Analysis
max time kernel: 153s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-10-2024 22:24
Behavioral task: behavioral1
Sample: spoofer.zip
Resource: win11-20241007-en
General
Target: spoofer.zip
Size: 5.9MB
MD5: c7f9198be6270dd2336d22949a08762d
SHA1: 3631f3ad251a927d0a7eba07f9b1b9091258a47a
SHA256: 08f1dbb2333b840510f6a02171d0f87144fbc72d20252480589773caa02d2eb2
SHA512: cc92b2443cfc3a90f96394395ed31239e2370a55183d3bd72128baa6d1cbfa75e7e710cbd23406693b07cd23abf378f280eb3caef03a754c7e64dc4c1de346f0
SSDEEP: 98304:z/4UjR9KIuSssi8jlqypwB/ogWcFgAcjA2V7f5tLQSrDlUZprMh354lCxEWXgtWz:UoKIuPssyGu7cF2U2V7TQQpAMhmIx3QA
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2992  spoofer.exe
  2544  spoofer.exe

Loads dropped DLL (11 IoCs)
Processes:
  pid   process
  2544  spoofer.exe   (the same pid/process entry is listed 11 times, once per loaded DLL)

Detects Pyinstaller (1 IoC)
Processes:
  resource                                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zO8E106DA7\spoofer.exe   pyinstaller

Modifies registry class (1 IoC)
Processes:
  description   ioc                                                                                          process
  Key created   \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache   MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  488   7zFM.exe
  488   7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  488   7zFM.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                  pid   process
  Token: SeRestorePrivilege    488   7zFM.exe
  Token: 35                    488   7zFM.exe
  Token: SeSecurityPrivilege   488   7zFM.exe
  Token: SeDebugPrivilege      2544  spoofer.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  488   7zFM.exe
  488   7zFM.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  3304  MiniSearchHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (every source/target pair below appears twice in the report, giving 64 entries for 32 pairs):
  description                         source pid   source process   target pid   target process
  PID 488 wrote to memory of 2992     488          7zFM.exe         2992         spoofer.exe
  PID 2992 wrote to memory of 2544    2992         spoofer.exe      2544         spoofer.exe
  PID 2544 wrote to memory of 1524    2544         spoofer.exe      1524         cmd.exe
  PID 2544 wrote to memory of 4156    2544         spoofer.exe      4156         cmd.exe
  PID 2544 wrote to memory of 4696    2544         spoofer.exe      4696         cmd.exe
  PID 2544 wrote to memory of 1544    2544         spoofer.exe      1544         cmd.exe
  PID 2544 wrote to memory of 4668    2544         spoofer.exe      4668         cmd.exe
  PID 2544 wrote to memory of 1152    2544         spoofer.exe      1152         cmd.exe
  PID 2544 wrote to memory of 1220    2544         spoofer.exe      1220         cmd.exe
  PID 2544 wrote to memory of 4264    2544         spoofer.exe      4264         cmd.exe
  PID 2544 wrote to memory of 1920    2544         spoofer.exe      1920         cmd.exe
  PID 2544 wrote to memory of 3420    2544         spoofer.exe      3420         cmd.exe
  PID 2544 wrote to memory of 4888    2544         spoofer.exe      4888         cmd.exe
  PID 2544 wrote to memory of 4720    2544         spoofer.exe      4720         cmd.exe
  PID 2544 wrote to memory of 1212    2544         spoofer.exe      1212         cmd.exe
  PID 2544 wrote to memory of 4380    2544         spoofer.exe      4380         cmd.exe
  PID 2544 wrote to memory of 2760    2544         spoofer.exe      2760         cmd.exe
  PID 2544 wrote to memory of 2104    2544         spoofer.exe      2104         cmd.exe
  PID 2544 wrote to memory of 2216    2544         spoofer.exe      2216         cmd.exe
  PID 2544 wrote to memory of 424     2544         spoofer.exe      424          cmd.exe
  PID 2544 wrote to memory of 2680    2544         spoofer.exe      2680         cmd.exe
  PID 2544 wrote to memory of 392     2544         spoofer.exe      392          cmd.exe
  PID 2544 wrote to memory of 4992    2544         spoofer.exe      4992         cmd.exe
  PID 2544 wrote to memory of 960     2544         spoofer.exe      960          cmd.exe
  PID 2544 wrote to memory of 1532    2544         spoofer.exe      1532         cmd.exe
  PID 2544 wrote to memory of 4580    2544         spoofer.exe      4580         cmd.exe
  PID 2544 wrote to memory of 4692    2544         spoofer.exe      4692         cmd.exe
  PID 2544 wrote to memory of 4896    2544         spoofer.exe      4896         cmd.exe
  PID 2544 wrote to memory of 1312    2544         spoofer.exe      1312         cmd.exe
  PID 2544 wrote to memory of 2496    2544         spoofer.exe      2496         cmd.exe
  PID 2544 wrote to memory of 920     2544         spoofer.exe      920          cmd.exe
  PID 2544 wrote to memory of 5044    2544         spoofer.exe      5044         cmd.exe
Processes
(Indentation and the bracketed number give the depth of each process in the tree, as in the original report's 1⤵, 2⤵, 3⤵, 4⤵ markers.)

