Resubmissions (1)
- 02-08-2024 14:36, 240802-ryvdssxgqm (score 8)

Analysis
- Max time kernel: 95s
- Max time network: 127s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240802-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 02-08-2024 14:36
Tasks
- Static task: static1
- Behavioral task behavioral1: Spoofers (1).rar on win7-20240708-en
- Behavioral task behavioral2: Spoofers (1).rar on win10v2004-20240802-en
- Behavioral task behavioral3: Spoofers/Full_Loader.rar on win7-20240708-en
- Behavioral task behavioral4: Spoofers/Full_Loader.rar on win10v2004-20240802-en
- Behavioral task behavioral5: 331865B8C33.exe on win7-20240708-en
- Behavioral task behavioral6: 331865B8C33.exe on win10v2004-20240802-en
- Behavioral task behavioral7: VMProtectSDK64.dll on win7-20240705-en
- Behavioral task behavioral8: VMProtectSDK64.dll on win10v2004-20240730-en
- Behavioral task behavioral9: Spoofers/RedEagleSpoofer.zip on win7-20240705-en
- Behavioral task behavioral10: Spoofers/RedEagleSpoofer.zip on win10v2004-20240730-en
- Behavioral task behavioral11: Spoofers/Unbranded.rar on win7-20240708-en
- Behavioral task behavioral12: Spoofers/Unbranded.rar on win10v2004-20240802-en
- Behavioral task behavioral13: 9670B438E96.exe on win7-20240704-en
- Behavioral task behavioral14: 9670B438E96.exe on win10v2004-20240730-en
- Behavioral task behavioral15: Serial Checker/Checker.exe on win7-20240704-en
- Behavioral task behavioral16: Serial Checker/Checker.exe on win10v2004-20240802-en
- Behavioral task behavioral17: Serial Checker/VMProtectSDK64.dll on win7-20240705-en
- Behavioral task behavioral18: Serial Checker/VMProtectSDK64.dll on win10v2004-20240730-en
- Behavioral task behavioral19: VMProtectSDK64.dll on win7-20240705-en
- Behavioral task behavioral20: VMProtectSDK64.dll on win10v2004-20240802-en
General
- Target: Serial Checker/Checker.exe
- Size: 409KB
- MD5: 5ae052bc0a1c37418eb07b02de4ac4ae
- SHA1: 41be7d4bd78144784b4b35694d72c0f321f0e324
- SHA256: afccfaac810fbb349b1ad9c770ba8256f7f726fc2ca327d49f6f5ab0240ee265
- SHA512: 91db77b0a6184a066430f89ce68e8ed3e6ce80d33843d4bbb07a467d9a164f63db2e3d7bcf2b32e65e890b30099f0da7c5ac28134af026f309ae9366f4391ce2
- SSDEEP: 6144:/NTbbNcOmdeyytlrL0QRWd09EaP0LS/6SrIR+Nk04XA:V0MyyD0QRWd09L8LTSrp4
Malware Config
Signatures
- Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (process: Checker.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3796 Checker.exe (two events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens adjusted, in the order recorded (pid Process: Token list):
  PID 5008 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 5008 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 4964 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (42 IoCs)
  Each write below is recorded twice in the report (pid Process -> target PID, procid_target):
  3796 Checker.exe -> 1708 (83)
  3796 Checker.exe -> 5016 (84)
  3796 Checker.exe -> 4032 (85)
  4032 cmd.exe -> 5008 (86)
  3796 Checker.exe -> 2356 (88)
  2356 cmd.exe -> 4964 (89)
  3796 Checker.exe -> 3564 (90)
  3564 cmd.exe -> 1244 (91)
  3796 Checker.exe -> 3848 (92)
  3848 cmd.exe -> 1372 (93)
  3796 Checker.exe -> 1324 (94)
  1324 cmd.exe -> 1048 (95)
  3796 Checker.exe -> 1688 (96)
  1688 cmd.exe -> 4040 (97)
  3796 Checker.exe -> 3340 (98)
  3340 cmd.exe -> 744 (99)
  3796 Checker.exe -> 1508 (100)
  3796 Checker.exe -> 3872 (101)
  3872 cmd.exe -> 692 (102)
  3796 Checker.exe -> 4460 (103)
  4460 cmd.exe -> 2180 (104)
Processes
- C:\Users\Admin\AppData\Local\Temp\Serial Checker\Checker.exe (PID 3796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Serial Checker\Checker.exe"
  Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1708): C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 5016): C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 4032): C:\Windows\system32\cmd.exe /c wmic diskdrive get name, serialnumber
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 5008): wmic diskdrive get name, serialnumber
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2356): C:\Windows\system32\cmd.exe /c wmic logicaldisk get name, volumeserialnumber
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4964): wmic logicaldisk get name, volumeserialnumber
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3564): C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1244): wmic csproduct get uuid
  - C:\Windows\system32\cmd.exe (PID 3848): C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1372): wmic baseboard get serialnumber
  - C:\Windows\system32\cmd.exe (PID 1324): C:\Windows\system32\cmd.exe /c wmic systemenclosure get serialnumber
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1048): wmic systemenclosure get serialnumber
  - C:\Windows\system32\cmd.exe (PID 1688): C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where 'PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'' get MacAddress
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4040): wmic path Win32_NetworkAdapter where 'PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'' get MacAddress
  - C:\Windows\system32\cmd.exe (PID 3340): C:\Windows\system32\cmd.exe /c wmic cpu get partnumber,serialnumber, ProcessorId
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 744): wmic cpu get partnumber,serialnumber, ProcessorId
  - C:\Windows\system32\cmd.exe (PID 1508): C:\Windows\system32\cmd.exe /c nvidia-smi -L
  - C:\Windows\system32\cmd.exe (PID 3872): C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 692): wmic memorychip get serialnumber
  - C:\Windows\system32\cmd.exe (PID 4460): C:\Windows\system32\cmd.exe /c wmic os get SerialNumber
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2180): wmic os get SerialNumber