Resubmissions

06/09/2024, 08:22

240906-j9n26awcnm 8

06/09/2024, 08:08

240906-j1snzswarf 8

06/09/2024, 08:05

240906-jy7ecsvfpr 8

06/09/2024, 08:04

240906-jyjy3awajd 3

06/09/2024, 08:04

240906-jyez4svfln 1

06/09/2024, 08:02

240906-jw61tavhmc 8

06/09/2024, 08:00

240906-jwf5dsvhkb 8

Analysis

  • max time kernel
    24s
  • max time network
    25s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    06/09/2024, 08:00

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/JaredWestley/HWIDSpoofer/releases/download/1.0/HWIDSpoofer.exe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://github.com/JaredWestley/HWIDSpoofer/releases/download/1.0/HWIDSpoofer.exe"
    1⤵
    PID:3484
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1408
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\HWIDSpoofer.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\HWIDSpoofer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\System32\shutdown.exe
          "C:\Windows\System32\shutdown.exe" -r -t 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4708
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1640
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1504
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4580
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4360
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3440
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3aff855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4892
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      PID:1372
      • C:\Windows\system32\browser_broker.exe
        C:\Windows\system32\browser_broker.exe -Embedding
        1⤵
        PID:3812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\HWIDSpoofer.exe.g1aqafn.partial
    Filesize: 995KB
    MD5: 73598365e7be8f06f79b4bd81ef86341
    SHA1: 354adaea812528d9e5bb3cbf5c5fec7b144cfa45
    SHA256: 127e0c260765a58e3916eea7b5f4a6edd447504d372f24ff4d78b9068d54dece
    SHA512: 456bfc208b6abe9ea45b18492a6d32a9008245412c81dc60c1df18e138099a0a81a2eecc04849300b65f32da515f795471c227eb3346cada5d4d6b68c743f63a

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\137FI8KS\HWIDSpoofer[1].exe
    Filesize: 127KB
    MD5: 5ee0f83014cb9bec4d6c545c7c89fe06
    SHA1: 55b21c9da7948257158e41e5ba51aae27a6712c2
    SHA256: 791c6b7c681b551871f5c826e6195f602ac50c85bd7268269339c947f1892f2d
    SHA512: f808b96dfa3c10c513a7056a26c153b48bc060397fbe493507ad8a76ab28996e71380b91f3b8671d89377772e6866e819de70d71d4c1533eefaa93a9c6886f64

  • memory/1408-16-0x0000019DCC220000-0x0000019DCC230000-memory.dmp
    Filesize: 64KB

  • memory/1408-35-0x0000019DC94A0000-0x0000019DC94A2000-memory.dmp
    Filesize: 8KB

  • memory/1408-0-0x0000019DCC120000-0x0000019DCC130000-memory.dmp
    Filesize: 64KB

  • memory/1504-43-0x000001A475700000-0x000001A475800000-memory.dmp
    Filesize: 1024KB

  • memory/2948-111-0x0000000000AB0000-0x0000000000BB0000-memory.dmp
    Filesize: 1024KB

  • memory/2948-112-0x0000000002DA0000-0x0000000002E20000-memory.dmp
    Filesize: 512KB

  • memory/2948-113-0x000000001BA60000-0x000000001BBAE000-memory.dmp
    Filesize: 1.3MB

  • memory/2948-114-0x0000000002F40000-0x0000000002F54000-memory.dmp
    Filesize: 80KB

  • memory/4360-82-0x0000028B6A480000-0x0000028B6A580000-memory.dmp
    Filesize: 1024KB

  • memory/4580-72-0x000001FCDBE00000-0x000001FCDBE02000-memory.dmp
    Filesize: 8KB

  • memory/4580-70-0x000001FCDBD40000-0x000001FCDBD42000-memory.dmp
    Filesize: 8KB

  • memory/4580-67-0x000001FCDBD10000-0x000001FCDBD12000-memory.dmp
    Filesize: 8KB

  • memory/4580-65-0x000001FCCBA00000-0x000001FCCBB00000-memory.dmp
    Filesize: 1024KB