ac4eaeb2bb589ce4c07fffb410b00ab719acb3a4141e41b220865f317062337c

Analysis

max time kernel
8s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Generic_Spoofer.exe
Size

20.6MB
MD5

82e930eaeb0cb97af4783a8133766620
SHA1

fa706352ea841b0be4f82720886ad88cab4b88ee
SHA256

ac4eaeb2bb589ce4c07fffb410b00ab719acb3a4141e41b220865f317062337c
SHA512

ab1182282c85e2b871e4d1019bc23d001d6b101a381179c14cf6f1f7a74716941f620b094ca813873d6cb209752984b60e5f918be390d0aa0f1b942dfcba5ae4
SSDEEP

393216:Nrmreuv9fsv45wwie48CQN3IINqJqYMK/JgL/AeM2UM2LTbCDEqi687:Ru1fsv45TNrN4//mZMu2b

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
608	timeout.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
2020	taskkill.exe
1988	taskkill.exe
752	taskkill.exe
2312	taskkill.exe
2596	taskkill.exe
3004	taskkill.exe
2776	taskkill.exe
2168	taskkill.exe
2856	taskkill.exe
380	taskkill.exe
1312	taskkill.exe
1132	taskkill.exe
2116	taskkill.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe
1344	Generic_Spoofer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2348	1344	Generic_Spoofer.exe	31
PID 1344 wrote to memory of 2348	1344	Generic_Spoofer.exe	31
PID 1344 wrote to memory of 2348	1344	Generic_Spoofer.exe	31
PID 2348 wrote to memory of 3004	2348	cmd.exe	32
PID 2348 wrote to memory of 3004	2348	cmd.exe	32
PID 2348 wrote to memory of 3004	2348	cmd.exe	32
PID 1344 wrote to memory of 2732	1344	Generic_Spoofer.exe	35
PID 1344 wrote to memory of 2732	1344	Generic_Spoofer.exe	35
PID 1344 wrote to memory of 2732	1344	Generic_Spoofer.exe	35
PID 2732 wrote to memory of 2020	2732	cmd.exe	36
PID 2732 wrote to memory of 2020	2732	cmd.exe	36
PID 2732 wrote to memory of 2020	2732	cmd.exe	36
PID 1344 wrote to memory of 2600	1344	Generic_Spoofer.exe	39
PID 1344 wrote to memory of 2600	1344	Generic_Spoofer.exe	39
PID 1344 wrote to memory of 2600	1344	Generic_Spoofer.exe	39
PID 2600 wrote to memory of 2596	2600	cmd.exe	40
PID 2600 wrote to memory of 2596	2600	cmd.exe	40
PID 2600 wrote to memory of 2596	2600	cmd.exe	40
PID 1344 wrote to memory of 2652	1344	Generic_Spoofer.exe	41
PID 1344 wrote to memory of 2652	1344	Generic_Spoofer.exe	41
PID 1344 wrote to memory of 2652	1344	Generic_Spoofer.exe	41
PID 1344 wrote to memory of 2720	1344	Generic_Spoofer.exe	42
PID 1344 wrote to memory of 2720	1344	Generic_Spoofer.exe	42
PID 1344 wrote to memory of 2720	1344	Generic_Spoofer.exe	42
PID 1344 wrote to memory of 1060	1344	Generic_Spoofer.exe	43
PID 1344 wrote to memory of 1060	1344	Generic_Spoofer.exe	43
PID 1344 wrote to memory of 1060	1344	Generic_Spoofer.exe	43
PID 2720 wrote to memory of 2328	2720	cmd.exe	44
PID 2720 wrote to memory of 2328	2720	cmd.exe	44
PID 2720 wrote to memory of 2328	2720	cmd.exe	44
PID 2720 wrote to memory of 2888	2720	cmd.exe	45
PID 2720 wrote to memory of 2888	2720	cmd.exe	45
PID 2720 wrote to memory of 2888	2720	cmd.exe	45
PID 2720 wrote to memory of 2204	2720	cmd.exe	46
PID 2720 wrote to memory of 2204	2720	cmd.exe	46
PID 2720 wrote to memory of 2204	2720	cmd.exe	46
PID 1060 wrote to memory of 1988	1060	cmd.exe	47
PID 1060 wrote to memory of 1988	1060	cmd.exe	47
PID 1060 wrote to memory of 1988	1060	cmd.exe	47
PID 1344 wrote to memory of 664	1344	Generic_Spoofer.exe	48
PID 1344 wrote to memory of 664	1344	Generic_Spoofer.exe	48
PID 1344 wrote to memory of 664	1344	Generic_Spoofer.exe	48
PID 664 wrote to memory of 752	664	cmd.exe	49
PID 664 wrote to memory of 752	664	cmd.exe	49
PID 664 wrote to memory of 752	664	cmd.exe	49
PID 1344 wrote to memory of 2996	1344	Generic_Spoofer.exe	50
PID 1344 wrote to memory of 2996	1344	Generic_Spoofer.exe	50
PID 1344 wrote to memory of 2996	1344	Generic_Spoofer.exe	50
PID 2996 wrote to memory of 2312	2996	cmd.exe	51
PID 2996 wrote to memory of 2312	2996	cmd.exe	51
