Resubmissions

11/12/2024, 00:30

241211-at1ata1pdm 10

25/09/2024, 08:51

240925-ksf6nayhlb 10

25/09/2024, 08:42

240925-kl2h1syenb 10

25/09/2024, 08:37

240925-kjg2laydlh 10

25/09/2024, 08:29

240925-kdnl7avgkq 10

Analysis

  • max time kernel
    48s
  • max time network
    59s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    11/12/2024, 00:30

General

  • Target

    spf.exe

  • Size

    74.3MB

  • MD5

    080f818c1eee78a599b8402962ee5593

  • SHA1

    e929908842d65b784a2b98041fd563447e085c94

  • SHA256

    370abddcc90e3fe150dc4e57dcfc237a906cd328d209c9657fdd2db662285e28

  • SHA512

    f6e2acdc25824381e4108ce5cf30360020f16f2d2810bc9d47bc83e02d80b090e0f5b1d3f5f0fbbf318bccf0850e967e98a1755b5a467b44c97d4bdbe7a8cc0a

  • SSDEEP

    1572864:UCF/QoAcEwBtXTjLnyn7PmhM2QbnzdLaXqVa:s/uD/Ia0JLat

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Stops running service(s) 4 TTPs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Power Settings 1 TTPs 14 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spf.exe
    "C:\Users\Admin\AppData\Local\Temp\spf.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5352
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C sc stop bam
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:6104
      • C:\Windows\system32\sc.exe
        sc stop bam
        3⤵
        • Launches sc.exe
        PID:5364
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C SC CONFIG "bam" START= DISABLED
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5188
      • C:\Windows\system32\sc.exe
        SC CONFIG "bam" START= DISABLED
        3⤵
        • Launches sc.exe
        PID:5108
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C fsutil behavior set DisableLastAccess 3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\system32\fsutil.exe
        fsutil behavior set DisableLastAccess 3
        3⤵
        PID:3120
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /hibernate off
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\system32\powercfg.exe
        powercfg /hibernate off
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\system32\powercfg.exe
        powercfg /x -hibernate-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4904
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\system32\powercfg.exe
        powercfg /x -hibernate-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:5616
      • C:\Windows\system32\powercfg.exe
        powercfg /x -disk-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:5160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:5684
      • C:\Windows\system32\powercfg.exe
        powercfg /x -disk-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:5184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\system32\powercfg.exe
        powercfg /x -standby-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:3908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of WriteProcessMemory
      PID:5476
      • C:\Windows\system32\powercfg.exe
        powercfg /x -standby-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
    • C:\Windows\SYSTEM32\w32tm.exe
      w32tm /resync
      2⤵
      PID:4668
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM agent.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM battle.net.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/5352-0-0x00007FFB16AF0000-0x00007FFB16AF2000-memory.dmp

    Filesize

    8KB

  • memory/5352-3-0x00007FF6901D0000-0x00007FF6911D0000-memory.dmp

    Filesize

    16.0MB

  • memory/5352-5-0x00007FFAD69A0000-0x00007FFAD69B0000-memory.dmp

    Filesize

    64KB

  • memory/5352-6-0x00007FFAD69A0000-0x00007FFAD69B0000-memory.dmp

    Filesize

    64KB

  • memory/5352-7-0x00007FFAD69A0000-0x00007FFAD69B0000-memory.dmp

    Filesize

    64KB