Overview (10)
Static (7)
Tasks on windows7-x64 (score per file):
SpySheriff.zip: 1
IESecurity.dll: 6
ProcMon.dll: 1
ReadME.txt: 1
SpySheriff.dvm: 3
SpySheriff.exe: 7
Uninstall.exe: 1
base.avd: 3
base001.avd: 3
base002.avd: 3
found.wav: 1
heur000.dll: 1
heur001.dll: 1
heur002.dll: 4
heur003.dll: 10
notfound.wav: 1
removed.wav: 1

General
Target: SpySheriff.zip
Size: 1.3MB
Sample: 240423-wp4y4aae79
MD5: 5ec70a62b7fa20507ab4b70c3389bb37
SHA1: 68ee641337d66b3d6c31dd7f0729afbf2bbdc069
SHA256: d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d
SHA512: 0a11577e6ca68124741cf9d3f9357839cd28e83b60a074b06065a962102c14401ecd7035042b9197263ca42626b14e18356d4d413fb2217f52cfe93009cb56e8
SSDEEP: 24576:VNgDMZ96GXyY03689pDhw0Ifxpa+7FLzMrn7a7gIWAxZjD9YenhEdNxA1P:7c05yY2vDhAraskS7p/NY2KA1P
Behavioral tasks (sample, resource)
behavioral1: SpySheriff.zip (win7-20240221-en)
behavioral2: IESecurity.dll (win7-20240221-en)
behavioral3: ProcMon.dll (win7-20240215-en)
behavioral4: ReadME.txt (win7-20240221-en)
behavioral5: SpySheriff.dvm (win7-20231129-en)
behavioral6: SpySheriff.exe (win7-20240215-en)
behavioral7: Uninstall.exe (win7-20240221-en)
behavioral8: base.avd (win7-20240221-en)
behavioral9: base001.avd (win7-20240220-en)
behavioral10: base002.avd (win7-20240221-en)
behavioral11: found.wav (win7-20240221-en)
behavioral12: heur000.dll (win7-20240215-en)
behavioral13: heur001.dll (win7-20231129-en)
behavioral14: heur002.dll (win7-20240221-en)
behavioral15: heur003.dll (win7-20240220-en)
behavioral16: notfound.wav (win7-20240221-en)
behavioral17: removed.wav (win7-20240221-en)
Malware Config

Targets

Target: SpySheriff.zip
Size: 1.3MB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: as listed under General
Score: 1/10

Target: IESecurity.dll
Size: 41KB
MD5: 04ea7f07722c9c03cf932876a841183a
SHA1: cfb77d3970be7037dcdd887e862d7bbbf4855640
SHA256: f407f96d71d6fa7597ce85abb9ba4bdd95d02fe7f2ef46f0c343a4a0d6115c0d
SHA512: bc70b4a7fc5cf8a6edc01a53e8a0c216ea3c7c81daa6020b35326dfe2db28d1851b7d558e023af2295aa58ab10285ba016aea9fe950f9bbc3a3722f3ae5beea9
SSDEEP: 768:VgTrL1xJddyW9QtPW1pVHkmTHzHtCo9vQDbUGTO:VS/JGUQtPWhEmTHzHAo1QDbUGTO

Target: ProcMon.dll
Size: 32KB
MD5: 894745b78819bfe885a068b5412dd192
SHA1: 75d24b9c7bee65f2b088f58f4e422c744f7eeeba
SHA256: acb1ceb5a01227cb6506c30c5693387441be1c3af0e69eae3d07092075c995a8
SHA512: 3a8f311dad8abeb772531779592df96a18d1e5cfd643692e3b2485f5fbf381f91406ab12e121e8bdb2867b1a7d5b59a86e5e73e34d3a0ef792069fdac2a30a12
SSDEEP: 384:vQHejeETXLLxJ507mlvZysfqy7XJxo99p4jB+k/:TjeETXvR0WRi8XJxo99p4jB+
Score: 1/10
Target: ReadME.txt
Size: 438B
MD5: 31815edae18113dd40e47953fbd86a5c
SHA1: 179e36a58b1d3d9a212d6385d9adac39950b9577
SHA256: 435ee366a17ea1a2c29473928f77a6ce9c7e0745c57982afdc3629240f58ea87
SHA512: e9565fea21206a89e3dd5ea23684cfe60aa6921fefb57c6100a44335e777fbfabb7616ccdaefa441045e02ce8cf3e54b9edca98590641b844a7c5f1fa75ad336
Score: 1/10

