Resubmissions
  Submitted            Task ID              Score
  23/04/2024, 17:35    240423-v53wasac31    6
  11/04/2024, 12:44    240411-pyy1waeh5v    6
  11/04/2024, 12:19    240411-phjagsee51    6
  11/04/2024, 11:59    240411-n5sa8seb81    6

Analysis
  max time kernel: 922s
  max time network: 962s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/04/2024, 17:35
Static task
  static1

General
  Target: SparkControl_V3.2.0.4663_Setup.exe
  Size: 434.6MB
  MD5: 9c348b6a69eacdcc17417f3901b1e53d
  SHA1: 2c61a15c4876644cc3ddab44700b13654c065cf8
  SHA256: a5a1dc28621d755a63091c586d1637e035af4da1751c98afbedd667fba61c526
  SHA512: 2f8aa3c8add398fee7201fcfe6e737bb05428bdce0e87dc58195ff2027ea013dbb3d00a41dba962d3d898d15755d13b72f4ddf8c741831dde4283225a4a55e61
  SSDEEP: 12582912:xx5xH3JoQ9m2IP0P49BkZXPBk4TeKIQr1ww4F7aLvoTOLAmErCcxBAvm5W4qEe5I:xxjH3JoQ9m2IP0A9BkZ5k4THr1wHF7a8
Malware Config
Signatures

Checks whether UAC is enabled
  description         ioc                                                                                   Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   SparkControl_V3.2.0.4663_Setup.exe

Checks installed software on the system   1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Executes dropped EXE   1 IoCs
  pid   Process
  216   SparkControl_V3.2.0.4663_Setup.exe

Loads dropped DLL   5 IoCs
  pid   Process
  216   SparkControl_V3.2.0.4663_Setup.exe   (5 entries, all PID 216)

Program crash   2 IoCs
  pid    pid_target   Process        procid_target
  3784   216          WerFault.exe   92
  1696   216          WerFault.exe   92

Checks SCSI registry key(s)   3 TTPs   3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description         ioc                                                                                                                                        Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                            taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                               taskmgr.exe

Suspicious behavior: EnumeratesProcesses   64 IoCs
  pid    Process
  4184   taskmgr.exe   (64 entries, all PID 4184)

Suspicious behavior: GetForegroundWindowSpam   1 IoCs
  pid    Process
  4184   taskmgr.exe

Suspicious use of AdjustPrivilegeToken   5 IoCs
  description                         pid    Process
  Token: SeDebugPrivilege             4184   taskmgr.exe
  Token: SeSystemProfilePrivilege     4184   taskmgr.exe
  Token: SeCreateGlobalPrivilege      4184   taskmgr.exe
  Token: 33                           4184   taskmgr.exe
  Token: SeIncBasePriorityPrivilege   4184   taskmgr.exe

Suspicious use of FindShellTrayWindow   64 IoCs
  pid    Process
  4184   taskmgr.exe   (64 entries, all PID 4184)

Suspicious use of SendNotifyMessage   64 IoCs
  pid    Process
  4184   taskmgr.exe   (64 entries, all PID 4184)

  Note: the SCSI registry reads and the five signatures above are all raised by taskmgr.exe (PID 4184), which appears in the process list below as a separate top-level process and not as a child of the sample; they describe the analysis VM's Task Manager session, not the installer.

Suspicious use of WriteProcessMemory   3 IoCs
  description                       pid    Process                              procid_target
  PID 2252 wrote to memory of 216   2252   SparkControl_V3.2.0.4663_Setup.exe   92
  (3 identical entries)
  The target, PID 216, is the child that PID 2252 had just launched, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

  "C:\Users\Admin\AppData\Local\Temp\SparkControl_V3.2.0.4663_Setup.exe"
    PID: 2252
    - Suspicious use of WriteProcessMemory

      "C:\Users\Admin\AppData\Local\Temp\{D3505325-C46C-451C-AB31-501716C81EFA}\.cr\SparkControl_V3.2.0.4663_Setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\SparkControl_V3.2.0.4663_Setup.exe"
        PID: 216
        - Checks whether UAC is enabled
        - Executes dropped EXE
        - Loads dropped DLL

          C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1432
            PID: 3784
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1496
            PID: 1696
            - Program crash

  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 216 -ip 216
    PID: 1784

  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 216 -ip 216
    PID: 3092

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    PID: 3100

  "C:\Windows\system32\taskmgr.exe" /7
    PID: 4184
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5832 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    PID: 2640

  Reading the tree: the submitted file is a WiX Burn bundle. Burn copies its engine into a fresh {GUID}\.cr\ directory under %TEMP% and re-launches it with -burn.clean.room= pointing back at the original bundle, which is exactly what PID 2252 launching PID 216 shows; the bootstrapper application (Tecan.At.Dragonfly.WixBundleUI.dll and BootstrapperCore.config, listed under Downloads) is extracted to a separate {GUID}\.ba\ directory. The 718KB clean-room copy is the engine only, not the 434.6MB bundle, so its hashes are not expected to match the sample's. The re-launched engine (PID 216) then crashed twice; all four WerFault.exe processes (two spawned under PID 216 and two top-level -pss instances) reference PID 216 and no other process. taskmgr.exe (PID 4184) and the two msedge.exe utility processes are top-level processes of the analysis VM, not descendants of the sample, so the signatures listed under taskmgr.exe belong to the Task Manager session rather than to the installer.
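Added example, not part of the Triage report: a small Python triage helper that rebuilds the process tree from the PIDs above and attributes the registry-based signatures (EnableLUA, Uninstall, SCSI Enum) to the processes that raised them, so that hits from the analysis VM's own Task Manager are separated from the sample's. The event lines are constructed from the PIDs, image names and registry keys in the report; the "proc"/"reg" line format, the parent PID 0 for top-level processes, the Uninstall subkey name and the function names are assumptions made for this example.

```python
"""Attribute registry-based sandbox signatures to the sample's process tree.

Added example, not part of the Triage report. EVENTS below is a constructed
log whose PIDs, image names and registry keys are copied from the report;
the "proc"/"reg" line format is an assumption made for this example.
"""
import re
from collections import defaultdict

# Constructed events: "proc <pid> <ppid> <image>" and "reg <pid> <key>".
# The parent of the two top-level processes is written as 0 because the
# report does not show it, and the Uninstall subkey "Example" is a
# placeholder (the report only says Uninstall entries were looked up).
EVENTS = r"""
proc 2252 0 SparkControl_V3.2.0.4663_Setup.exe
proc 216 2252 SparkControl_V3.2.0.4663_Setup.exe
proc 3784 216 WerFault.exe
proc 1696 216 WerFault.exe
proc 4184 0 taskmgr.exe
reg 216 \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
reg 216 \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example
reg 4184 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
"""

# Signature name -> pattern over the registry key path. Case-insensitive,
# as registry paths themselves are.
RULES = {
    "Checks whether UAC is enabled": re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
    "Checks installed software on the system": re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I),
    "Checks SCSI registry key(s)": re.compile(r"\\Enum\\SCSI\\", re.I),
}


def parse_events(text):
    """Return ({pid: (ppid, image)}, [(pid, key), ...]) from the event log."""
    procs, reg = {}, []
    for line in text.strip().splitlines():
        kind, rest = line.split(" ", 1)
        if kind == "proc":
            pid, ppid, image = rest.split(" ", 2)
            procs[int(pid)] = (int(ppid), image)
        elif kind == "reg":
            pid, key = rest.split(" ", 1)
            reg.append((int(pid), key))
    return procs, reg


def descendants(procs, root):
    """PIDs of root plus every process spawned (transitively) beneath it."""
    tree = {root}
    grew = True
    while grew:  # repeat until no new child is found, whatever the log order
        grew = False
        for pid, (ppid, _) in procs.items():
            if ppid in tree and pid not in tree:
                tree.add(pid)
                grew = True
    return tree


def attribute(procs, reg, root):
    """Map each signature to the set of (pid, image, in_sample_tree) that raised it."""
    tree = descendants(procs, root)
    hits = defaultdict(set)
    for pid, key in reg:
        image = procs.get(pid, (None, "<unknown>"))[1]
        for name, pattern in RULES.items():
            if pattern.search(key):
                hits[name].add((pid, image, pid in tree))
    return dict(hits)


def sample_signatures(procs, reg, root):
    """True for signatures raised inside the sample's tree, False for those
    raised only by unrelated processes (here the analyst's taskmgr.exe)."""
    return {name: any(in_tree for _, _, in_tree in who)
            for name, who in attribute(procs, reg, root).items()}


if __name__ == "__main__":
    procs, reg = parse_events(EVENTS)
    for name, ours in sample_signatures(procs, reg, 2252).items():
        print(f"{'SAMPLE' if ours else 'OTHER ':<7} {name}")
```

Run stand-alone it labels the EnableLUA and Uninstall lookups SAMPLE (PID 216 is in the tree rooted at 2252) and the SCSI read OTHER (PID 4184 is not). Feeding it real Sysmon or Procmon registry events only requires replacing parse_events with a reader for that format; the tree walk and the rules stay the same.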
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Local\Temp\{D3505325-C46C-451C-AB31-501716C81EFA}\.cr\SparkControl_V3.2.0.4663_Setup.exe
    Filesize: 718KB
    MD5: 7f87b65007018d8a50d451593303bc62
    SHA1: 78888623b648f4ae8f4a74817e3ff1bbf2f15b4f
    SHA256: e828e5f8177258cba473621f7d254ccce9466c9660ffaba0aa08ae33278e8cb7
    SHA512: 7087ab18f94f5d535b216df8f09f3d40e5c21aa055ad8c43a404e308aab35642b09a5d883e3219de4f928e5ac45c3f5e2c6bde5e0758732186134c611b5d1869

  C:\Users\Admin\AppData\Local\Temp\{DE44B95A-B59B-46E4-AC07-CC8936AA902F}\.ba\BootstrapperCore.config
    Filesize: 723B
    MD5: 78ded86fd983e8038a10b45818156a20
    SHA1: d306f5ee3aec3c10a0888d9f9b0c7fe68ff8ba4c
    SHA256: 555e73c5bce79c8b7173f00b402fe38c1e2b3bc54af318d5253461469ad2a704
    SHA512: 8a83cd4539dfffa2fefd36e91519d95881c45d91fdd78c8da0744f377d88babc31c7c2ace8fa94bf84364d6c9a3c7c29fe00372b2392267be73853698650c537

  (path not listed in the report)
    Filesize: 80KB
    MD5: 6ec4f758cf5aaff961998e3e91fda644
    SHA1: 34fb5a54ab65da1e11bbb8bce1e422e362338da7
    SHA256: e5b064589d741bdbac1f45be8867d62551ef3a36868db0cafe98f0ca483421ba
    SHA512: 025fc05b0a9768354692624ad8db4fe4a80945dace304bf475f89d45873b2fe93fa464360d09b075d8ac81f60f9aba2b3d7933fb4272f649b496767d2727fe9c

  C:\Users\Admin\AppData\Local\Temp\{DE44B95A-B59B-46E4-AC07-CC8936AA902F}\.ba\Tecan.At.Dragonfly.WixBundleUI.dll
    Filesize: 111KB
    MD5: 3891be0e321acad81706080c842b6cf3
    SHA1: dc552f82aa4eb4ce53de04bf86d4a355bc1241b2
    SHA256: e95f9507b9625877ddec0e8878c3aa6e9058d19cd75a0636730aa903c5277b6e
    SHA512: f7a7a2696b4be513dd9b0e5b5556fef2a046100b9cec6b9a7274f3e16181c334863c59472197ece8ca8ce3094784df94ee2110c835043572486371555ae55956

  (path not listed in the report)
    Filesize: 109KB
    MD5: 1256e752d8c35dd3c3e3563562879ddf
    SHA1: c4e8d13931f0e18bd6f6e9a8f618548fe4b58aea
    SHA256: 6adc2a6b25dea73648e6df7c311d291862fca06b2a907af33b76fd2dd9ff12f7
    SHA512: 00de447d37a2aa622fdba3eba18fa2ca6476127bde147f7aa82481eee3d8c43462439ef1d6892eaca85eaa111ba99f5771f5c8d9d8f7cdd591284ee02fd2fb3f