Overview
overview
9Static
static
9Spoof Inst...ew.chm
windows7-x64
1Spoof Inst...ew.chm
windows10-2004-x64
1Spoof Inst...ew.exe
windows7-x64
6Spoof Inst...ew.exe
windows10-2004-x64
6Spoof Inst...pt.ps1
windows7-x64
3Spoof Inst...pt.ps1
windows10-2004-x64
3Spoof Inst...ID.cmd
windows7-x64
1Spoof Inst...ID.cmd
windows10-2004-x64
1Spoof Inst...id.exe
windows7-x64
3Spoof Inst...id.exe
windows10-2004-x64
3Spoof Inst...64.exe
windows7-x64
1Spoof Inst...64.exe
windows10-2004-x64
1Spoof Inst...me.bat
windows7-x64
3Spoof Inst...me.bat
windows10-2004-x64
7Spoof Inst...sk.exe
windows7-x64
5Spoof Inst...sk.exe
windows10-2004-x64
5Spoof Inst...ch.exe
windows7-x64
7Spoof Inst...ch.exe
windows10-2004-x64
7Spoof Inst...gs.vbs
windows7-x64
3Spoof Inst...gs.vbs
windows10-2004-x64
1Spoof Inst...ol.exe
windows7-x64
7Spoof Inst...ol.exe
windows10-2004-x64
7Spoof Inst...he.bat
windows7-x64
1Spoof Inst...he.bat
windows10-2004-x64
1Spoof Inst...or.url
windows7-x64
1Spoof Inst...or.url
windows10-2004-x64
1Spoof Inst...on.bat
windows7-x64
8Spoof Inst...on.bat
windows10-2004-x64
8Spoof Inst...er.exe
windows7-x64
6Spoof Inst...er.exe
windows10-2004-x64
6Spoof Inst...le.exe
windows7-x64
6Spoof Inst...le.exe
windows10-2004-x64
6Analysis
-
max time kernel
141s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02-08-2024 21:28
Behavioral task
behavioral1
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Spoof Instructions/Spoof Toolz/Reg_Script.ps1
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
Spoof Instructions/Spoof Toolz/Reg_Script.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Spoof Instructions/Toolz/Activate Win10Home.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
Spoof Instructions/Toolz/Activate Win10Home.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Spoof Instructions/Toolz/AnyDesk.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
Spoof Instructions/Toolz/AnyDesk.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Spoof Instructions/Toolz/DNSBench.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
Spoof Instructions/Toolz/DNSBench.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Spoof Instructions/Toolz/Defender Control/dControl.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
Spoof Instructions/Toolz/Defender Control/dControl.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Spoof Instructions/Toolz/DelUSBCache.bat
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
Spoof Instructions/Toolz/DelUSBCache.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Spoof Instructions/Toolz/Free Online GUID Generator.url
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
Spoof Instructions/Toolz/Free Online GUID Generator.url
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Spoof Instructions/Toolz/GeoLocation.bat
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
Spoof Instructions/Toolz/GeoLocation.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
-
Size
318KB
-
MD5
bcd6161b343dc8720e162a767f43cef3
-
SHA1
b9e93c755a04407b14998cc3a3c0daa6b01bb3eb
-
SHA256
ea0a403721dabdf04450c835667facc68a5434989263bea3701de6c9eb784a4d
-
SHA512
7cf62ce9eca4405c75f6e8db0b025bc7075fdb52e95e74e27c6910c9ee3c738ae457b0eadfa5f60f3378b651f6a3cf7fe12a8c261fc9822da782606eb4b3e4bb
-
SSDEEP
6144:wEUX9TD12SFJs/Sqh9gfvVSYi7oVG8mmJdn6:wEQBs/SqhW8YwP
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: PrivaZer.exe File opened (read-only) \??\G: PrivaZer.exe File opened (read-only) \??\I: PrivaZer.exe File opened (read-only) \??\K: PrivaZer.exe File opened (read-only) \??\O: PrivaZer.exe File opened (read-only) \??\N: PrivaZer.exe File opened (read-only) \??\R: PrivaZer.exe File opened (read-only) \??\S: PrivaZer.exe File opened (read-only) \??\A: PrivaZer.exe File opened (read-only) \??\B: PrivaZer.exe File opened (read-only) \??\H: PrivaZer.exe File opened (read-only) \??\M: PrivaZer.exe File opened (read-only) \??\W: PrivaZer.exe File opened (read-only) \??\Y: PrivaZer.exe File opened (read-only) \??\Z: PrivaZer.exe File opened (read-only) \??\L: PrivaZer.exe File opened (read-only) \??\P: PrivaZer.exe File opened (read-only) \??\Q: PrivaZer.exe File opened (read-only) \??\U: PrivaZer.exe File opened (read-only) \??\E: PrivaZer.exe File opened (read-only) \??\J: PrivaZer.exe File opened (read-only) \??\T: PrivaZer.exe File opened (read-only) \??\X: PrivaZer.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe -
