Analysis
-
max time kernel
187s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 03:39
General
-
Target
spora.exe
-
Size
112KB
-
MD5
570e9cf484050e21346bcdcb99824d77
-
SHA1
f889cbfd2f25e65fae443c9f70192bd310a04b51
-
SHA256
2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf
-
SHA512
a31ac315c243f7225e32913873426de2a56331f2e47cf0d4ae613ac1ea27b334940a15908e6335db40d92b6cfc9e265143b0b363545c54e356a8d267381b7b2f
-
SSDEEP
1536:Ohw7p8e/dl1SHJ070ir7kREEvxLAEOBHYwBzHy0xD1/wb93vsslLng5n2:OhwH/dlS0QUsxLXOHbBby0b/wB0Ykn2
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\spora.exe"C:\Users\Admin\AppData\Local\Temp\spora.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\spora.exeC:\Users\Admin\AppData\Local\Temp\spora.exe2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD58481b71d61faa011ac20489911dba498
SHA153f0925782f0af815a3125a42a109c092fe2e333
SHA256325029b1e2a7a610cde9f47d26354b46b907d24acc4e90f6b67c2e1b7d04b2d2
SHA51200003a09f5a1494d7b0ce4d7de454f09e1c28cea7a38b1f11f76875005c1349a7f13e1068343482e8e4bcd7d02da4b327c18fd360116c19e979395fe179aaae6
-
Filesize
342B
MD5d0422a0fb0856c56d4e3fd14bef61235
SHA1d425e77b5a075635d90ee391dcce6f04327cc723
SHA256a17fca09172603d0242bf08039a872613c25abe19d3b33616141880723e4c3a5
SHA51255d4d57dfa0274fb4ab49ea2df11570fcc5e716a6a5390ce5f38e0ad30da974ba7e7b17b2fa9b82b7dc7ec9bffcf34483fa29590d249a8468f0ff30e7da39028
-
Filesize
342B
MD5018c34f0cb92c9453571183adbc0d83d
SHA1675ad7ba77992a00b72a8ee018ea6727c953b252
SHA256a2fa0f66e7db180f62d8289322803b58ac96eae1536fa101540ea47612814bc0
SHA51290b0e2b3ea731de6271315a6e43e353a2912d34f12badf501eedda1cf386313d4a69dc0457476e2e2103c95943b1f2f88bee006e721f437da6dcce7b2c115597
-
Filesize
342B
MD5b5e7e8d76341d23d0111070871a29cb5
SHA11b8b335d00bcf36f776f14b977fca4a0e74fc210
SHA2562ff7e7e591813b1d7e7c3d06cdfd2aa2d9a829e71a6ba44d67b864339a2b85b7
SHA5121a354dcb59f754a7a11b8b7e62ce7a385931b66d484a16cbfd22fcfda28992ea83a985e3cdb050d544d301101ca7873bccc77eda553f3b13062d35e85536eade
-
Filesize
342B
MD5dfff273ca3a765bcbd1407fcd2810b2f
SHA10cbac3cc022b932592e975e8592f2adb540ec82b
SHA2569a0099e55d3f18892208dfd6627fb7e0fe3bf002dc3a0660e11f238f325ae619
SHA512665589b07f8b938716a4991fe4c79426eaa1530334e0a77518d6840750cd8cb121764c95176ebfbebfa0d97f67da3be44d9413a9efbfc1f73c97ad7bcb915fe0
-
Filesize
342B
MD5857dca8067ac951311e2574449d15dd9
SHA1ab4cce505a36d6a084d1ceb4d2e618abe643ccad
SHA256fbe124cccbc0e589105b3e1543d570f886d671429a5599ca3e1bce9a285cff9c
SHA5124d167d32f0db96ca6884ae720013b67e741acc88f12bc69f79de41edc6f611cb6fc0a84778f9d461595c4d0170484c8e8af8bb1c664772b2e11e2336f7a11b1d
-
Filesize
342B
MD5b2a8384a28ed4fa28e485f3bf0dbc91f
SHA18e61727691b7d9e989b86157c5f96be6cde9a80c
SHA2561c8a9dc3caa0d2cb48cfe6ee041878f6810458e9839f4333bf0e8f8ac0fad09a
SHA512dbcaeb6008acb8f41af15cc2cb394729a0c2067a5a255f2c9eec56e2208ea95e37a48fa36af03eff66a65b29544bccf1f508d9d54bdb31f7be658fc3e4f6beba
-
Filesize
342B
MD5d764851983b159a28c2b1436918274d2
SHA140be46caf56a38ac8f06c71de8acd45528d300db
SHA2568997c26b18eaac8ac417e34ed5122ca2514b01184fe553a167b70f11de9f25d7
SHA512c33047e5d53ddcf86a532d73ea6ad32aa7bc3c871a2a49e43dcc3a9ab3264548446b8fdd8e4c327b90166cf843e18527143dedf5576c5e27772c18883f2cd1b0
-
Filesize
342B
MD52e17ed58d368110e0374ecfa4b308e1c
SHA1a3781f69cb4262803d1319b547c2a6bcfae37ec7
SHA256d32888ff8a12a2f2f52a0601bcc2885a6541b8764b5adf7a999f2d0ac103240d
SHA51209e4883b326cafa54fc7de5764fffbb1dfbd4ebbd43bc070295815f137737bf5285654c13644a48c1824cec9e9643e4a34a35783e1f45e332ce091a8e79edb53
-
Filesize
342B
MD5b2eb0d5510d02c2a4e72c6a703055d2d
SHA1f4c980ec1c714022c4b0f9789704da5eb1fc7991