Target: SpySheriff.dvm
Size: 100B
MD5: 4a656c63897ca241f5b162b885510c82
SHA1: 63b6590ee77ca9f52570d79fda2c6043d3dc112b
SHA256: e36b521029b99d1698724aa08c817d15382a27a81a7c736c12145364e2e94432
SHA512: a7001315e46f0478731e8f42f02ec25fa84f5e332477fb1517dd4a7fec1bd53ec15f9c177e280a9c513815f9496e94bd1674e504260d200b54cdeee4756e4f31
Score: 3/10

Target: SpySheriff.exe
Size: 403KB
MD5: c899f93e8b753fedd068ef3fe2edb0fd
SHA1: 144b1f18d0e307d14937c21ca1d7cbfc91828a10
SHA256: 5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47
SHA512: 1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b
SSDEEP: 12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD
Signatures:
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Modifies system executable filetype association
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Target: Uninstall.exe
Size: 36KB
MD5: a846e764e1b11edda7b233eed37b60f3
SHA1: 7c072ff57e369705cd64801c87c3618951890f53
SHA256: af0d7f1a4388da8050f3d3612513f5e0e190f783179502dc7fd099e1b3db8015
SHA512: b6363ccbe1bf2c9bfdcaa1afc6a9cbe22886abc32107c94dbcd74bd8de4146a466bc2d0bfeb1db1b5f036462cd31653f73e6273ed39ac4bd82a16e1f4c1621b9
SSDEEP: 384:4l1fU0XdOGml1ZWyyRnBnZWOh6ohsEeR0B958XCq4:AxdZys9Nh6oC0z55z
Score: 1/10

Target: base.avd
Size: 401KB
MD5: 5ce1bb147548e1424ee4794a03ffb252
SHA1: a47a088e3fbdf7c3885e7f4b30af24f51f495e64
SHA256: 6a20b1d7772edda460ff20333983eee22df3c6090c0128027e44692b623c6b14
SHA512: 3f62a70074a238b4aa8a3f980ffa88414e6aa4cea2cbad4646a3581e99827c0156a1dc45232efe7f0642745d5ce1204c5c5569694788cce0cb2f6fdac24cfdc7
SSDEEP: 12288:DBdq3/2agl3HgBzXOvOacnFp0wNl4MQpM1OeKAM0:TkuZyXOvyowUOOeLM0
Score: 3/10

Target: base001.avd
Size: 268B
MD5: 275c9b3d643f138225d0982245f54f9b
SHA1: a201aa1b25f0236630f190b1f088cad1a7aa2105
SHA256: 31b2a7ba93c459ef724e664505240ec8c0dfb495045ca3dda1094ab50f47d2ed
SHA512: 9c28ddc3cd080a9ab9a0a0a0bffd38fdea4e76ec2844b909a96db52824714f6b753a4d8fb55d10319cff348b59950812471f77694e90cb234593b5e09b9beba6
Score: 3/10

Target: base002.avd
Size: 15KB
MD5: 0c81faaf2e8a8668734e159e31367059
SHA1: 7a8f9f679c25de849b7185de7e5302bdeedea55b
SHA256: 5d68981bf1c14119b05b57a59ec918566c71e11da24a5b425e1d00a0324e9f95
SHA512: e59c03c4f70e3dbf0a043a1f9cac8f680738fd4b68527bf2be3070ed95429b460608f47c4261ab9672d9f0ee94edc42bae921370f3427a4e4870ac938b705e86
SSDEEP: 384:2GroxvfRKLZy6XxbV1pj071IzRqMx14pPtbeQVRNWONm+R:xGvp8xbvpASqE1eRM70
Score: 3/10
Target: found.wav
Size: 7KB
MD5: 3faef40d30921bd14fc16d8df716b930
SHA1: 88bff644c535012d4a0f306f5ab06b8e835086bd
SHA256: 7651066d2eca622e832125f0766d0aa7aecc6ff2fa72f07354f20abeb2b99208
SHA512: 7707e436b620ccb3acc733b101860dcf8315fd0687397e61f4e5957458b09ebab8bc85b25243eb54392c2be7e109cb53cc0952602381398efec68499039cfd08
SSDEEP: 192:jwwBnVSn6gGGywj1yhvdKgucgRk7KuhmKaV:jwwfpcj1yq/cdmuhmKaV
Score: 1/10

