b2e8dbdaf60dbf348e715a5643a767cbd5eeabd0699988eedc78eb80595d0f5d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpoofX.exe
Size

2.9MB
MD5

bafe98fde65f7b51b1f2a1dbc62a6c88
SHA1

1bf16c146dedf6bb2e6a272abb8c9883525a9649
SHA256

b2e8dbdaf60dbf348e715a5643a767cbd5eeabd0699988eedc78eb80595d0f5d
SHA512

9219fef6ec1438964d5aa7c1813f852ce581491025d7e9448095ca4416de951f4fc68361c2bc5460154407f4aca4a4270ed5b72b3d3c5c98df1815405de97765
SSDEEP

49152:ttGrOk4cHGD8Y9f3/QKYQ+C4ykOdSmssUnlKn2jybt:UOxc6GNM1M+

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
720	spoofx.exe
748	icsys.icn.exe
4892	explorer.exe
3936	spoolsv.exe
1816	svchost.exe
860	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SpoofX.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpoofX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
3264	SpoofX.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4892	explorer.exe
1816	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3264	SpoofX.exe
3264	SpoofX.exe
748	icsys.icn.exe
748	icsys.icn.exe
4892	explorer.exe
4892	explorer.exe
3936	spoolsv.exe
3936	spoolsv.exe
1816	svchost.exe
1816	svchost.exe
860	spoolsv.exe
860	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 720	3264	SpoofX.exe	82
PID 3264 wrote to memory of 720	3264	SpoofX.exe	82
PID 3264 wrote to memory of 748	3264	SpoofX.exe	83
PID 3264 wrote to memory of 748	3264	SpoofX.exe	83
PID 3264 wrote to memory of 748	3264	SpoofX.exe	83
PID 748 wrote to memory of 4892	748	icsys.icn.exe	84
PID 748 wrote to memory of 4892	748	icsys.icn.exe	84
PID 748 wrote to memory of 4892	748	icsys.icn.exe	84
PID 4892 wrote to memory of 3936	4892	explorer.exe	85
PID 4892 wrote to memory of 3936	4892	explorer.exe	85
PID 4892 wrote to memory of 3936	4892	explorer.exe	85
PID 3936 wrote to memory of 1816	3936	spoolsv.exe	86
PID 3936 wrote to memory of 1816	3936	spoolsv.exe	86
PID 3936 wrote to memory of 1816	3936	spoolsv.exe	86
PID 1816 wrote to memory of 860	1816	svchost.exe	87
PID 1816 wrote to memory of 860	1816	svchost.exe	87
PID 1816 wrote to memory of 860	1816	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\SpoofX.exe
"C:\Users\Admin\AppData\Local\Temp\SpoofX.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264
- \??\c:\users\admin\appdata\local\temp\spoofx.exe
  c:\users\admin\appdata\local\temp\spoofx.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:748
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3936
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\spoofx.exe

Filesize
2.8MB

MD5
e6acb564763adbc0c7af1e7c1de314a3

SHA1
77c5fde92d723c2b0c47b27a6559ee461a9079aa

SHA256
be477d54367117c635c42cd3d360996a15fc3c1ad264238c25b179d9070396d2

SHA512
764703f25556bf50ac19bc648d3246f90fc6055ef1340517144758b5028a4a135855035dfe91a30fdbb7ab9aabf0eb5f4fe65cff12348a6c887b36b3bf67c1cb

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
d24c709f44ad59e5040a33a8b36e87ee

SHA1
b95067de4d9cd6dac16d74035c52848f2d394f23

SHA256
326ee1f64276e0df2965ba0efd0d77021b642d48039c221008e3fdab3ed5245b

SHA512
a0997e4788a2564207c564c02cf8ddebad70327626da3562ce763257d2486710b3daac70da6e9424c154946e1e7d5f4216f13d1b6a2b9deb23d3d2c29a205396

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
bb5c74fe047e063455fd82211aeb86f5

SHA1
e62545fa23913c20c8f365ef8654189ee03d2b79

SHA256
13e727a78869653195db6645679146cdb19614d35b8bda5b8cea961d6b9ebed7

SHA512
521cd6a4f42bf3ddab85c131e7952d4c36f8e610c811b4f0f7fb7da7894324cc4bfba6dcca7a471f05d2c768e4561e5d303c2bae991d424e51057540419841e2

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d02ea687cf81f205f03c81f70e132592

SHA1
5feabbb69b7d44360796ee36868cd7ea74dc054f

SHA256
dafab65e956fb7c1a48120d0c77d9c4e9d43b064dd5598427cbb58df50036c6f

SHA512
f594ee9bbb48a3af21381f51d0c52717272baef882fe3f8771183a6162c5ef16d890fc10d2895777db838aa2f09a5485e7857e89b52ca39f1e4de3a7947afd7a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f563c129ebfee83faa9dcdd998a670aa

SHA1
92beea032e020b118d61120d437eeaa388ecd835

SHA256
a381a20697c67ab77b86d1ec7844b105bd5bef41d78e217f2962744d9b14501b

SHA512
d3978ea7546d62ed99772e751ba96e9139fcb1fa490d41e6ee340fbb9e127caa9dc60bbd856ae39f6de2eb5acb91a894b0107617597187e552508e2136ddb926

Download Submit
memory/748-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3264-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3264-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4892-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4892-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download