Analysis
-
max time kernel
165s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 21:48
General
-
Target
SpySheriff.exe
-
Size
403KB
-
MD5
c899f93e8b753fedd068ef3fe2edb0fd
-
SHA1
144b1f18d0e307d14937c21ca1d7cbfc91828a10
-
SHA256
5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47
-
SHA512
1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b
-
SSDEEP
12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 29 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpySheriff\SpySheriff.lnkFilesize
1KB
MD5eae27256599687d54e0dbb9253b3d5e0
SHA18c69dffff1952fe4050d6da8a28c1e307037f5ab
SHA256dec524a0e047255455e07e0afaa0e188a7123fb45df0919079e1f0649da7a501
SHA51234f0827566ef47dff7eb0b2d0d887ebed073e095a8b5d62db3613f3637106a8f8befc20a9540208a5690916d5a893b564b032e8175a8c6cedcea48d95c834b78
-
memory/1728-9-0x00000000210A0000-0x00000000210C4000-memory.dmpFilesize
144KB
-
memory/1728-8-0x0000000020700000-0x0000000020723000-memory.dmpFilesize
140KB
-
memory/1728-7-0x000000001F220000-0x000000001F246000-memory.dmpFilesize
152KB
-
memory/1728-6-0x000000001DF20000-0x000000001DF48000-memory.dmpFilesize
160KB
-
memory/1728-5-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1728-30-0x00000000210A0000-0x00000000210C4000-memory.dmpFilesize
144KB
-
memory/1728-29-0x0000000020700000-0x0000000020723000-memory.dmpFilesize
140KB
-
memory/1728-26-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1728-28-0x000000001F220000-0x000000001F246000-memory.dmpFilesize
152KB
-
memory/1728-27-0x000000001DF20000-0x000000001DF48000-memory.dmpFilesize
160KB
-
memory/1728-46-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB