b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
4s
max time network
7s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/12/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Trojan/Spark/Spark.exe
Size

495KB
MD5

181ee63003e5c3ec8c378030286ed7a2
SHA1

6707f3a0906ab6d201edc5b6389f9e66e345f174
SHA256

55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe
SHA512

e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92
SSDEEP

12288:ehny10sOqEl5yD4UmxYV1g1bT2kdSOSGL84Umxb:exZ5vYORMOJ/b

Score

9^/10

defense_evasion discovery evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3028	bcdedit.exe
2808	bcdedit.exe

Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs

Allows any signed driver to load without validation against a trusted certificate authority.

defense_evasion

Code Signing Policy Modification

T1553.006

pid	Process
2808	bcdedit.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	Spark.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\File Cache\Spark.exe	Spark.exe
File opened for modification	C:\Windows\File Cache\Spark.exe	Spark.exe
File created	C:\Windows\File Cache\Initialised	Spark.exe
File created	C:\Windows\File Cache\DLL.dll	Spark.exe
File created	C:\Windows\File Cache\IFEO.exe	Spark.exe
File created	C:\Windows\File Cache\Driver.sys	Spark.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spark.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	Spark.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	Spark.exe
Token: SeShutdownPrivilege	2316	Spark.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3028	2316	Spark.exe	31
PID 2316 wrote to memory of 3028	2316	Spark.exe	31
PID 2316 wrote to memory of 3028	2316	Spark.exe	31
PID 2316 wrote to memory of 3028	2316	Spark.exe	31
PID 2316 wrote to memory of 2808	2316	Spark.exe	33
PID 2316 wrote to memory of 2808	2316	Spark.exe	33
PID 2316 wrote to memory of 2808	2316	Spark.exe	33
PID 2316 wrote to memory of 2808	2316	Spark.exe	33

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\Spark\Spark.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\Spark\Spark.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set nointegritychecks on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3028
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set testsigning on
  2⤵
  - Modifies boot configuration data using bcdedit
  - Enables test signing to bypass driver trust controls
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Code Signing Policy Modification

T1553.006

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\File Cache\DLL.dll

Filesize
116KB

MD5
a61c26b360471c8258c7571037c4bca0

SHA1
5db105e0384f25b1ab165c10a9445e6b943cd0ff

SHA256
e77316a1fd682e1af8af3ccd03c170f886b9ec8edf7013e1be6a6207cb5a6f16

SHA512
3ef680d50ccfa4311d3d1bec1648c48cf8e8633353dea5e06f52339047ede36fd1655ce728541e769d9fcaa6ab8c2a66981aef708a9f4d05ae46ad26f9d6aef4

Download Submit
memory/2316-0-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/2316-6-0x0000000002080000-0x00000000020D4000-memory.dmp

Filesize
336KB

Download
memory/2316-7-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download