Overview

overview

9

Static

static

3

PH Spoofer.exe

windows7-x64

9

PH Spoofer.exe

windows10-2004-x64

9

Resubmissions

28-04-2024 18:37

240428-w9rt9sed4s 9

28-04-2024 18:36

240428-w875vsea56 9

Analysis

  • max time kernel
    60s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PH Spoofer.exe

  • Size

    309KB

  • MD5

    ae570e5768742a572e36ac8d999c03f5

  • SHA1

    9eabf7fdc94adeb65248f7593cd6f0abd1448ef8

  • SHA256

    7db7e8ba889c41199e657fa9d263c5f18830a35bab6b810e267baadae1d938ae

  • SHA512

    8f46023ad4b561f9fcec5c62eba6a384e95b07dca8baeadcce9bf3039a07fb9adc6f2312a386689d291dad26d8f1476b72d8f5f7bc6a62220683f3ef221552e0

  • SSDEEP

    6144:qKjViFkFl/AAGbFd1cUp3AJEFzqlOcWluW4bLcCCQvjQL85d:2rA6Bl7GcCCQvjQL4d

Score
9/10
evasionpersistence

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PH Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\PH Spoofer.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Windows\map.exe C:\Windows\drv.sys
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\map.exe
        C:\Windows\map.exe C:\Windows\drv.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:5616
    • C:\Windows\SysWOW64\netsh.exe
      "netsh.exe" int set int name="Ethernet" disable
      2⤵
        PID:6000
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
      1⤵
      • Modifies data under HKEY_USERS
      PID:3292

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    5
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\drv.sys
      Filesize

      17KB

      MD5

      98da12a2fb220383b1cc34e34f8d9a75

      SHA1

      da8b9a7727e94be93119c794bdba19f0d6082a26

      SHA256

      6af2f917ce46c1ce0cf499d02b15d684c9f0f76018f281abb96d49f62371ffe4

      SHA512

      da173432bc03b4e72ba3e28287824af854fe1dc2ec6b78cd45803467a6e53ab660276acbcf2567f750710bcf35937c2e3b17b85a1140cf24e9f40c9e5f6c452c

      Download Submit
    • C:\Windows\map.exe
      Filesize

      151KB

      MD5

      90de08e941cab777451a9d3484d1038f

      SHA1

      dd236756bee1d6df670a5d16b0c7bfd555eb5680

      SHA256

      0cc27f375e388d45b4d970631815250487e4a58d95797f6d43bf56093695ec8c

      SHA512

      1b6930b621d76c2513f78b9c05eec58cb8c0fc53354fed2c7134d4ecfa7c2356008b92c5329d58052c8a474c1e5b0c153ffc2bb4971523d6083bfaf2c851dcdd

      Download Submit
    • memory/4216-4-0x00000000052F0000-0x0000000005356000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4216-1-0x0000000075340000-0x0000000075AF0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4216-0-0x00000000007E0000-0x0000000000836000-memory.dmp
      Filesize

      344KB

      Download
    • memory/4216-5-0x0000000005DA0000-0x0000000006344000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4216-6-0x0000000075340000-0x0000000075AF0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4216-7-0x00000000052E0000-0x00000000052F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-2-0x00000000052E0000-0x00000000052F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-3-0x0000000005160000-0x0000000005198000-memory.dmp
      Filesize

      224KB

      Download
    • memory/4216-0-0x00000000007E0000-0x0000000000836000-memory.dmp
      Filesize

      344KB

      Download
    • memory/4216-1-0x0000000075340000-0x0000000075AF0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4216-2-0x00000000052E0000-0x00000000052F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4216-3-0x0000000005160000-0x0000000005198000-memory.dmp
      Filesize

      224KB

      Download
    • memory/4216-4-0x00000000052F0000-0x0000000005356000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4216-5-0x0000000005DA0000-0x0000000006344000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4216-6-0x0000000075340000-0x0000000075AF0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4216-7-0x00000000052E0000-0x00000000052F0000-memory.dmp
      Filesize

      64KB

      Download