Overview

overview

8

Static

static

1

URLScan

urlscan

https://github.com/J...

windows7-x64

3

https://github.com/J...

windows10-1703-x64

8

Resubmissions

06/09/2024, 08:22

240906-j9n26awcnm 8

06/09/2024, 08:08

240906-j1snzswarf 8

06/09/2024, 08:05

240906-jy7ecsvfpr 8

06/09/2024, 08:04

240906-jyjy3awajd 3

06/09/2024, 08:04

240906-jyez4svfln 1

06/09/2024, 08:02

240906-jw61tavhmc 8

06/09/2024, 08:00

240906-jwf5dsvhkb 8

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/09/2024, 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/JaredWestley/HWIDSpoofer/releases/download/1.0/HWIDSpoofer.exe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://github.com/JaredWestley/HWIDSpoofer/releases/download/1.0/HWIDSpoofer.exe"
    1⤵
      PID:1124
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5024
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\HWIDSpoofer.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\HWIDSpoofer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3264
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4644
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3560
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:5104
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4380
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3584
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.0.904450966\1696357425" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0a8071f-8c31-4064-b8c0-69b4ff563140} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 1780 1a6ffa15e58 gpu
          3⤵
            PID:5052
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.1.2097228306\1834446802" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66ae9ec7-e674-4030-8d44-bb43e308b35d} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 2136 1a6fe6f9258 socket
            3⤵
            • Checks processor information in registry
            PID:428
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.2.1552708256\762575308" -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 2904 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0dac651-cb5e-4eff-a89d-afdaaadf2e9d} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 2880 1a6fe762458 tab
            3⤵
              PID:1116
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.3.1734257757\1350673000" -childID 2 -isForBrowser -prefsHandle 1040 -prefMapHandle 984 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b919728-3824-4010-92bd-bc79516f4cd4} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 3276 1a6f6060a58 tab
              3⤵
                PID:1988
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.4.1825729710\852452431" -childID 3 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff076d7-1122-48ef-8b79-013105d3d3bb} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 4240 1a687425558 tab
                3⤵
                  PID:3288
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.5.461889654\675140421" -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 4860 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d75e4c5-cc28-43b4-849e-abe86d1d31fc} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 4908 1a687c1a558 tab
                  3⤵
                    PID:2276
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.6.234995919\125975787" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca8e654e-4353-4a2e-8d87-65312d319898} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 5044 1a687e98858 tab
                    3⤵
                      PID:4352
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.7.1153419427\2123822539" -childID 6 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2df9002a-373e-48ee-9461-c82d74021322} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 5240 1a687e9bb58 tab
                      3⤵
                        PID:664
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:2500

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UI7OZYVI\HWIDSpoofer[1].exe
                      Filesize

                      995KB

                      MD5

                      73598365e7be8f06f79b4bd81ef86341

                      SHA1

                      354adaea812528d9e5bb3cbf5c5fec7b144cfa45

                      SHA256

                      127e0c260765a58e3916eea7b5f4a6edd447504d372f24ff4d78b9068d54dece

                      SHA512

                      456bfc208b6abe9ea45b18492a6d32a9008245412c81dc60c1df18e138099a0a81a2eecc04849300b65f32da515f795471c227eb3346cada5d4d6b68c743f63a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF26A4FF841E071C01.TMP
                      Filesize

                      24KB

                      MD5

                      d3cdb7663712ddb6ef5056c72fe69e86

                      SHA1

                      f08bf69934fb2b9ca0aba287c96abe145a69366c

                      SHA256

                      3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15

                      SHA512

                      c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UI7OZYVI\HWIDSpoofer[1].exe
                      Filesize

                      79KB

                      MD5

                      3df65d31ad4c4e0d68f07db7de16a313

                      SHA1

                      2ab1d4737b08e2b15acfaac7757b74072823ed69

                      SHA256

                      41af2f007025c0e7814937300320d12e25e58c634eeddae5c2c38efc2d411a1c

                      SHA512

                      b6aabbb92f3c5f463beb50b12749095853a056398149cc0d7fbe3278d564b5b6bd7ff39cf2635a601c7f6b5cf24a39ed5c6758603cba9b6f78112ccaefca4d3b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      25b49a33ad7fdc8e3dbbf27b459ecd2d

                      SHA1

                      c5a3972a50dc33d370843579d9a9744ffb62dd6f

                      SHA256

                      cf32effd40d1a2544039dadc364ac5d371071534def32b0166d02eb07e629e54

                      SHA512

                      094a0628432ab2c53566633ad391c100b1210df40389a94755b0c09b2647fca1fa2ef19f01d2bdf769039089acc999ea1ec2d073fc3898e39c3199cdb2da613e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\943b1aa8-eb20-4cf5-8477-53b6fb820179
                      Filesize

                      746B

                      MD5

                      caebf7ac7fd937bf991f7023e27fa1a4

                      SHA1

                      1e5ff35eba05008db74f10863476bb97a1e27d97

                      SHA256

                      c385733633202eabfc7a44cc93c83b9f0f6aac53f983dc631534e2350aaf8047

                      SHA512

                      e0aba10ea22645ed450b8e492338171c12d045c508caa971d3e36373d6a4311943b5381771832a018ca132c5bffd3864cc35d8928b8054372b6eeb72103fed7b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\cb714b31-602a-436e-aa2b-949b8cf44975
                      Filesize

                      10KB

                      MD5

                      cc88f9828e3e3380237cd62ff5597640

                      SHA1

                      2b2ebb1b8ff835e575cf7d0a3e83226a3b00a242

                      SHA256

                      c2d07af77b4501359b564884986158d89910db77b299d406ee3bfe13c05e44ad

                      SHA512

                      e8834b3f0273082979f6b1dae3f35f52d32ca27a2cb72dc223e343491db86b184d8e021e0fdd79d52cab4692826fe5ab3f2651eca53e171bfbe9d215ca26523f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      8c6afe2e1cc77cfe51353be907d1d348

                      SHA1

                      3dc3c2bbd2733777a9b1b5b1c6b991b1c7b26a22

                      SHA256

                      f26d37cba07e64ccb7ac64893ece63093f3d50d499e9b645e505f443131b32ec

                      SHA512

                      f66a8be0fb53bcdada36db5f7e6d4bae8f649b6719d4732c6cbfe063579060977772f103a801a08b2b57f92080776af724433ab028b7734d8d98c0d839b1e1a3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      459b3e6771ff40c69d06fbe0994d2f76

                      SHA1

                      e89577326c1e9dd79a35e724a05d8214fe2a8c75

                      SHA256

                      35dec618ab8a327dec56677aa7c448715be153ea5f98813af1c9af48a5aba62a

                      SHA512

                      a0c37bdaeed5091167badf4dea4f10fa09a26aaa6b63234d18ee900aa571c03e8c84c4a2b6b78236ecd7c5efde6eef086901d6a71f2d2bbbb0bf660e20df2c6b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
                      Filesize

                      884B

                      MD5

                      b21716e993c5c2350f435c6f45232dbf

                      SHA1

                      76ce02c558ea356974ca295cdc572782e5d39e2b

                      SHA256

                      05037e80f0ecf306b72811ddcc81e81bd6f8b3061b6bf271ec1d1f94b637c455

                      SHA512

                      dcf2d99f0f1b682ec7f6ab798964025eb8449d856fd50f9fb81bd9f2bcf583cb015bbe96ff5a0b5d0b94ca596d17d9e6d08f2e7eb35dc7bdf96fa99aa41138be

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      731c0e733fe1e3123d366af7c8e578ae

                      SHA1

                      9756304ea773dd9cd96e5996dc79de2ed6a9ae9c

                      SHA256

                      8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359

                      SHA512

                      d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

                      Download Submit

                    • memory/3264-140-0x000000001ECF0000-0x000000001ED42000-memory.dmp

                      Filesize

                      328KB

                      Download

                    • memory/3264-141-0x000000001ED90000-0x000000001EE3A000-memory.dmp

                      Filesize

                      680KB

                      Download

                    • memory/3264-113-0x000000001BC60000-0x000000001BDAE000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/3264-114-0x00000000013B0000-0x00000000013C4000-memory.dmp

                      Filesize

                      80KB

                      Download

                    • memory/3264-111-0x0000000000BF0000-0x0000000000CF0000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/3264-112-0x000000001B910000-0x000000001B990000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/3560-45-0x000001C7E2600000-0x000001C7E2700000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/4380-83-0x00000250D4E00000-0x00000250D4F00000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/5024-128-0x0000022A62D90000-0x0000022A62D92000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/5024-17-0x0000022A5EA30000-0x0000022A5EA40000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5024-135-0x0000022A62B20000-0x0000022A62B21000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/5024-131-0x0000022A62BF0000-0x0000022A62BF1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/5024-35-0x0000022A62BC0000-0x0000022A62BC2000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/5024-0-0x0000022A5E920000-0x0000022A5E930000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5104-71-0x00000259E2790000-0x00000259E2792000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/5104-73-0x00000259E27B0000-0x00000259E27B2000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/5104-68-0x00000259E2760000-0x00000259E2762000-memory.dmp

                      Filesize

                      8KB

                      Download