Analysis
- max time kernel: 60s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 18:37
Static task: static1
Behavioral task: behavioral1
- Sample: PH Spoofer.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: PH Spoofer.exe
- Resource: win10v2004-20240419-en
General
- Target: PH Spoofer.exe
- Size: 309KB
- MD5: ae570e5768742a572e36ac8d999c03f5
- SHA1: 9eabf7fdc94adeb65248f7593cd6f0abd1448ef8
- SHA256: 7db7e8ba889c41199e657fa9d263c5f18830a35bab6b810e267baadae1d938ae
- SHA512: 8f46023ad4b561f9fcec5c62eba6a384e95b07dca8baeadcce9bf3039a07fb9adc6f2312a386689d291dad26d8f1476b72d8f5f7bc6a62220683f3ef221552e0
- SSDEEP: 6144:qKjViFkFl/AAGbFd1cUp3AJEFzqlOcWluW4bLcCCQvjQL85d:2rA6Bl7GcCCQvjQL4d
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: PH Spoofer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | PH Spoofer.exe
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: PH Spoofer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | PH Spoofer.exe
-
Sets service image path in registry (2 TTPs, 1 IoC)
The ImagePath points at an extensionless file in the user's Temp directory rather than at System32\drivers. Together with the SeLoadDriverPrivilege and LoadsDriver entries below for the same map.exe process, this is the driver-loading step of the chain and the registry write to hunt for.
Processes: map.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa1xVPfv" | map.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: PH Spoofer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PH Spoofer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PH Spoofer.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: PH Spoofer.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | PH Spoofer.exe
-
Executes dropped EXE (2 IoCs)
Processes: map.exe
  pid | process
  5616 | map.exe (2 occurrences)
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: PH Spoofer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PH Spoofer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | PH Spoofer.exe
-
Drops file in Windows directory (2 IoCs)
Processes: PH Spoofer.exe
  description | ioc | process
  File created | C:\Windows\fqasf.bin | PH Spoofer.exe
  File created | C:\Windows\asdf.bin | PH Spoofer.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS (1 IoC)
This entry comes from the Netman service host (svchost.exe -s Netman in the process list), not from a process spawned by the sample, so it should not be treated as a sample IoC on its own.
Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes: PH Spoofer.exe
  pid | process
  4216 | PH Spoofer.exe (40 occurrences)
-
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: map.exe
  pid | process
  5616 | map.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: PH Spoofer.exe, map.exe
  description | pid | process
  Token: SeDebugPrivilege | 4216 | PH Spoofer.exe (2 occurrences)
  Token: SeLoadDriverPrivilege | 5616 | map.exe (2 occurrences)
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: PH Spoofer.exe, cmd.exe
  description | pid | process | target process
  PID 4216 wrote to memory of 1740 | 4216 | PH Spoofer.exe | cmd.exe (6 occurrences)
  PID 1740 wrote to memory of 5616 | 1740 | cmd.exe | map.exe (4 occurrences)
  PID 4216 wrote to memory of 6000 | 4216 | PH Spoofer.exe | netsh.exe (6 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\PH Spoofer.exe (PID 4216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PH Spoofer.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (PID 1740, child of 4216)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Windows\map.exe C:\Windows\drv.sys
    (The System32 path in the command line resolves to SysWOW64 through WOW64 file system redirection, consistent with the 32-bit registry view seen in the WOW6432Node keys above.)
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\map.exe (PID 5616, child of 1740)
      Command line: C:\Windows\map.exe C:\Windows\drv.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\netsh.exe (PID 6000, child of 4216)
    Command line: "netsh.exe" int set int name="Ethernet" disable
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS
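The signature and process entries above describe one chain: VM and BIOS fingerprinting from the registry, a service ImagePath written to a file in the user's Temp directory, a driver load under SeLoadDriverPrivilege, and netsh disabling the Ethernet interface. The Python below is an added detection example written for this page; it is not part of the sandbox report and not code from the sample. It runs over constructed Sysmon-style events modelled on the IoCs in this report. The SHA256 values are copied from the General and Downloads sections; the event dictionary shape, the fingerprint-key list, the trusted-directory and netsh heuristics, the two-key threshold and the benign control events are the editor's assumptions.

```python
import re
from collections import defaultdict

# SHA256 values copied from the General and Downloads sections of this report.
KNOWN_SHA256 = {
    "7db7e8ba889c41199e657fa9d263c5f18830a35bab6b810e267baadae1d938ae": "PH Spoofer.exe",
    "6af2f917ce46c1ce0cf499d02b15d684c9f0f76018f281abb96d49f62371ffe4": "drv.sys",
    "0cc27f375e388d45b4d970631815250487e4a58d95797f6d43bf56093695ec8c": "map.exe",
}

# Lower-case suffixes of the registry paths the sample queried to fingerprint the
# host (assumed list; suffix matching covers both the native and the WOW6432Node view).
ANTI_VM_KEY_SUFFIXES = (
    "\\oracle\\virtualbox guest additions",
    "\\vmware, inc.\\vmware tools",
    "\\hardware\\description\\system\\systembiosversion",
    "\\hardware\\description\\system\\videobiosversion",
)

SERVICE_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
# Directories a driver service is expected to point into (assumption).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")
NETSH_IFACE_DISABLE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\bint(?:erface)?\b.*\bdisable\b", re.IGNORECASE)


def normalize_image_path(value):
    """Turn an ImagePath value into a comparable lower-case Win32 path.
    Handles the \\??\\ object-manager prefix seen in this report and the
    \\SystemRoot\\ form that legitimate driver services use."""
    path = value.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    path = re.sub(r"^\\systemroot\\", "c:\\\\windows\\\\", path, flags=re.IGNORECASE)
    return path.lower()


def analyze(events):
    """Return (rule, pid, detail) findings for a list of event dicts.
    Event types: 'reg_query' (key), 'reg_set' (key, value), 'process' (cmdline, sha256)."""
    findings = []
    probes = defaultdict(set)   # pid -> fingerprint keys that process queried
    for ev in events:
        pid, image = ev["pid"], ev["image"]
        if ev["type"] == "reg_query":
            key = ev["key"].lower()
            for suffix in ANTI_VM_KEY_SUFFIXES:
                if key.endswith(suffix):
                    probes[pid].add(suffix)
        elif ev["type"] == "reg_set":
            m = SERVICE_IMAGEPATH.search(ev["key"])
            if m:
                path = normalize_image_path(ev["value"])
                if not path.startswith(TRUSTED_DRIVER_DIRS):
                    findings.append(("driver_service_untrusted_path", pid,
                                     f"{image} set service {m.group(1)} ImagePath to {path}"))
        elif ev["type"] == "process":
            if NETSH_IFACE_DISABLE.search(ev.get("cmdline", "")):
                findings.append(("netsh_interface_disable", pid, ev["cmdline"]))
            known = KNOWN_SHA256.get(ev.get("sha256", "").lower())
            if known:
                findings.append(("known_hash", pid, f"{image} matches report artifact {known}"))
    # One BIOS read is common in legitimate software; two or more distinct
    # fingerprint keys from the same process is the sandbox-evasion signal.
    for pid, keys in probes.items():
        if len(keys) >= 2:
            findings.append(("anti_vm_probe", pid, f"{len(keys)} fingerprint keys queried"))
    return findings


# Constructed events modelled on the IoCs in this report; not sandbox output.
CONSTRUCTED_EVENTS = [
    {"type": "reg_query", "pid": 4216, "image": "PH Spoofer.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions"},
    {"type": "reg_query", "pid": 4216, "image": "PH Spoofer.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools"},
    {"type": "reg_query", "pid": 4216, "image": "PH Spoofer.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "process", "pid": 5616, "image": "map.exe",
     "cmdline": r"C:\Windows\map.exe C:\Windows\drv.sys",
     "sha256": "0cc27f375e388d45b4d970631815250487e4a58d95797f6d43bf56093695ec8c"},
    {"type": "reg_set", "pid": 5616, "image": "map.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath",
     "value": r"\??\C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa1xVPfv"},
    {"type": "process", "pid": 6000, "image": "netsh.exe",
     "cmdline": 'netsh.exe int set int name="Ethernet" disable'},
    # Benign control: a real driver service pointing into System32\drivers.
    {"type": "reg_set", "pid": 1234, "image": "services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\disk\ImagePath",
     "value": r"\SystemRoot\System32\drivers\disk.sys"},
    # Benign control: a single BIOS read by a hardware-info tool, below the threshold.
    {"type": "reg_query", "pid": 2222, "image": "hwinfo.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(CONSTRUCTED_EVENTS):
        print(f"{rule:30} pid={pid:<5} {detail}")
```

Run stand-alone it reports four findings (the known map.exe hash, the untrusted ImagePath, the netsh interface disable and the fingerprint probe by PID 4216) and nothing for the two control events. The ImagePath rule is the one worth keeping in production: a kernel service whose image lives outside System32\drivers is rare on a healthy host, and it fires before the driver actually loads.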
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\drv.sys
  Filesize: 17KB
  MD5: 98da12a2fb220383b1cc34e34f8d9a75
  SHA1: da8b9a7727e94be93119c794bdba19f0d6082a26
  SHA256: 6af2f917ce46c1ce0cf499d02b15d684c9f0f76018f281abb96d49f62371ffe4
  SHA512: da173432bc03b4e72ba3e28287824af854fe1dc2ec6b78cd45803467a6e53ab660276acbcf2567f750710bcf35937c2e3b17b85a1140cf24e9f40c9e5f6c452c
-
C:\Windows\map.exe
  Filesize: 151KB
  MD5: 90de08e941cab777451a9d3484d1038f
  SHA1: dd236756bee1d6df670a5d16b0c7bfd555eb5680
  SHA256: 0cc27f375e388d45b4d970631815250487e4a58d95797f6d43bf56093695ec8c
  SHA512: 1b6930b621d76c2513f78b9c05eec58cb8c0fc53354fed2c7134d4ecfa7c2356008b92c5329d58052c8a474c1e5b0c153ffc2bb4971523d6083bfaf2c851dcdd
-
memory/4216-0-0x00000000007E0000-0x0000000000836000-memory.dmp
  Filesize: 344KB
-
memory/4216-1-0x0000000075340000-0x0000000075AF0000-memory.dmp
  Filesize: 7.7MB
-
memory/4216-2-0x00000000052E0000-0x00000000052F0000-memory.dmp
  Filesize: 64KB
-
memory/4216-3-0x0000000005160000-0x0000000005198000-memory.dmp
  Filesize: 224KB
-
memory/4216-4-0x00000000052F0000-0x0000000005356000-memory.dmp
  Filesize: 408KB
-
memory/4216-5-0x0000000005DA0000-0x0000000006344000-memory.dmp
  Filesize: 5.6MB
-
memory/4216-6-0x0000000075340000-0x0000000075AF0000-memory.dmp
  Filesize: 7.7MB
-
memory/4216-7-0x00000000052E0000-0x00000000052F0000-memory.dmp
  Filesize: 64KB