Analysis

  • max time kernel
    25s
  • max time network
    26s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    06/10/2024, 08:58

General

  • Target
    Fish-Spoofer.exe
  • Size
    19KB
  • MD5
    5b26c7f570157e727ad879566d03233e
  • SHA1
    1ddc10eee002147b02f6d3b6dcdc6de25a17319e
  • SHA256
    7ffc6990f8c8482b2400354ce2f1839fbf74afcfe13b6613da56a6d854eefeb6
  • SHA512
    1eddea9bcc8422c34879c888b3a38f0c069ff5de8e8b19c878e88dec48f5cd6929f0a2c5b0e49572af54986dcc78d697b4a9cdf41b3c45a55a7a1b2550e6486e
  • SSDEEP
    384:ElADMr9qbL8j5ARr6RJYpWkyZ0bTE6YfEd3Y88XWnHVu:ElNAQSRuRaMkZbT40r8XWHY

Malware Config

Signatures

  • Sets service image path in registry (2 TTPs, 5 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious behavior: LoadsDriver (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fish-Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Fish-Spoofer.exe"
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Windows\map.exe
      "C:\Windows\map.exe" C:\Windows\mapdrv.sys
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Windows\map.exe
      "C:\Windows\map.exe" C:\Windows\mapdrv.sys
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
    • C:\Windows\map.exe
      "C:\Windows\map.exe" C:\Windows\mapdrv.sys
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:840
    • C:\Windows\map.exe
      "C:\Windows\map.exe" C:\Windows\mapdrv.sys
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:864
    • C:\Windows\map.exe
      "C:\Windows\map.exe" C:\Windows\mapdrv.sys
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tiyjwmEvTibuk
    Filesize
    33KB
    MD5
    1898ceda3247213c084f43637ef163b3
    SHA1
    d04e5db5b6c848a29732bfd52029001f23c3da75
    SHA256
    4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
    SHA512
    84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377
  • C:\Windows\map.exe
    Filesize
    134KB
    MD5
    9d4b543b8f15cc991961946649595566
    SHA1
    3b10c75dfd49303e29d380f199701e82da1f400d
    SHA256
    7cd36e94b2cbe1f9cdcf43dbbf725e79a6d95b51e0e1f2c1327ddf3812b2e4fa
    SHA512
    03fb0bb4f9688eb75162ca9cdc82ad76378fb67fb69abdef10aca8bd678fdb5acda1b81f9750137567a377aa61891f3d64545f962d2cf013fbd7c5713ce786f4
  • C:\Windows\mapdrv.sys
    Filesize
    3KB
    MD5
    bf7fe8993701d97706fe258fa3ba69b1
    SHA1
    e0240fd7ab9056bc95764621432f34857ed648dd
    SHA256
    4f7f5d4cf54079dbfac47d6bc08fc7c4d5ca03b4f5c09b3c998b8f6bd125d82a
    SHA512
    773e0bd04b3e9f9a33cee600b6c4f3d7117f04c80580ba2f96331dde1351d5fd76fe4217a40738f4240e67df3f12885d95638c367ec51843b08e41875212bc69
  • memory/3200-0-0x000000007453E000-0x000000007453F000-memory.dmp
    Filesize
    4KB
  • memory/3200-1-0x0000000000F50000-0x0000000000F5C000-memory.dmp
    Filesize
    48KB
  • memory/3200-2-0x0000000003470000-0x000000000347C000-memory.dmp
    Filesize
    48KB
  • memory/3200-3-0x00000000059C0000-0x0000000005A52000-memory.dmp
    Filesize
    584KB
  • memory/3200-4-0x0000000074530000-0x0000000074CE1000-memory.dmp
    Filesize
    7.7MB
  • memory/3200-5-0x000000007453E000-0x000000007453F000-memory.dmp
    Filesize
    4KB
  • memory/3200-6-0x0000000074530000-0x0000000074CE1000-memory.dmp
    Filesize
    7.7MB
  • memory/3200-19-0x00000000066A0000-0x0000000006706000-memory.dmp
    Filesize
    408KB