Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 21:47
Behavioral task: behavioral1
- Sample: SpyderCrypter.exe
- Resource: win7-20240221-en
General
- Target: SpyderCrypter.exe
- Size: 4.8MB
- MD5: b3fb79184d1097420fb68b0240df9660
- SHA1: 60fcb2b85867b247bb5c622f121e4ab208c7da9c
- SHA256: 8babb9a5318d0b2fa43d6c18e91a23a70de547243db91f866e50bb2ff1b7db8b
- SHA512: 130ecef6b8d4418784dafa341277b214693c0d1849e6cf04a87193eb413b3ae0cef7eeb3124494a8bca33ffb2d1b27f875adeadbae1aea3d2ff767710471807e
- SSDEEP: 98304:FYh322d2m5YhkvxW/gGfoq8Np9qAX7z3z9CW6dwFdkyRYq/:FYhGy2tqvpoT8NvzJTp/
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload 1 IoCs
  Processes:
    resource | yara_rule
    behavioral1/memory/2952-21-0x0000000005750000-0x0000000005964000-memory.dmp | family_agenttesla
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: SpyderCrypter.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SpyderCrypter.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: SpyderCrypter.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SpyderCrypter.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SpyderCrypter.exe
- Executes dropped EXE 1 IoCs
  Processes: SpyderResources.exe
    pid | process
    2992 | SpyderResources.exe
- Loads dropped DLL 6 IoCs
  Processes: SpyderCrypter.exe, WerFault.exe
    pid | process
    2952 | SpyderCrypter.exe
    2664 | WerFault.exe
    2664 | WerFault.exe
    2664 | WerFault.exe
    2664 | WerFault.exe
    2664 | WerFault.exe
- Themida
  Processes:
    resource | yara_rule
    behavioral1/memory/2952-18-0x0000000000E80000-0x000000000188C000-memory.dmp | themida
    behavioral1/memory/2952-19-0x0000000000E80000-0x000000000188C000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  Processes: SpyderCrypter.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SpyderCrypter.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Program crash 1 IoCs
  Processes: WerFault.exe
    pid | pid_target | process | target process
    2664 | 2992 | WerFault.exe | SpyderResources.exe
- Enumerates system info in registry 2 TTPs 3 IoCs
  Processes: SpyderCrypter.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SpyderCrypter.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SpyderCrypter.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | SpyderCrypter.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: SpyderCrypter.exe
    description | pid | process
    Token: SeDebugPrivilege | 2952 | SpyderCrypter.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: SpyderCrypter.exe, SpyderResources.exe
    description | pid | process | target process
    PID 2952 wrote to memory of 2992 | 2952 | SpyderCrypter.exe | SpyderResources.exe
    PID 2952 wrote to memory of 2992 | 2952 | SpyderCrypter.exe | SpyderResources.exe
    PID 2952 wrote to memory of 2992 | 2952 | SpyderCrypter.exe | SpyderResources.exe
    PID 2952 wrote to memory of 2992 | 2952 | SpyderCrypter.exe | SpyderResources.exe
    PID 2992 wrote to memory of 2664 | 2992 | SpyderResources.exe | WerFault.exe
    PID 2992 wrote to memory of 2664 | 2992 | SpyderResources.exe | WerFault.exe
    PID 2992 wrote to memory of 2664 | 2992 | SpyderResources.exe | WerFault.exe
    PID 2992 wrote to memory of 2664 | 2992 | SpyderResources.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe"
  PID: 2952
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe (depth 2, child of PID 2952)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe"
    PID: 2992
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, child of PID 2992)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 592
      PID: 2664
      Signatures:
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\SpyderResources.exe
  Filesize: 11KB
  MD5: cc132ca7e1cf77db1a3e737260fcf14b
  SHA1: f6058656d44e95c23071251b278bc779a88083da
  SHA256: 4c62d4e150f91dc3fdd1f29c955763c52f357045b1a2edf98ac272631dfdb210
  SHA512: 52e64fdf7acf08525ddb352b0dd0b6ca3df8d8f13fa09dcd31c270c4e2040f2361c04ba56915cd05539f581df712562537239fbc942131cc725502af6d010fee
- memory/2952-21-0x0000000005750000-0x0000000005964000-memory.dmp
  Filesize: 2.1MB
- memory/2952-42-0x0000000075F00000-0x0000000075F47000-memory.dmp
  Filesize: 284KB
- memory/2952-9-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-10-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-8-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-7-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-13-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-16-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-22-0x0000000006C80000-0x0000000006D30000-memory.dmp
  Filesize: 704KB
- memory/2952-14-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-12-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-11-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-6-0x0000000075F00000-0x0000000075F47000-memory.dmp
  Filesize: 284KB
- memory/2952-17-0x0000000074430000-0x0000000074B1E000-memory.dmp
  Filesize: 6.9MB
- memory/2952-18-0x0000000000E80000-0x000000000188C000-memory.dmp
  Filesize: 10.0MB
- memory/2952-19-0x0000000000E80000-0x000000000188C000-memory.dmp
  Filesize: 10.0MB
- memory/2952-20-0x0000000005430000-0x0000000005470000-memory.dmp
  Filesize: 256KB
- memory/2952-0-0x0000000000E80000-0x000000000188C000-memory.dmp
  Filesize: 10.0MB
- memory/2952-15-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-23-0x0000000005430000-0x0000000005470000-memory.dmp
  Filesize: 256KB
- memory/2952-40-0x0000000000E80000-0x000000000188C000-memory.dmp
  Filesize: 10.0MB
- memory/2952-51-0x0000000005430000-0x0000000005470000-memory.dmp
  Filesize: 256KB
- memory/2952-49-0x0000000005430000-0x0000000005470000-memory.dmp
  Filesize: 256KB
- memory/2952-48-0x0000000074430000-0x0000000074B1E000-memory.dmp
  Filesize: 6.9MB
- memory/2952-45-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-1-0x0000000075F00000-0x0000000075F47000-memory.dmp
  Filesize: 284KB
- memory/2952-43-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-44-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-2-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-47-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2952-46-0x0000000076030000-0x0000000076140000-memory.dmp
  Filesize: 1.1MB
- memory/2992-34-0x0000000000490000-0x000000000049A000-memory.dmp
  Filesize: 40KB
- memory/2992-33-0x0000000074430000-0x0000000074B1E000-memory.dmp
  Filesize: 6.9MB
- memory/2992-31-0x0000000001300000-0x000000000130A000-memory.dmp
  Filesize: 40KB
- memory/2992-32-0x0000000000460000-0x000000000047A000-memory.dmp
  Filesize: 104KB
- memory/2992-52-0x0000000074430000-0x0000000074B1E000-memory.dmp
  Filesize: 6.9MB
- memory/2992-53-0x0000000004900000-0x0000000004940000-memory.dmp
  Filesize: 256KB
- memory/2992-62-0x0000000074430000-0x0000000074B1E000-memory.dmp
  Filesize: 6.9MB