Loads dropped DLL 3 IoCs
pid Process 2356 PrivaZerPortable.exe 2356 PrivaZerPortable.exe 2356 PrivaZerPortable.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrivaZerPortable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrivaZer.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier PrivaZer.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000808730f970e5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000b257fa70e5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers." SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD." SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2356 PrivaZerPortable.exe 2788 PrivaZer.exe 2788 PrivaZer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeManageVolumePrivilege 2308 SearchIndexer.exe Token: 33 2308 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2308 SearchIndexer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2788 PrivaZer.exe 2788 PrivaZer.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2788 PrivaZer.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 2788 PrivaZer.exe 2788 PrivaZer.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe 1880 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2788 2356 PrivaZerPortable.exe 31 PID 2356 wrote to memory of 2788 2356 PrivaZerPortable.exe 31 PID 2356 wrote to memory of 2788 2356 PrivaZerPortable.exe 31 PID 2356 wrote to memory of 2788 2356 PrivaZerPortable.exe 31 PID 2308 wrote to memory of 1880 2308 SearchIndexer.exe 33 PID 2308 wrote to memory of 1880 2308 SearchIndexer.exe 33 PID 2308 wrote to memory of 1880 2308 SearchIndexer.exe 33 PID 2308 wrote to memory of 2516 2308 SearchIndexer.exe 34 PID 2308 wrote to memory of 2516 2308 SearchIndexer.exe 34 PID 2308 wrote to memory of 2516 2308 SearchIndexer.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\PrivaZerPortable.exe"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\PrivaZerPortable.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2788
-
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1880
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 5162⤵
- Modifies data under HKEY_USERS
PID:2516
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD5017ace9bd07611b1a4728ce71fce9777
SHA17f13c6af85be9e54d1dff99576e0a071083a0f90
SHA256ff97c5548e7471cf5df397e9a69504e2abc66ff5c7d702e9cc99341e5c63edf7
SHA512d4d79bce57e06fa6d44b985d306d6d3e718aff83b88991f6624d4905f97698fe8b56515cb9f356fc3dc648c9a0f1e7f4e99f92b84feabb6d2f104439f6cfe8ed
-
Filesize
28KB
MD541307bb0634da41c6f7a3af2e2bda5dd
SHA134e3aa27f85502009da8a21955d9060873986128
SHA2567094fb1eb7fb766c2667d25ab86e61181df44d621f6a633ae0c74aeacfa3285d
SHA5124d63db1505a165c605be6e6320926c1afc9c3ef5a0b0d3f4f7b25f33d49a095f8f003c86a545c0c22ea4a89016da89043e3ed4a7abffb285866d8e212e41c9e1
-
Filesize
33B
MD5b2ec006c3e67b6bd9129fe5e5fbe7b27
SHA143ad64edcb9e6cb1f2aa597ce5ff44d1b2e178c4
SHA2562d7bcda4007dc91377a9856cde2afc8dde9431514c46317f9235d2847e9249ab
SHA51262e8776de89c07f99911f4de5d4b17cf1342d45693311e49d62195bb01b1d1b2731a0c0fc7f50caa9e5379d013d286292eb54e46d0a00a6b1bc16d828d60edc0
-
Filesize
140B
MD556d8dc890dacb6adcbd4c3afd348c276
SHA1e4217b69c54fd73d3cda21193c4c143dbf28c652
SHA25638379e07709c9aa128a17bc71505715f19727587e962a97f921dd911a262ea66
SHA512c6b6541454e642e93aaf69461d9e5e84bb0b780a0baa10ed9d5804349a8d002345ff5cb775c929647f07572e3eadb5467579e988b4d41bc01e6547ac3732b2ad
-
Filesize
628B
MD5e68f2ad31f23af7aa2143d8c3a2b35fa
SHA1945584d2b702882f18609f709a92256935903684
SHA2569d707e1933f7bea73456eb24c8b8d1e69a37bfabd5c701667f5f0267a71b2699
SHA5123f0c4cfe2388a2656df2ff1b5257d87cd7c258dcd3994ec201b5646192adbba3c7890122237a1f4aba40cba95bebe60ec0a99fef53f0fcdec5ebee16bbac024b
-
Filesize
11KB
MD5bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
Filesize
11KB
MD5b5358341df2cb171876a5f201e31a834
SHA1df34750ea5504274be5ff8ddd306b49e302d04f9
SHA256156b9b583399faf13c4d46b89339fb0f7f38dc847ac2d7872178d8e3998b9734
SHA512821dc42e24fa2d44a1d4d16b26c3da2688dac0fa44a266e38da2aff706c91440d83a87abc74131930e6c38a44a0c5e627db2d045375fde147e0edd3276f4b014