20e67cabd1880e55430b1d008e96534d81b65bf6b90125cc171a4994754f8e33

General

Target

SpyNet.exe
Size

1.9MB
MD5

5c664bb7c9e941ce733578c523fde300
SHA1

4c4d79c0c10280584a87cbe08d88654b0dc3f9be
SHA256

2af2016b07434db1f0571a5116fcd97228ee7c1e9d86a17ad3806e0f163b79f0
SHA512

0be11b4c2da13e46a2634d4912eb0132cdc64b4d32fed230e0f663de0431f5a115b571925baa842b2b43dc220e1a0a6e4f5af6b77fe72bd22f4e480dbfc13406
SSDEEP

49152:h5ykdSag7jT4PCSfjb75AVXUXdXAygTlOuBRiyAiK:h5yQE2Lb7qIAdx5BJAV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	SpyNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	SpyNet.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SpyNet.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe
4880	SpyNet.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 5276	4880	SpyNet.exe	83
PID 4880 wrote to memory of 5276	4880	SpyNet.exe	83
PID 4880 wrote to memory of 5276	4880	SpyNet.exe	83

C:\Users\Admin\AppData\Local\Temp\SpyNet.exe
"C:\Users\Admin\AppData\Local\Temp\SpyNet.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IP.txt

Filesize
134KB

MD5
d7870b5bb20a5a1a644694029776eb08

SHA1
5878d567f5dcf515bfe50560053ad0a211080685

SHA256
505f00b360ada90a8fdc8bbcb327f70ab15c3f112328a8e559dc6b49e96eac3c

SHA512
ba4f491f0c61c3b07fd8bd79e6d56510bbc98e2ec244e52d675589051ddff1a4211dd50af9b027b69473ecbb18db5333ef0a96d7af6d2c8754c310fbaa12162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Language\Default.ini

Filesize
12KB

MD5
97ca0e8da3fc6cdc3b9b577b38062e48

SHA1
2db8d25349044b3fca05652327255b1eb714e487

SHA256
898cf89326b21792bd948919aacb6cc8ef3221e26d5b6823c9c4c3bf71900ec8

SHA512
e821a83fffbf2a35fb662ca0f540c28a5c6bbc0970d4e36a864ca9cd416e54c0281b09ca5f5ef4fe43a4cc6b705f9ab2b80b07488332395e0adf6e96fa17ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings\Settings.ini

Filesize
1KB

MD5
a3736344320ee4c395fd3282a70b96f0

SHA1
72987bdb665a7f01578a98aaf4ffe63082d59043

SHA256
c5cdcac30d6a42779237d84b3e10956bf3ce0dff5d7af6628402ee8d68a42b54

SHA512
437dd23cb52a2464f8bc35c2479e3205f86e83542933a27caeb3e2dcb8382543ec9b9d8ee9412df7a4ee7712557d8ea57d196b59b73c0fca9fef6119b385c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.vbs

Filesize
841B

MD5
615964e5ab63a70f0e205a476c48e356

SHA1
292620321db69d57ba23fa98d2a89484ddcf83d0

SHA256
38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

SHA512
69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

Download Submit
memory/4880-1071-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1073-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1061-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4880-1069-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4880-1068-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1070-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/4880-0-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1072-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-3-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/4880-1074-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1075-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1076-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1077-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1078-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1079-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1080-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1081-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1082-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1083-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads