71ce71735aa47a3b1d17e1b6639aaf6213b4c284243ad5ae7bb36fa1c5c9975f

Analysis

max time kernel
149s
max time network
128s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyNote_v6.4/SpyNote.exe
Size

6.7MB
MD5

d9265f1d01fe8cfde1b241886e834a8c
SHA1

a5f29b1c2a6f981c246976de1ba7e053841aa562
SHA256

53f32f6ed5e1fbd5f5a29f83ab0eebc385f693824544fa4664242c91c7d9f1bf
SHA512

59fc93e2ba15e8c901216dd2108ddfc3f1b7fa954ba0cc903d684aa4a2353b295c7e5c9f8f20e744de743cff436fee5fd0e96ba1f156a0a681a275f20af85e6b
SSDEEP

196608:2dHPY7vsZ+oa4DuuyrMi8VKe+PMfw7k2c4PAVv1sUpr:+vfZ+IaLM9we+P2myds

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpyNote.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyNote.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SpyNote.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe
4324	SpyNote.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4324	SpyNote.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	SpyNote.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4324	SpyNote.exe

C:\Users\Admin\AppData\Local\Temp\SpyNote_v6.4\SpyNote.exe
"C:\Users\Admin\AppData\Local\Temp\SpyNote_v6.4\SpyNote.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1852

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9cea0e0c-0c0a-4da7-82a2-9984815cacad.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/4324-12-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-5-0x000000000B0C0000-0x000000000B666000-memory.dmp

Filesize
5.6MB

Download
memory/4324-13-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-4-0x000000000A7E0000-0x000000000A908000-memory.dmp

Filesize
1.2MB

Download
memory/4324-14-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-6-0x000000000ABB0000-0x000000000AC42000-memory.dmp

Filesize
584KB

Download
memory/4324-7-0x000000000AB30000-0x000000000AB3A000-memory.dmp

Filesize
40KB

Download
memory/4324-15-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-9-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-11-0x00000000FEFF0000-0x00000000FF3C1000-memory.dmp

Filesize
3.8MB

Download
memory/4324-10-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-0-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-3-0x000000000A740000-0x000000000A7DC000-memory.dmp

Filesize
624KB

Download
memory/4324-2-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-8-0x000000000AC50000-0x000000000ACA6000-memory.dmp

Filesize
344KB

Download
memory/4324-16-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-21-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-22-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-23-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-24-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-25-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-1-0x00000000FEFF0000-0x00000000FF3C1000-memory.dmp

Filesize
3.8MB

Download
memory/4324-32-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-34-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download
memory/4324-35-0x00000000004E0000-0x0000000001FF0000-memory.dmp

Filesize
27.1MB

Download