1539c445b9a5e409cdd483bbdd41b682d43966ff4c9811b2c9294ff17c964ef2

General

Target

disk spoofer.exe
Size

841KB
MD5

e0234b0124913ff987332a30daf9c8aa
SHA1

932c901ed2c80ab3fa5c4d20c908a3901736947c
SHA256

1539c445b9a5e409cdd483bbdd41b682d43966ff4c9811b2c9294ff17c964ef2
SHA512

1379979eb49cb0c5df93ca4855026e69a917292691e0bd1aeb483f34d7f27b909d9ecfc7c23e027f0d1a0855fce7a3780bcd6e8412646ae6945fbe693e1a3946
SSDEEP

12288:B1YPOSYOiTn2Tqu+Ox6VPWLV2rqbZAWPKlzQsaOBuv/yVbZu3907mPE7dgRw:GYOisUVPWLmqVASKhQsuv4g3e7+muRw

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

disk spoofer.exedisk spoofer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	disk spoofer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	disk spoofer.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

disk spoofer.exedisk spoofer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	disk spoofer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	disk spoofer.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/60-1-0x0000010572150000-0x0000010572228000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

disk spoofer.exedisk spoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	disk spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	disk spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	disk spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	disk spoofer.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

disk spoofer.exedisk spoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	disk spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	disk spoofer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	disk spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	disk spoofer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1980 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

disk spoofer.exedisk spoofer.exe

pid process

60 disk spoofer.exe
60 disk spoofer.exe
4276 disk spoofer.exe
4276 disk spoofer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

disk spoofer.exedisk spoofer.exe

description pid process

Token: SeDebugPrivilege 60 disk spoofer.exe
Token: SeDebugPrivilege 4276 disk spoofer.exe

pid	process
1980	timeout.exe

pid	process
60	disk spoofer.exe
60	disk spoofer.exe
4276	disk spoofer.exe
4276	disk spoofer.exe

description	pid	process
Token: SeDebugPrivilege	60	disk spoofer.exe
Token: SeDebugPrivilege	4276	disk spoofer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

disk spoofer.execmd.execmd.exe

description	pid	process	target process
PID 4276 wrote to memory of 4960	4276	disk spoofer.exe	cmd.exe
PID 4276 wrote to memory of 4960	4276	disk spoofer.exe	cmd.exe
PID 4960 wrote to memory of 4420	4960	cmd.exe	cmd.exe
PID 4960 wrote to memory of 4420	4960	cmd.exe	cmd.exe
PID 4420 wrote to memory of 1980	4420	cmd.exe	timeout.exe
PID 4420 wrote to memory of 1980	4420	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\disk spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\disk spoofer.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\disk spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\disk spoofer.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KeyAuth\debug\disk spoofer\Nov_26_2024_logs.txt

Filesize
142B

MD5
206136dbf1460afd04cf0ab6798601f3

SHA1
19fce0e6e1bf60259396294627a52ef52431f086

SHA256
64f7c76a85ee97513fae457901e1a5e2395e5b49541a654b1d76484063b96b3e

SHA512
21a8e4a39189ff5b9af5730f949cb5a2e907cafd4405c36fe69efc3ebb8d5ccbd3009ca4d434e9e883d1bf413f41a1ac1b04987c9aa80d67e043b53dd11e7aa0

Download Submit
memory/60-6-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/60-9-0x0000010574710000-0x000001057474C000-memory.dmp

Filesize
240KB

Download
memory/60-3-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/60-4-0x0000010572630000-0x0000010572642000-memory.dmp

Filesize
72KB

Download
memory/60-5-0x0000010573E70000-0x0000010573E92000-memory.dmp

Filesize
136KB

Download
memory/60-0-0x00007FF880903000-0x00007FF880905000-memory.dmp

Filesize
8KB

Download
memory/60-7-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/60-2-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/60-10-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/60-1-0x0000010572150000-0x0000010572228000-memory.dmp

Filesize
864KB

Download
memory/4276-12-0x00007FF87E320000-0x00007FF87EDE2000-memory.dmp

Filesize
10.8MB

Download
memory/4276-13-0x00007FF87E320000-0x00007FF87EDE2000-memory.dmp

Filesize
10.8MB

Download
memory/4276-11-0x00007FF87E323000-0x00007FF87E325000-memory.dmp

Filesize
8KB

Download
memory/4276-17-0x00007FF87E320000-0x00007FF87EDE2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads