Overview

overview

10

Static

static

7

IESecurity.dll

windows11-21h2-x64

6

ProcMon.dll

windows11-21h2-x64

3

SpySheriff.exe

windows11-21h2-x64

7

Uninstall.exe

windows11-21h2-x64

3

heur000.dll

windows11-21h2-x64

3

heur001.dll

windows11-21h2-x64

3

heur002.dll

windows11-21h2-x64

4

heur003.dll

windows11-21h2-x64

10

Resubmissions

28/08/2024, 05:45

240828-gfzwfsyfpl 10

11/03/2024, 16:38

240311-t5j8hsfe8v 10

11/03/2024, 16:32

240311-t11dyabd98 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SpySheriff(1).zip

  • Size

    1.3MB

  • Sample

    240828-gfzwfsyfpl

  • MD5

    5ec70a62b7fa20507ab4b70c3389bb37

  • SHA1

    68ee641337d66b3d6c31dd7f0729afbf2bbdc069

  • SHA256

    d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d

  • SHA512

    0a11577e6ca68124741cf9d3f9357839cd28e83b60a074b06065a962102c14401ecd7035042b9197263ca42626b14e18356d4d413fb2217f52cfe93009cb56e8

  • SSDEEP

    24576:VNgDMZ96GXyY03689pDhw0Ifxpa+7FLzMrn7a7gIWAxZjD9YenhEdNxA1P:7c05yY2vDhAraskS7p/NY2KA1P

Score
10/10
adwareaspackv2discoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Targets

    • Target

      IESecurity.dll

    • Size

      41KB

    • MD5

      04ea7f07722c9c03cf932876a841183a

    • SHA1

      cfb77d3970be7037dcdd887e862d7bbbf4855640

    • SHA256

      f407f96d71d6fa7597ce85abb9ba4bdd95d02fe7f2ef46f0c343a4a0d6115c0d

    • SHA512

      bc70b4a7fc5cf8a6edc01a53e8a0c216ea3c7c81daa6020b35326dfe2db28d1851b7d558e023af2295aa58ab10285ba016aea9fe950f9bbc3a3722f3ae5beea9

    • SSDEEP

      768:VgTrL1xJddyW9QtPW1pVHkmTHzHtCo9vQDbUGTO:VS/JGUQtPWhEmTHzHAo1QDbUGTO

    Score
    6/10
    adwarediscoverystealer

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware
    behavioral1

    • Target

      ProcMon.dll

    • Size

      32KB

    • MD5

      894745b78819bfe885a068b5412dd192

    • SHA1

      75d24b9c7bee65f2b088f58f4e422c744f7eeeba

    • SHA256

      acb1ceb5a01227cb6506c30c5693387441be1c3af0e69eae3d07092075c995a8

    • SHA512

      3a8f311dad8abeb772531779592df96a18d1e5cfd643692e3b2485f5fbf381f91406ab12e121e8bdb2867b1a7d5b59a86e5e73e34d3a0ef792069fdac2a30a12

    • SSDEEP

      384:vQHejeETXLLxJ507mlvZysfqy7XJxo99p4jB+k/:TjeETXvR0WRi8XJxo99p4jB+

    Score
    3/10
    discovery
    behavioral2

    • Target

      SpySheriff.exe

    • Size

      403KB

    • MD5

      c899f93e8b753fedd068ef3fe2edb0fd

    • SHA1

      144b1f18d0e307d14937c21ca1d7cbfc91828a10

    • SHA256

      5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47

    • SHA512

      1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b

    • SSDEEP

      12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD

    Score
    7/10
    discoveryevasionpersistenceprivilege_escalationspywarestealertrojan

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral3

    • Target

      Uninstall.exe

    • Size

      36KB

    • MD5

      a846e764e1b11edda7b233eed37b60f3

    • SHA1

      7c072ff57e369705cd64801c87c3618951890f53

    • SHA256

      af0d7f1a4388da8050f3d3612513f5e0e190f783179502dc7fd099e1b3db8015

    • SHA512

      b6363ccbe1bf2c9bfdcaa1afc6a9cbe22886abc32107c94dbcd74bd8de4146a466bc2d0bfeb1db1b5f036462cd31653f73e6273ed39ac4bd82a16e1f4c1621b9

    • SSDEEP

      384:4l1fU0XdOGml1ZWyyRnBnZWOh6ohsEeR0B958XCq4:AxdZys9Nh6oC0z55z

    Score
    3/10
    discovery
    behavioral4

    • Target

      heur000.dll

    • Size

      124KB

    • MD5

      ca4822789da674e2ae4658ee4250adb5

    • SHA1

      58c3f3f15781cd775ce485f5c4d392b31bdbbe10

    • SHA256

      16e8d6dc3e1c3562f8f7e98d492c152965fc08d7cc57e3846e35de11af49092e

    • SHA512

      7022c63c100acc1cd2083f051ce37baa8a8e1dd1fad7c76e0ff90e05fc1c59356f9e2ae09402ca4f91bafece0c9ee52af804c52f05e6453d42bf3816542a61d7

    • SSDEEP

      3072:prQm5MC1bRoAwOSxoPMVsf0nQla8vxgs2N+r3rk:Km53RRgPvSCsDr3r

    Score
    3/10
    discovery
    behavioral5

    • Target

      heur001.dll

    • Size

      124KB

    • MD5

      840c8e9d2aaccc87d6dad1d409e45a10

    • SHA1

      41be046bf69a7a5bbf27b224554f42d81f5c9c47

    • SHA256

      68fe6616070f5d5d20b12ff020a6197ae93a93ae06d24bf6e872cc35862f758f

    • SHA512

      ed9bf5b7252e26035e1c5779f7f4a065315970e206dc23463cc7dec07a0e890e0757c757a6ff4d910cff639b911b54b20acd488a2190dcc4ee29628b39eb4012

    • SSDEEP

      3072:WPJLnHOfXoAwOSxoPMVsf0nQla8vxgs2N+r3r+f:WPeRgPvSCsDr3r+f

    Score
    3/10
    discovery
    behavioral6

    • Target

      heur002.dll

    • Size

      117KB

    • MD5

      ee21fd7fa9a45453ed55ccb7ce7b9aaa

    • SHA1

      335d0f3bad37dfc77cafa85b2f56c27688e64e7d

    • SHA256

      1f6a5cd4ec1e361925b80b7b4f18b77ff70f0d27d5f6bc043f605363f1f2ef05

    • SHA512

      d8c244c3f188a9a348cf32f1982fe4a7ff7c5a21e45ef8a5a69033b7287fd1b83bf83de2659f9cdcd516e4bef17d84cec2f0a0abcb59108127f2c2ab771f865d

    • SSDEEP

      3072:p0WzeOMDsoAwOSxoPMVsf0nQla8vxgs2N+r3rYF:uWq/DsRgPvSCsDr3r

    Score
    4/10
    discovery
    behavioral7

    • Target

      heur003.dll

    • Size

      118KB

    • MD5

      bb06f2c0d34812d455aecc790aab74d4

    • SHA1

      b206b3f29a3823ac4dad859c13e32dfa1f5f92f0

    • SHA256

      45f6c21d358f56679acb89adeda25e296ab0eb5518eda33a175a1e22cfd71e19

    • SHA512

      f5a4d616fa5e55072c360101216fee9a43c26572910d68ad2b7b68e8fbd3ad0f68aeaa84ffc6bbcbfb8c32e2e82eb2a6f0f5b51d33e640e70c4fd495222042ad

    • SSDEEP

      3072:+CL0FKkhYyoAwOSxoPMVsf0nQla8vxgs2N+r3rWM:+4Q9/RgPvSCsDr3r

    Score
    10/10
    discoverypersistenceprivilege_escalation

    • Modifies WinLogon for persistence

      persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Modifies system executable filetype association

      persistence
    behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Browser Extensions

1
T1176

Event Triggered Execution

3
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

3
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

5
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks