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2660 wrote to memory of 2500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2660 wrote to memory of 2500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2676 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2676 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2676 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2664 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2664 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2664 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2576 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2576 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2576 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2588 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2588 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2588 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2680 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2680 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2680 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set hypervisorlaunchtype off

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop vgk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /im vgtray.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /im FACEIT.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

C:\Windows\system32\taskkill.exe

taskkill /f /im vgtray.exe

C:\Windows\system32\sc.exe

sc stop vgk

C:\Windows\system32\reg.exe

reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f

C:\Windows\system32\taskkill.exe

taskkill /f /im FACEIT.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off
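Added example, not code from the sandbox report or the sample: detection logic in Python run over the nine cmd.exe command lines listed above, embedded as a constructed copy. It strips the cmd.exe /c wrapper, parses the reg add, bcdedit, sc, taskkill and powershell invocations, and flags each one that disables a Windows protection or an anti-cheat component, with the ATT&CK technique it maps to. It goes one step beyond this sample: the bcdedit table also covers recoveryenabled and bootstatuspolicy, the recovery-tampering elements typical of ransomware, so the hypervisorlaunchtype change seen here can be told apart from them. The Finding class, PROTECTED/BCD_ELEMENTS/ANTICHEAT tables and function names are this example's own.

```python
"""Added example: flag security-feature tampering in Windows process command
lines.  Not code from the report or the sample; SAMPLE_CMDLINES below is a
constructed copy of the nine cmd.exe children listed in the Processes section."""
import re
from dataclasses import dataclass

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

# Registry values that switch off a protection: normalised path -> (disabling data, effect).
PROTECTED = {
    r"HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\DEVICEGUARD\ENABLEVIRTUALIZATIONBASEDSECURITY":
        (0, "virtualization-based security (VBS) disabled"),
    r"HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\CI\CONFIG\VULNERABLEDRIVERBLOCKLISTENABLE":
        (0, "Microsoft vulnerable driver blocklist disabled"),
    r"HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT\FEATURESETTINGSOVERRIDE":
        (3, "Spectre v2 / Meltdown kernel mitigations disabled (override=3)"),
    r"HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT\FEATURESETTINGSOVERRIDEMASK":
        (3, "Spectre v2 / Meltdown kernel mitigations disabled (mask=3)"),
}
# bcdedit elements: the first is what this sample sets; the other two are the
# recovery tampering typical of ransomware, listed so the two can be told apart.
BCD_ELEMENTS = {
    "hypervisorlaunchtype": ("off", "Hyper-V hypervisor disabled at boot (VBS/HVCI lose their base)"),
    "recoveryenabled": ("no", "Windows Recovery Environment disabled"),
    "bootstatuspolicy": ("ignoreallfailures", "boot-failure recovery prompts suppressed"),
}
# Anti-cheat components this sample targets (service name or image name, lower case).
ANTICHEAT = {"vgk": "Riot Vanguard driver service",
             "vgtray.exe": "Riot Vanguard tray client",
             "faceit.exe": "FACEIT anti-cheat client"}


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ATT&CK Enterprise technique ID
    effect: str
    command: str


_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def unwrap_cmd(tokens):
    """Drop a leading cmd.exe /c (or /k) wrapper so the inner tool is token 0."""
    if len(tokens) > 2 and tokens[0].lower().endswith("cmd.exe") and tokens[1].lower() in ("/c", "/k"):
        return tokens[2:]
    return tokens


def opt(tokens, flag):
    """Token following a case-insensitive switch such as /v, /d or /im, else None."""
    low = [t.lower() for t in tokens]
    i = low.index(flag) if flag in low else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None


def norm_key(key):
    """Expand hive aliases and upper-case so HKLM\\... and HKEY_LOCAL_MACHINE\\... compare equal."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).upper()


def reg_data(text):
    try:
        return int(text, 0)        # "0", "3" and "0x000000" all parse as integers
    except ValueError:
        return text


def analyze(cmdline):
    """Findings for one process command line; an empty list means nothing was flagged."""
    toks = unwrap_cmd(tokenize(cmdline))
    if not toks:
        return []
    tool = toks[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    args = [t.lower() for t in toks[1:]]
    out = []
    if tool == "reg" and args[:1] == ["add"] and len(toks) > 2:
        path = norm_key(toks[2]) + "\\" + (opt(toks, "/v") or "").upper()
        if path in PROTECTED and reg_data(opt(toks, "/d") or "") == PROTECTED[path][0]:
            out.append(Finding("T1562.001", PROTECTED[path][1], cmdline))
    elif tool == "bcdedit" and "/set" in args:
        for elem, (bad, effect) in BCD_ELEMENTS.items():
            if elem in args and args[args.index(elem) + 1:args.index(elem) + 2] == [bad]:
                out.append(Finding("T1562.001", effect, cmdline))
    elif tool == "sc" and args[:1] == ["stop"] and len(args) > 1:
        out.append(Finding("T1489", f"service stopped: {args[1]} ({ANTICHEAT.get(args[1], 'unknown')})", cmdline))
    elif tool == "taskkill" and opt(args, "/im"):
        img = opt(args, "/im")
        out.append(Finding("T1562.001", f"process killed: {img} ({ANTICHEAT.get(img, 'unknown')})", cmdline))
    elif tool == "powershell" and re.search(r"disable-windowsoptionalfeature.*-featurename\s+microsoft-hyper-v", " ".join(args)):
        out.append(Finding("T1562.001", "Hyper-V optional feature removal attempted", cmdline))
    return out


def triage(cmdlines):
    return [f for c in cmdlines for f in analyze(c)]


# Constructed input: the cmd.exe children from the behavioral1 Processes list.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000 /f',
    r'"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f',
    r'"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f',
    r'"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f',
    r'"C:\Windows\System32\cmd.exe" /c bcdedit /set hypervisorlaunchtype off',
    r'"C:\Windows\System32\cmd.exe" /c powershell.exe -ExecutionPolicy Bypass -Command \"Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All',
    r'"C:\Windows\System32\cmd.exe" /c sc stop vgk',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /f /im vgtray.exe',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /f /im FACEIT.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.technique:10} {f.effect}")
```

The reg add check compares the parsed data against the disabling value, so a script that sets EnableVirtualizationBasedSecurity back to 1 is not flagged, and the hive normalisation means the two spellings the sample uses (HKLM and HKEY_LOCAL_MACHINE) hit the same table entry.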

Network

Country Destination Domain Proto
US 8.8.8.8:53 store.monsterservice.xyz udp
VN 103.200.22.212:443 store.monsterservice.xyz tcp

Files

memory/2064-0-0x0000000000310000-0x0000000000536000-memory.dmp

memory/2064-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2064-2-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2064-3-0x000000001C570000-0x000000001C976000-memory.dmp

memory/2064-4-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2064-5-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2064-6-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2064-7-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2064-8-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2064-9-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2064-10-0x000000001BAF0000-0x000000001BB70000-memory.dmp

memory/2480-15-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/2480-17-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

memory/2480-16-0x0000000002890000-0x0000000002898000-memory.dmp

memory/2480-18-0x0000000002290000-0x0000000002310000-memory.dmp

memory/2480-20-0x0000000002290000-0x0000000002310000-memory.dmp

memory/2480-19-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

memory/2480-21-0x0000000002290000-0x0000000002310000-memory.dmp

memory/2480-22-0x0000000002290000-0x0000000002310000-memory.dmp

memory/2480-23-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

memory/2064-24-0x000007FEF5690000-0x000007FEF607C000-memory.dmp