SHA256a6ee666f3e9f8b2733eedfc031c76575f5321da7cad0e3bac9b03c785bfe37e5
SHA5127c54ac297fa203525988aba19e85734974d3066745c55880b02203a981b1fe441771cf859d1e9edb66558de0b5424eb910edb0b93d1d81f2e857aad9856e4fbe
-
Filesize
342B
MD5671c57d4fcaa281ee5a5f58029d46a87
SHA18ac1bb64686620638d0d55ff4b9aa01f67e80dc6
SHA256825fde202331abbee1e00354f7b04d13d1e92b2565a61e201f648f81e5a3911b
SHA512d4fdda79933564f6309a0f62ef48ae449a2861f05572578cf587db0d05b65ed6a72a85c0df28d63be30ec8910b8d973b270100a6ed17e39c831ebeb556c9fd9c
-
Filesize
342B
MD5791af685c309d82a7c431feda3f6550e
SHA1f5092cfa8db6a347e975468fee4af75a50ba8d5b
SHA2561b5e9fad4b135fbf4f7072bdc363913bf223c33f368e8e7f9185abf252361763
SHA512b93b4f233afdd6eb0702ed278979d012a46a57cb9f7afa51af4c7d3f7ca75a8944c2b05be5a8fa1eaaa00def56421f3a13cd5bc3a9f877acb2ee0d1b6995ef20
-
Filesize
342B
MD58abba63eed0fc51db6df1c1c95ef8c38
SHA180419a53103c3b2a964336dd605289003bd65b86
SHA256092e256aca4f47702ef50f4d62987990fc5591e022c3c3da9e86deee723379bd
SHA5122d1e92e7b64abfe0ca9bc89edb4da74b4f42f7b83fa329a352bd8254feeacc17876fdffa97f6cfec137ccc26cd8cd575df6bc9de92534508bcb251d369af4b8e
-
Filesize
342B
MD5a62e24911465918336a4a2bb772812df
SHA181930232d1a3ea70479226cd4b0db8c0fe0f4288
SHA2568abb34819a227f417b8a88ea734259199056cb7bc0a03d53416a6d1584076b1a
SHA512e1c33298f1fbc0817f3705ea92bc17c93bc51bd95c520420bd6f2903573f20f07f43f6c79c9bdb3a66eb34d0978719c4be71c27ad0c4c551cf775a27ebc01cd8
-
Filesize
342B
MD5baf60c4957e7bbc1e31c1a9155dc4f64
SHA118543727bbecb3cc41b1f77dc9f7e299124114b6
SHA256de56ee67be6f329600f5d30da671a04804d9dcc50236df7fd7d7e5a779a35453
SHA512aa1a6fd1dc961cc7ed2cab1f573ed699d220ac9adfa0f47f6b4453e88e1ee3f6fa448354e94755162b4b0e6209149277c7ef052d510c66112517d62a58636159
-
Filesize
342B
MD595e3ee2dfa0b6d5f7206da9b21686e67
SHA1c5f55d6392811fb626ed01b7c962abdd542920e8
SHA256517010463a5c76a9591b9898d0b5f872993e53a8c15d083c17176d5d565cbeb2
SHA51250b8d2376d71f5c689973d698c955cabd590df561120f84d19ff361887cd1755cb4d38bef5561fcd1879b6f9ac37dcfae79c23df8da7b2e2f6d3a874ce35c0fe
-
Filesize
342B
MD565ab68ad3d7c2addb8e1695cb6a01af5
SHA18e65dc39db453fc2feda7f63e61761d6e261ebc3
SHA25686a446b63f145e1c5d5ec5c1d1c42974518199148a245c58e552d9c1051f66a8
SHA51297067c97c9009e488c3e19001619475e0aec173a6c9b81672f2b8beffb094a3075aecdb3ceaf81a74c202067a0c5cefe83fa68f0f4b50335a817521cdae7b65e
-
Filesize
342B
MD51bd0743e8b67e62580a552ec8f9c2349
SHA1a4f32df7ad6f5929e44dce00b9f69f6a432dbbc7
SHA256460b4b52eacf0fdda6e6f993cdb64fe6b5ee7db79c8430e77cfc575ff7f3f7ad
SHA5125408c795e6182aa3baeb5604d95ac2804e547885eeba025b945f71dd244b15f75d0cf77fd147d5a0edf1820e6363eb47a39e533a6c5aadc5dab2b210cfbe6c4d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD561abff02832b67d275b10e21909146ff
SHA16394ad02c77c02c3168be8c3a0b81d2fb8062898
SHA2563ed7b10a126d8144bb966958d98a23bf727e92138a48456e7381b44c4f77759b
SHA51243095a9b0fe2adff81f9c77dc8fbf2c7a4ab28ae1e01a9da2bd0e0cb3c029a3c336ea3543275c288db30ddc64896fc6a133c21a848de3e79b43d88e2fd60e6ff
-
Filesize
14KB
MD5d98f12ec6e0ef7f3117471ba9712a5f1
SHA11771a2bb43ce9b4421a8b643f5c3036e920853b0
SHA256da4343509481acbb5805078da4f397ed35332d95041ca166f77ca8e0d2f21434
SHA512cf4c5079d0288f7ad7f7b93d06884a36932b2b80f6955a749eda716596aee2b66c6d8154aa9b02e365e6ce2c047a47ab18c6c468279f2f810a0eafcb25316205
-
Filesize
5KB
MD5f693ab1fdb0feb2d24976b12fb3e3196
SHA1eb6a62e6e99c6b6005c45cf6a7f202818d35e5fd
SHA256c6dfb028f50623f5cdbec757f0c27cf04fef3690db93fabf714b6c573ccf49c2
SHA5122795161e37a9a3479ee1b849c020afab2f12ae2bf8040b1ad7bd9e8069817772b7b918bfca685096a74676ac7ca0ce7a257b04e879406d99f64d5b2404fc3324
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
20KB