b2e8dbdaf60dbf348e715a5643a767cbd5eeabd0699988eedc78eb80595d0f5d

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpoofX.exe
Size

2.9MB
MD5

bafe98fde65f7b51b1f2a1dbc62a6c88
SHA1

1bf16c146dedf6bb2e6a272abb8c9883525a9649
SHA256

b2e8dbdaf60dbf348e715a5643a767cbd5eeabd0699988eedc78eb80595d0f5d
SHA512

9219fef6ec1438964d5aa7c1813f852ce581491025d7e9448095ca4416de951f4fc68361c2bc5460154407f4aca4a4270ed5b72b3d3c5c98df1815405de97765
SSDEEP

49152:ttGrOk4cHGD8Y9f3/QKYQ+C4ykOdSmssUnlKn2jybt:UOxc6GNM1M+

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2852	spoofx.exe
2124	icsys.icn.exe
2904	explorer.exe
2788	spoolsv.exe
2876	svchost.exe
3008	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
2748	SpoofX.exe
2748	SpoofX.exe
2124	icsys.icn.exe
2904	explorer.exe
2788	spoolsv.exe
2876	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SpoofX.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpoofX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2064	schtasks.exe
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2748	SpoofX.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2904	explorer.exe
2876	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2748	SpoofX.exe
2748	SpoofX.exe
2124	icsys.icn.exe
2124	icsys.icn.exe
2904	explorer.exe
2904	explorer.exe
2788	spoolsv.exe
2788	spoolsv.exe
2876	svchost.exe
2876	svchost.exe
3008	spoolsv.exe
3008	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2852	2748	SpoofX.exe	30
PID 2748 wrote to memory of 2852	2748	SpoofX.exe	30
PID 2748 wrote to memory of 2852	2748	SpoofX.exe	30
PID 2748 wrote to memory of 2852	2748	SpoofX.exe	30
PID 2748 wrote to memory of 2124	2748	SpoofX.exe	31
PID 2748 wrote to memory of 2124	2748	SpoofX.exe	31
PID 2748 wrote to memory of 2124	2748	SpoofX.exe	31
PID 2748 wrote to memory of 2124	2748	SpoofX.exe	31
PID 2124 wrote to memory of 2904	2124	icsys.icn.exe	32
PID 2124 wrote to memory of 2904	2124	icsys.icn.exe	32
PID 2124 wrote to memory of 2904	2124	icsys.icn.exe	32
PID 2124 wrote to memory of 2904	2124	icsys.icn.exe	32
PID 2904 wrote to memory of 2788	2904	explorer.exe	33
PID 2904 wrote to memory of 2788	2904	explorer.exe	33
PID 2904 wrote to memory of 2788	2904	explorer.exe	33
PID 2904 wrote to memory of 2788	2904	explorer.exe	33
PID 2788 wrote to memory of 2876	2788	spoolsv.exe	34
PID 2788 wrote to memory of 2876	2788	spoolsv.exe	34
PID 2788 wrote to memory of 2876	2788	spoolsv.exe	34
PID 2788 wrote to memory of 2876	2788	spoolsv.exe	34
PID 2876 wrote to memory of 3008	2876	svchost.exe	35
PID 2876 wrote to memory of 3008	2876	svchost.exe	35
PID 2876 wrote to memory of 3008	2876	svchost.exe	35
PID 2876 wrote to memory of 3008	2876	svchost.exe	35
PID 2904 wrote to memory of 2244	2904	explorer.exe	36
PID 2904 wrote to memory of 2244	2904	explorer.exe	36
PID 2904 wrote to memory of 2244	2904	explorer.exe	36
PID 2904 wrote to memory of 2244	2904	explorer.exe	36
PID 2876 wrote to memory of 2692	2876	svchost.exe	37
PID 2876 wrote to memory of 2692	2876	svchost.exe	37
PID 2876 wrote to memory of 2692	2876	svchost.exe	37
PID 2876 wrote to memory of 2692	2876	svchost.exe	37
PID 2876 wrote to memory of 2064	2876	svchost.exe	40
PID 2876 wrote to memory of 2064	2876	svchost.exe	40
PID 2876 wrote to memory of 2064	2876	svchost.exe	40
PID 2876 wrote to memory of 2064	2876	svchost.exe	40
PID 2876 wrote to memory of 1800	2876	svchost.exe	43
PID 2876 wrote to memory of 1800	2876	svchost.exe	43
PID 2876 wrote to memory of 1800	2876	svchost.exe	43
PID 2876 wrote to memory of 1800	2876	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\SpoofX.exe
"C:\Users\Admin\AppData\Local\Temp\SpoofX.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- \??\c:\users\admin\appdata\local\temp\spoofx.exe
  c:\users\admin\appdata\local\temp\spoofx.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2788
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:43 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:44 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:45 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1800
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\spoofx.exe

Filesize
2.8MB

MD5
e6acb564763adbc0c7af1e7c1de314a3

SHA1
77c5fde92d723c2b0c47b27a6559ee461a9079aa

SHA256
be477d54367117c635c42cd3d360996a15fc3c1ad264238c25b179d9070396d2

SHA512
764703f25556bf50ac19bc648d3246f90fc6055ef1340517144758b5028a4a135855035dfe91a30fdbb7ab9aabf0eb5f4fe65cff12348a6c887b36b3bf67c1cb

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
9d784d1b70d22a7fad8328ea7a417c0a

SHA1
42ed0f6ee5cccb4df948f0ed07973fa8bd876da6

SHA256
aa0a36ede6c2e2e5c49a3843aebc88b3aa3e8f2e4a1415dcd96cc566e0a936dd

SHA512
d9db7bf42efb8485726ab8036322c6a095a0a8147aa7f2ff2994706df9ab3c999531b5cb2826a57a810e9c674800f36c7c41d6bbce3d59d8d586f5f199c0c250

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
bb5c74fe047e063455fd82211aeb86f5

SHA1
e62545fa23913c20c8f365ef8654189ee03d2b79

SHA256
13e727a78869653195db6645679146cdb19614d35b8bda5b8cea961d6b9ebed7

SHA512
521cd6a4f42bf3ddab85c131e7952d4c36f8e610c811b4f0f7fb7da7894324cc4bfba6dcca7a471f05d2c768e4561e5d303c2bae991d424e51057540419841e2

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d4bd692e9ec589210189592be6562b0a

SHA1
13381aba597e20fcdaf453394836ae160a48a1ca

SHA256
7afb6ea8dd7d28755768acb44e453739219cbf7cd1ed69626b28ab213041d52c

SHA512
b181bc5417810eccd6d98bf47fda25d50348e4219e19051886090121cdefd1d6e93be8e91fe70c694f67d3fa0b25630d534b418ed43ef7d99ce910c18fdfc543

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
807b2ee0977bd1db66001c9077d96687

SHA1
63cef6f00637250f8a796e4f858610b98a4a9f59

SHA256
ebd37b095536a5ddcc7ad5fc919a92fa54896594e4cbd5f51c25cce43f7ff19c

SHA512
27b9c231bd7b114a7ee941349cc4530789502d4a596412b05fc8378982d880a6ace6cd74695f4303cea563c3406c562f70697dddb11efdfdb71096c90b7d2e7f

Download Submit
memory/2124-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-23-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/2748-11-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/2748-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-51-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2876-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download