70b41cce6374eff0ca9eb628a3382ecee8606648edb1e09a3cb0ccc19664889a

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoofer.exe
Size

7.1MB
MD5

4870de8e69ae71b5bb7e6f963485eb6d
SHA1

fae7344db02e3ffe39c9541c64fde514935e3b70
SHA256

70b41cce6374eff0ca9eb628a3382ecee8606648edb1e09a3cb0ccc19664889a
SHA512

47f7f78fdd6f037460c44619090f43dbf463eeb59e402199a4f39388c0248a183a4627c93a02fbf192b01a290665f38a5cf077fcf244fcb8b72020df0e882d00
SSDEEP

196608:mHw0FtCBAQ0ykKHvQ+0y/ZWmKGYfQhlIM:m/yPPQ+XRWmxYKIM

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
1940	msedge.exe
1940	msedge.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	taskmgr.exe
Token: SeSystemProfilePrivilege	3788	taskmgr.exe
Token: SeCreateGlobalPrivilege	3788	taskmgr.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe
3788	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 4060	1940	msedge.exe	96
PID 1940 wrote to memory of 4060	1940	msedge.exe	96
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 3136	1940	msedge.exe	97
PID 1940 wrote to memory of 5112	1940	msedge.exe	98
PID 1940 wrote to memory of 5112	1940	msedge.exe	98
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99
PID 1940 wrote to memory of 3408	1940	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
1⤵
PID:2116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff12ef46f8,0x7fff12ef4708,0x7fff12ef4718
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10910256639692242853,16567556859354199738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
07e76a441e65e326ff52cde00a348617

SHA1
0d83e48220f044b788956aae1250528317b33f0e

SHA256
e98793a85bc0beb2f5ad3c8aaf70da3bf1bc086d64c9edb37f2981be2a337deb

SHA512
6d006baa39836edd14809daff05ff0e312f06ab20dcabc7a0f26f30e5eb46dd3f2c6ae214b81539f9488a02f2a786e6880a1cf799615320cc5348b7dcb86e1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25dfb3778efbd421908b2dd5eba9ba29

SHA1
11892c72cc2f4fa10db5d04b8dee81d611d0317b

SHA256
8d028e806dbb7adad3c49a448017ea325cae38e70540e03f2e330ea8e7cee6d7

SHA512
f2b5262ddb1e610f86daa969d07df99bc5f5f242af9f303839ab6d2b7593d0077d741ffd77129cfe735c0233c1878702526bd861c091faad6ddf973e1a631506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
50b3c23b04286d51be5875c72a785241

SHA1
07ec96a8718436e474a4ff50da03f616323a8840

SHA256
2a5a45b16eababaa4be3166aa52c20046fd1a39db409b0acb5c728cab4ee57c6

SHA512
1cedef39049a68ab3b67d8fccbb63269a52441a7180c96266e6c69fa62ebab518d57dbee484cb7a39d9669a37d2fce1a43c8ce055ea7d6cb6bd54c68b0272a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/3788-99-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-98-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-100-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-104-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-105-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-108-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-110-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-109-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-107-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download
memory/3788-106-0x000001FB22F50000-0x000001FB22F51000-memory.dmp

Filesize
4KB

Download