[1] C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\spoofer.zip"
    PID: 488
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\7zO8E106DA7\spoofer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO8E106DA7\spoofer.exe"
        PID: 2992
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\7zO8E106DA7\spoofer.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zO8E106DA7\spoofer.exe"
            PID: 2544
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] Child processes of PID 2544, all C:\Windows\system32\cmd.exe (command line, PID), in the order reported:
                C:\Windows\system32\cmd.exe /c                                                          PID 1524
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Loading...                           PID 4156
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4696
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Displaying compatibility details     PID 1544
                C:\Windows\system32\cmd.exe /c "ver"                                                    PID 4668
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1152
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Loading...                           PID 1220
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing introduction...             PID 4264
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1920
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing MB Series...                PID 3420
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4888
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4720
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1212
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4380
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing RAM Series...               PID 2760
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2104
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2216
                C:\Windows\system32\cmd.exe /c cls                                                      PID 424
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2680
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing GPU Series...               PID 392
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4992
                C:\Windows\system32\cmd.exe /c cls                                                      PID 960
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1532
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4580
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing Disk Series...              PID 4692
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4896
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1312
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2496
                C:\Windows\system32\cmd.exe /c cls                                                      PID 920
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing Partition GUIDs...          PID 5044
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1572
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1784
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2968
                C:\Windows\system32\cmd.exe /c cls                                                      PID 5064
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing MAC/Network Adapter...      PID 1088
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2076
                C:\Windows\system32\cmd.exe /c cls                                                      PID 408
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1360
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1972
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing ARP (addressing protocol)...  PID 4848
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4964
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1504
                C:\Windows\system32\cmd.exe /c cls                                                      PID 3840
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4048
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing PCI Devices...              PID 3656
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4648
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4540
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1892
                C:\Windows\system32\cmd.exe /c cls                                                      PID 3340
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing Monitor Series...           PID 2432
                C:\Windows\system32\cmd.exe /c cls                                                      PID 3068
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1364
                C:\Windows\system32\cmd.exe /c cls                                                      PID 3236
                C:\Windows\system32\cmd.exe /c cls                                                      PID 4744
                C:\Windows\system32\cmd.exe /c title [ WooferNet ] Spoofing Registry...                 PID 1528
                C:\Windows\system32\cmd.exe /c cls                                                      PID 1004
                C:\Windows\system32\cmd.exe /c cls                                                      PID 3856
                C:\Windows\system32\cmd.exe /c cls                                                      PID 2108
                C:\Windows\system32\cmd.exe /c cls                                                      PID 3596
                C:\Windows\system32\cmd.exe /c cls                                                      PID 732

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    PID: 3304
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: ad7a569bafd3a938fe348f531b8ef332
SHA1: 7fdd2f52d07640047bb62e0f3d3c946ddd85c227
SHA256: f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309
SHA512: b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 18ebbe9c5b9d1f57828cb23f70ee4358
SHA1: 3bffe5a39ea4b5dff89e2e051911dc366d6d517f
SHA256: 32feacc1e37265de0ea41d7113a91ec4ea7a697d92941d747adf814039111df7
SHA512: 99ea34ce3b016720a2c5d651e68eb4bca122f8cd05d9b18e4e0225b836a576517a691914c00472977570a24a9360a2049d7150d8392abbab76cd5a3d6e3fa01e

(The remaining entries are listed in the report without a file path.)

Filesize: 6.1MB
MD5: f7a490916b7e7273d5a0bfb67aebcb0a
SHA1: f296dc5940e18537f022ad171bc8becec616238c
SHA256: 20a5aeae85cb060ad100061b0cfd11d884fb9e91f747e32db6aadfdf43546b25
SHA512: 9718b7f28190f70d210bf23382ae7b4deea5ddaa29fe5b7e12d9589d714e93572c37dcdb0466bc885e8d87848e30e4a94317a989c0706393b8ff96240652bf31

Filesize: 95KB
MD5: f34eb034aa4a9735218686590cba2e8b
SHA1: 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512: d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Filesize: 81KB
MD5: 56203038756826a0a683d5750ee04093
SHA1: 93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2
SHA256: 31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c
SHA512: 3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Filesize: 120KB
MD5: 462fd515ca586048459b9d90a660cb93
SHA1: 06089f5d5e2a6411a0d7b106d24d5203eb70ec60
SHA256: bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4
SHA512: 67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Filesize: 154KB
MD5: 14ea9d8ba0c2379fb1a9f6f3e9bbd63b
SHA1: f7d4e7b86acaf796679d173e18f758c1e338de82
SHA256: c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39
SHA512: 64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Filesize: 77KB
MD5: c389430e19f1cd4c2e7b8538e8c52459
SHA1: 546ed5a85ad80a7b7db99f80c7080dc972e4f2a2
SHA256: a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067
SHA512: 5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Filesize: 1.0MB
MD5: 0a8f8810fa4f8a83e350245bf416c4c0
SHA1: 797561b1ff11aecc90b223d95f16290866cdb092
SHA256: 2e301262d77c18e44163dc97b3557c37aec4f70badf1deeaec56eeb5c8dd03cc
SHA512: 088d5aef90ceda9f89c41ac779941bb17c22ad4f072b8533076327c80e7f6b10ee6d24c6861d614196e19c9fa36bf361a884e735888a3f6f6171e38f7a631443

Filesize: 32KB
MD5: eef7981412be8ea459064d3090f4b3aa
SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Filesize: 76KB
MD5: ebefbc98d468560b222f2d2d30ebb95c
SHA1: ee267e3a6e5bed1a15055451efcccac327d2bc43
SHA256: 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478
SHA512: ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Filesize: 64KB
MD5: 24f4d5a96cd4110744766ea2da1b8ffa
SHA1: b12a2205d3f70f5c636418811ab2f8431247da15
SHA256: 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512: bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Filesize: 4.3MB
MD5: e4533934b37e688106beac6c5919281e
SHA1: ada39f10ef0bbdcf05822f4260e43d53367b0017
SHA256: 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
SHA512: fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Filesize: 29KB
MD5: c6ef07e75eae2c147042d142e23d2173
SHA1: 6ef3e912db5faf5a6b4225dbb6e34337a2271a60
SHA256: 43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78
SHA512: 30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45