Target: heur000.dll
Size: 124KB
MD5: ca4822789da674e2ae4658ee4250adb5
SHA1: 58c3f3f15781cd775ce485f5c4d392b31bdbbe10
SHA256: 16e8d6dc3e1c3562f8f7e98d492c152965fc08d7cc57e3846e35de11af49092e
SHA512: 7022c63c100acc1cd2083f051ce37baa8a8e1dd1fad7c76e0ff90e05fc1c59356f9e2ae09402ca4f91bafece0c9ee52af804c52f05e6453d42bf3816542a61d7
SSDEEP: 3072:prQm5MC1bRoAwOSxoPMVsf0nQla8vxgs2N+r3rk:Km53RRgPvSCsDr3r
Score: 1/10

Target: heur001.dll
Size: 124KB
MD5: 840c8e9d2aaccc87d6dad1d409e45a10
SHA1: 41be046bf69a7a5bbf27b224554f42d81f5c9c47
SHA256: 68fe6616070f5d5d20b12ff020a6197ae93a93ae06d24bf6e872cc35862f758f
SHA512: ed9bf5b7252e26035e1c5779f7f4a065315970e206dc23463cc7dec07a0e890e0757c757a6ff4d910cff639b911b54b20acd488a2190dcc4ee29628b39eb4012
SSDEEP: 3072:WPJLnHOfXoAwOSxoPMVsf0nQla8vxgs2N+r3r+f:WPeRgPvSCsDr3r+f
Score: 1/10

Target: heur002.dll
Size: 117KB
MD5: ee21fd7fa9a45453ed55ccb7ce7b9aaa
SHA1: 335d0f3bad37dfc77cafa85b2f56c27688e64e7d
SHA256: 1f6a5cd4ec1e361925b80b7b4f18b77ff70f0d27d5f6bc043f605363f1f2ef05
SHA512: d8c244c3f188a9a348cf32f1982fe4a7ff7c5a21e45ef8a5a69033b7287fd1b83bf83de2659f9cdcd516e4bef17d84cec2f0a0abcb59108127f2c2ab771f865d
SSDEEP: 3072:p0WzeOMDsoAwOSxoPMVsf0nQla8vxgs2N+r3rYF:uWq/DsRgPvSCsDr3r
Score: 4/10
Target: heur003.dll
Size: 118KB
MD5: bb06f2c0d34812d455aecc790aab74d4
SHA1: b206b3f29a3823ac4dad859c13e32dfa1f5f92f0
SHA256: 45f6c21d358f56679acb89adeda25e296ab0eb5518eda33a175a1e22cfd71e19
SHA512: f5a4d616fa5e55072c360101216fee9a43c26572910d68ad2b7b68e8fbd3ad0f68aeaa84ffc6bbcbfb8c32e2e82eb2a6f0f5b51d33e640e70c4fd495222042ad
SSDEEP: 3072:+CL0FKkhYyoAwOSxoPMVsf0nQla8vxgs2N+r3rWM:+4Q9/RgPvSCsDr3r
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies AppInit DLL entries
- Modifies system executable filetype association

Target: notfound.wav
Size: 20KB
MD5: b6db2d81423853ca8e82bd42e04e9ab2
SHA1: cfe0832bd5b107c94a54dc3c64df930462955dcf
SHA256: 05c118e5a69fb0603c4e4d6357d3b92e3aca6e93883955eb9ec08110edc65fd5
SHA512: 56ab7ad06fa0e55f44674279e9957cb96b13b090c0a61dd613c062654c37da2bff3dcf4a7d765db313de7fa19bb859794d3c06dfdadca23e45acf7c5c5fa6c19
SSDEEP: 384:fWkYjsRliyvEwE5KDNYRcxHw6m6PV7WnG2q5FN2Kli+C:fuj04yvEwEM6Rcxjt4Bm0
Score: 1/10

Target: removed.wav
Size: 17KB
MD5: 082d41155c2566a41ddf75a8002ac6ee
SHA1: 8e0d5b0b6741701160eaff298c945ce7a4be6b9c
SHA256: 168e1e5ec4deb7183700a6ddebf65ab71621d704b89c8403c44f60b845680654
SHA512: 27a7e6c4bf743a261e83b9f209529cf3469aab27b8de87efdd4bdae64f2d7e3cd9474c9e80068e51aaa927d2920dfddac8e21e9e17b7ca9e6a333da029f819ec
SSDEEP: 384:BOwOlgh4l6wrh9UrlserAku2r64EXTMvJiRxC/1Gag9iNIaeOTX:BOwBUx2r64mTMAxCtng8NLpX
Score: 1/10
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence (technique: hit count):
- Browser Extensions: 1
- Event Triggered Execution: 2
- Change Default File Association: 2
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1