483e02070a99b6810672383e592acf1b4be875d4ae79ba7edfa2ee4ebe34397c

Analysis

max time kernel
55s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BW-Spoofer.exe
Size

608KB
MD5

bea156d9a83554610312d0c21bdfb1b9
SHA1

d38a692bab49d99192a671bbbde9725df94aaf95
SHA256

483e02070a99b6810672383e592acf1b4be875d4ae79ba7edfa2ee4ebe34397c
SHA512

c546916ea4d3fcbe0f1f846709ab6ff5aadd3d1d96371e47f66ae97dbbc4d8907b5015ee79f9c05b7fa2358263cf4f73050797b10a5a70ebff64c093ce6d3a86
SSDEEP

12288:JbjerP5mgxqAALa4UVCwvjnATXzWwJyiqdCyER:JbaVmgxbAOqwvjArzWwIdCyER

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
63	discord.com
64	discord.com
65	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe
1600	BW-Spoofer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3488	1600	BW-Spoofer.exe	93
PID 1600 wrote to memory of 3488	1600	BW-Spoofer.exe	93
PID 3488 wrote to memory of 1640	3488	cmd.exe	94
PID 3488 wrote to memory of 1640	3488	cmd.exe	94
PID 3488 wrote to memory of 1160	3488	cmd.exe	95
PID 3488 wrote to memory of 1160	3488	cmd.exe	95
PID 3488 wrote to memory of 1632	3488	cmd.exe	96
PID 3488 wrote to memory of 1632	3488	cmd.exe	96
PID 1600 wrote to memory of 2028	1600	BW-Spoofer.exe	97
PID 1600 wrote to memory of 2028	1600	BW-Spoofer.exe	97
PID 1600 wrote to memory of 4612	1600	BW-Spoofer.exe	98
PID 1600 wrote to memory of 4612	1600	BW-Spoofer.exe	98
PID 1600 wrote to memory of 1780	1600	BW-Spoofer.exe	99
PID 1600 wrote to memory of 1780	1600	BW-Spoofer.exe	99
PID 1600 wrote to memory of 4912	1600	BW-Spoofer.exe	100
PID 1600 wrote to memory of 4912	1600	BW-Spoofer.exe	100

C:\Users\Admin\AppData\Local\Temp\BW-Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\BW-Spoofer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer.exe" MD5
    3⤵
    PID:1640
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1160
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color D
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
  2⤵
  PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3760 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
1⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=1036 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
1⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5680 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
1⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5892 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
1⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6020 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
1⤵
PID:3984

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\01f0a5a070724797acf25ae702dabab2 /t 3180 /p 2448
1⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2e0,0x7ff97c662e98,0x7ff97c662ea4,0x7ff97c662eb0
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2700 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3312 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3420 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4624 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4652 --field-trial-handle=2704,i,17122568515844153901,5287079611511860595,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
869d07c16da277576b919f499177b7d7

SHA1
7237b4b26bf2a5d8994d1bf1bc06080dfd90c4d4

SHA256
8345b8d698393d39f9e6f5ffe640ac43d89dfb8c373ac42f753e7c519534ce61

SHA512
77f9f62ca6cccca792d3b0019d5ca3355b724847b6356a878661c7d183b4c1a983c21aefb1844c96ddb64ca06bac53a0655c93fa16936c9961f665b9aaf43943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
287f271a60827b5a1cc141004b9a5063

SHA1
88e8cb433a50a66216471764c694bb5e70b55bbc

SHA256
00e1e1283f568157b7eb6d95bc9bbb72c28ac88ac8860db0e185d65a14fb6bcd

SHA512
ff9c5be7b7c095790bf09fa08cc35daacd9ffc2ea741f43fc3074bed3e7c81d41790a4b4aa3ab67901bdfce186e2a8ab2ff2484b03220285122556666cea574c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a698fb825c46d25efe9f7df917c17579

SHA1
4ee9dfb36db4984fc7ed568283bc511a4a328470

SHA256
b8ae64d8aafb8f25ddea7823fa8fcf12583d1e15c94ecd12b94788380ad11415

SHA512
783f79b29e97bd968038b6e9b069785f669a944cc57404ec5f3387fed37ecae064d941bdc32bc3b8cff7eb2b3af7db38abebb086bdedeb0bb743d408eb359755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
067b22ddee5340b0632b29c8c83f6b87

SHA1
283291d018e2f9911827b1ecc922ff9819f7cb9f

SHA256
a70d5cbd9b8b1060dcac318b1cab40b0437b6be2d550c33272e6de1e43141474

SHA512
041f9a379defa51bbce231674f878abccc8ee25e198c6a61daece03b702aa391c7d0884fa28cad0d645756eabd60f0eb2259035d669bcc993b69cd44e9f79fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
798db9fcbfc438ade7e4dba26cea8a0b

SHA1
0b2aeeb277d1beb64634091164a856a38a29401a

SHA256
23a42c5f34aa1852a99849bf1da9eb606dbad5e600b95bb963a2116b610607b9

SHA512
ed7ab73b08136a057ba7401d944856207fd1302abcdca26aa50680d9c27a778d4a3ca5802aa627bfe83f0200b006a573041b31657f0b932ba9a747612cb1b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
4cf0a7b58ff34f3e4f6c469d735fd7c5

SHA1
acb17bb074ac3c38709d77bc581b86883f3fd4de

SHA256
efd0348e72e8f6569c626879cc96dff235f99ca471cc7b3bd567230de8ef4540

SHA512
6157554458f5323e341646cc408fe1f2ada8cb6f389b4d58d4fe4e8d7cf7a4291be6d8557831adb6deb0b6889a326a3c0cd6d799525926e1d1d857c7d25e0870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
60KB

MD5
97e3528297b764684fd18bcfe1201a41

SHA1
8dd0efab5d6874c7870fdf607c6ede683706890e

SHA256
6ea8d8303fc2192980c9b4800a0b91f6ff6a9b3f9043cb40ff55b267922c3f9c

SHA512
8f2bfc952996ad0f9f1665adde2b7134d2b225dcb7a6fef8dc0fc269ab6bb0f3a53ef61f82b12ae84734f29f6757c42ef883c8baf08b9f0cbc0b93c3c89579dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
f704820d3037c0ddbc0c87ca6e2d267a

SHA1
4a4b420ac6fc5c0342e50621224d62639293e1cf

SHA256
d2bd0a4ebcaa548867c7b20bc9009a6998f8a91c0a113d6494474d7b884858bd

SHA512
2e1800eb8c2e164a5de455e31512ff61a718ccc0b3f194258b6be23389586ca0303ba90548360590c296521075051a3f43475f6b214f068e18c277e339dcb90f

Download Submit