hxxps://www[.]mediafire[.]com/file/uj93vl8j1t57cok/FreeSpoofer[.]exe/file

Analysis

max time kernel
1680s
max time network
1687s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-10-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/uj93vl8j1t57cok/FreeSpoofer.exe/file

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
4520	msedge.exe
4520	msedge.exe
1104	msedge.exe
1104	msedge.exe
4684	identity_helper.exe
4684	identity_helper.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4092	4520	msedge.exe	78
PID 4520 wrote to memory of 4092	4520	msedge.exe	78
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 468	4520	msedge.exe	79
PID 4520 wrote to memory of 2172	4520	msedge.exe	80
PID 4520 wrote to memory of 2172	4520	msedge.exe	80
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81
PID 4520 wrote to memory of 4728	4520	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/uj93vl8j1t57cok/FreeSpoofer.exe/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff901be3cb8,0x7ff901be3cc8,0x7ff901be3cd8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,11606077052949806210,16920727460036717600,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
c48d6e3d0a5b64e5740509fdaa9d6bde

SHA1
7a90191758af6783eac2392eabdb58a2eb43a27c

SHA256
9de8fe74f37dc99575ac317090110453bd4fb2437f68541fe7a9ddf03e8894c0

SHA512
fe9d1c8ac656a9d8f9f864adad408eb50b55de9099872d556b2f26fc9cefe148dff41b4f3ae51d7214bf9efe4dc89e79951e87d73b106f45f08b93e0c16bfe6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1f4878edd9f3fbc1c4fb91863f691862

SHA1
99783a86d0c3721dc56237ff1dcc41c7b690de28

SHA256
dc9f2758c569e79a03a4397a2dcf06016fdb6c551664c2974da52e1e811986d7

SHA512
ad2666b7f174ce1c8b2b001196e4db2544bf505a62eaee32d11c750e8badaf0bd37b112f4396fb44cbb733368a5893fdd79956a287de4a188c89a1929783a7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1a7832361c6692830b53f216027a80a

SHA1
0593c0512fe5c844862c04b8207ae0b5af547823

SHA256
ce7b9edd32ac2b0088382322e7a6d6622b12f25efe6b24c8b9ca8d3e9fd50123

SHA512
74662387a0a5b19560984fa1e5778d2e7f7c7cc3f8be3a868dafe1e978061dbb6ed49d88150e1e7f031e04dddcc709cf9cf34dde155456e625ace26b1397e366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
507f7d82c2e93cb21f4f2f9062cbcee9

SHA1
2bf2dd0d0d359f8d8eff7f0abbaca513d24014e9

SHA256
b70dce487de4c89d48dd8e4c2db0f77d39da7ed1005429b8515697c9bd04be07

SHA512
e334e54314940376e8111427165a5a7239b5ff9bdb6c148821419ba4c413e08f7e4970a1ef759b269adb0c1eb59783829a6b316442571bc6071caa00ac069274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0806b57b41a3bdaaa4c4eb2acdc3cd56

SHA1
432ccad82e974871a33d92b7b2a98d7fc960c42f

SHA256
c17ce78709c4e65aea95da795b58d70c12411ce54ca8c120b785ebe50eed7405

SHA512
e3e84e68e6367188c29b5e3e851a02759dcf3eacad05ece52a429a204a863dd1646e23264bcd54e565f1704a10645a04cabb0d14e07ee84ffd8b50a4deaa540f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
389704ef72c75c444cec23f468749d8e

SHA1
e3fd325b680214725b0dac0a1cdac0d3446e0aaa

SHA256
cc9a8818a4414e388a324745ded3eaca877e64c97c2d189d2991254c37b6a288

SHA512
c41647cd2d1f63372391662fe377431a02f83d61fc3d38530fb3d6a100857db86ce93a0e3d260e163c6c8d59cbea77473e8cc1bb5bc7f21772a42cf2406b544e

Download Submit