Overview

Report tabs (score shown on each tab; "-" where the tab carries none):

  Tab / sample            Platform             Score
  Overview                -                    10
  Static                  -                    10
  AQUA PREMIUM (1).rar    windows7-x64         7
  AQUA PREMIUM (1).rar    windows10-2004-x64   1
  AQUA PREMI...of.exe     windows7-x64         7
  AQUA PREMI...of.exe     windows10-2004-x64   8
  ��M̵L�.pyc             windows7-x64         -
  ��M̵L�.pyc             windows10-2004-x64   -
  Respoof.cmd             windows7-x64         1
  Respoof.cmd             windows10-2004-x64   1
  first.reg               windows7-x64         1
  first.reg               windows10-2004-x64   1

Analysis

  max time kernel:   45s
  max time network:  47s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         24-12-2024 09:03
Behavioral tasks

  Task           Sample                   Resource
  behavioral1    AQUA PREMIUM (1).rar     win7-20241023-en
  behavioral2    AQUA PREMIUM (1).rar     win10v2004-20241007-en
  behavioral3    AQUA PREMIUM Spoof.exe   win7-20240903-en
  behavioral4    AQUA PREMIUM Spoof.exe   win10v2004-20241007-en
  behavioral5    ��M̵L�.pyc              win7-20241010-en
  behavioral6    ��M̵L�.pyc              win10v2004-20241007-en
  behavioral7    Respoof.cmd              win7-20240903-en
  behavioral8    Respoof.cmd              win10v2004-20241007-en
  behavioral9    first.reg                win7-20240903-en
  behavioral10   first.reg                win10v2004-20241007-en

This page is the report for behavioral7 (Respoof.cmd on win7-20240903-en).
General

  Target:   Respoof.cmd
  Size:     65B (room for little more than the single PowerShell invocation seen in the process tree below)
  MD5:      a64d3a4c1d61344273de4e3f2dd3b652
  SHA1:     245859a286db226f15a0c8c51c9b71f31ea1b79a
  SHA256:   6f4b8912c0f77f2e589e8fed98246680bdd01a442f91729ce15ee812b8f4d50e
  SHA512:   e564799596d11b71590569f8c7b31fe7446cabc2dc6bc423308edf7ad2fcb74cbc621891cc594a6b2ebc8320600d0ca2530e92042477246914c55f369d2856cb
Malware Config

  (none listed)

Signatures

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid    process
    1680   powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid    process
    Token: SeDebugPrivilege   1680   powershell.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                         pid    process   procid_target
    PID 2736 wrote to memory of 1680    2736   cmd.exe   29
    PID 2736 wrote to memory of 1680    2736   cmd.exe   29
    PID 2736 wrote to memory of 1680    2736   cmd.exe   29

All three WriteProcessMemory events are the parent cmd.exe (2736) writing into the powershell.exe child it had just created (1680), which is consistent with ordinary child-process setup rather than injection into a foreign process. The SeDebugPrivilege adjustment is likewise on the PowerShell process itself; the only substantive action in this task is the command it runs, shown in the process tree.
Processes

  1. C:\Windows\system32\cmd.exe  (PID 2736)
     cmd /c "C:\Users\Admin\AppData\Local\Temp\Respoof.cmd"
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1680)
        PowerShell "Disable-MMAgent -MemoryCompression"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  1. C:\Windows\explorer.exe  (PID 2984)
     "C:\Windows\explorer.exe"
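The chain above (cmd.exe running a .cmd from the user's Temp directory, which in turn launches PowerShell to run Disable-MMAgent -MemoryCompression) is a parent/child plus command-line pattern that a detection can key on. The following is an added example and not part of the sandbox report: a small Python detector that walks process-creation records constructed to mirror this report's tree (PIDs and command lines taken from the page), flags PowerShell disabling memory compression, and reports the launching script host and the script it was running. The record field names, the parent PID of the top-level processes, and the benign control record are assumptions.

```python
"""Added example, not part of the sandbox report: flag PowerShell disabling
memory compression (Disable-MMAgent -MemoryCompression) and report which
process launched it, over process-creation records.

The records below are constructed to mirror the report's process tree
(PIDs and command lines from the page); a real feed would be Sysmon Event
ID 1 or the sandbox's process list. Field names and the parent PID of the
top-level processes (0) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process list. explorer.exe and cmd.exe have
# no parent shown on the page, so ppid=0 is an assumption. The last record is
# a benign control (an admin reading the setting interactively) that must
# not fire; its PID 4100 is invented.
SAMPLE_PROCS = [
    Proc(2984, 0, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    Proc(2736, 0, r"C:\Windows\system32\cmd.exe",
         r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Respoof.cmd"'),
    Proc(1680, 2736, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         'PowerShell "Disable-MMAgent -MemoryCompression"'),
    Proc(4100, 2984, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoProfile Get-MMAgent"),
]

# PowerShell cmdlet names and switches are case-insensitive, and the report
# shows the launcher spelled "PowerShell", so match case-insensitively.
MMAGENT_TAMPER = re.compile(r"disable-mmagent\b.*-memorycompression", re.IGNORECASE)
# First .cmd/.bat argument on a script host's command line, quoted or not.
SCRIPT_ARG = re.compile(r'"?([^"\s]+\.(?:cmd|bat))"?', re.IGNORECASE)
SHELLS = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mmagent_tamper(procs):
    """Return one dict per PowerShell process whose command line disables
    memory compression: pid, ppid, parent image name and, when the parent is
    a script host, the script it was running (None if not visible)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if basename(p.image) not in SHELLS or not MMAGENT_TAMPER.search(p.cmdline):
            continue
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else "unknown"
        script = None
        if parent_name in SCRIPT_HOSTS:
            m = SCRIPT_ARG.search(parent.cmdline)
            script = m.group(1) if m else None
        hits.append({"pid": p.pid, "ppid": p.ppid,
                     "parent": parent_name, "script": script})
    return hits


if __name__ == "__main__":
    for h in find_mmagent_tamper(SAMPLE_PROCS):
        print(f"PID {h['pid']} (parent {h['parent']}, PID {h['ppid']}) "
              f"ran Disable-MMAgent -MemoryCompression; script: {h['script']}")
```

Run against the constructed records it reports exactly one hit, PID 1680 launched by cmd.exe (2736) running C:\Users\Admin\AppData\Local\Temp\Respoof.cmd, and ignores the interactive Get-MMAgent control. On a Windows 10 host the current state can be checked with Get-MMAgent (MemoryCompression field) and restored with Enable-MMAgent -MemoryCompression; both are cmdlets of the built-in MMAgent module.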