PID 2996 wrote to memory of 2312	2996	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\Generic_Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Generic_Spoofer.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM WmiPrvSE.exe /f > NUL 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /IM WmiPrvSE.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM Discord.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Discord.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM DiscordCanary.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM DiscordCanary.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Generic_Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Generic_Spoofer.exe" MD5
    3⤵
    PID:2328
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2888
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM DiscordPTB.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM DiscordPTB.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM DiscordDevelopment.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM DiscordDevelopment.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM steam.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM steam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM steamservice.exe >nul 2>&1
  2⤵
  PID:2836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM steamservice.exe
    3⤵
    - Kills process with taskkill
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM steamwebhelper.exe >nul 2>&1
  2⤵
  PID:2960
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM steamwebhelper.exe
    3⤵
    - Kills process with taskkill
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM NVDisplay.Container.exe >nul 2>&1
  2⤵
  PID:2668
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM NVDisplay.Container.exe
    3⤵
    - Kills process with taskkill
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM NVDisplay.Container.exe >nul 2>&1
  2⤵
  PID:744
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM NVDisplay.Container.exe
    3⤵
    - Kills process with taskkill
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / F / FI "IMAGENAME eq *nvidia*" /T >nul 2>&1
  2⤵
  PID:1816
- - C:\Windows\system32\taskkill.exe
    taskkill / F / FI "IMAGENAME eq *nvidia*" /T
    3⤵
    - Kills process with taskkill
    PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / F / FI "IMAGENAME eq *steam*" /T >nul 2>&1
  2⤵
  PID:1744
- - C:\Windows\system32\taskkill.exe
    taskkill / F / FI "IMAGENAME eq *steam*" /T
    3⤵
    - Kills process with taskkill
    PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / F / FI "IMAGENAME eq *discord*" /T >nul 2>&1
  2⤵
  PID:2308
- - C:\Windows\system32\taskkill.exe
    taskkill / F / FI "IMAGENAME eq *discord*" /T
    3⤵
    - Kills process with taskkill
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
  2⤵
  PID:2144
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
    3⤵
    PID:2112
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-0-0x0000000140F51000-0x000000014183D000-memory.dmp

Filesize
8.9MB

Download
memory/1344-3-0x00000000776C0000-0x00000000776C2000-memory.dmp

Filesize
8KB

Download
memory/1344-1-0x00000000776C0000-0x00000000776C2000-memory.dmp

Filesize
8KB

Download
memory/1344-8-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/1344-10-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/1344-6-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/1344-5-0x00000000776C0000-0x00000000776C2000-memory.dmp

Filesize
8KB

Download
memory/1344-15-0x000000013FE80000-0x0000000142CD0000-memory.dmp

Filesize
46.3MB

Download
memory/1344-16-0x000000013FE80000-0x0000000142CD0000-memory.dmp

Filesize
46.3MB

Download
memory/1344-17-0x0000000140F51000-0x000000014183D000-memory.dmp

Filesize
8.9MB

Download
memory/1344-18-0x000000013FE80000-0x0000000142CD0000-memory.dmp

Filesize
46.3MB

Download