a267fb3c7bf28403c6ba48ef5d69cd4ffb80a16ff5cfb4884dbae4fa25ef9517

Analysis

max time kernel
432s
max time network
451s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyNoteX_U.rar
Size

198.2MB
MD5

a9199153c0aa419f2623285fe10c79c1
SHA1

4f938082eda7c09c6ce21f0ea192c346fbca4616
SHA256

a267fb3c7bf28403c6ba48ef5d69cd4ffb80a16ff5cfb4884dbae4fa25ef9517
SHA512

6f6060fd226a72c018bfcb827a574b9ec7a21cc6ac161337f62fb4ca3a315b866c436ebde1aa4a63d691f6229a2d1187396bcb3e6c7006df97d7a36f87a14191
SSDEEP

6291456:bRJU7Yb4ixaLrYIsoLC2K3vLlNubgiVXdk1DAMOqQ:bHU7Yb4TMMoXuMvBXOl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3388	SpyNote.exe
4416	SpyNote.exe
4492	SpyNote.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2952	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2952	7zFM.exe
Token: 35	2952	7zFM.exe
Token: SeSecurityPrivilege	2952	7zFM.exe
Token: SeRestorePrivilege	4564	7zG.exe
Token: 35	4564	7zG.exe
Token: SeSecurityPrivilege	4564	7zG.exe
Token: SeSecurityPrivilege	4564	7zG.exe
Token: SeSecurityPrivilege	2952	7zFM.exe
Token: SeSecurityPrivilege	2952	7zFM.exe
Token: SeRestorePrivilege	2204	7zG.exe
Token: 35	2204	7zG.exe
Token: SeSecurityPrivilege	2204	7zG.exe
Token: SeSecurityPrivilege	2204	7zG.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2952	7zFM.exe
2952	7zFM.exe
4564	7zG.exe
2952	7zFM.exe
2952	7zFM.exe
2952	7zFM.exe
2204	7zG.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3388	SpyNote.exe
3388	SpyNote.exe
4416	SpyNote.exe
4416	SpyNote.exe
4492	SpyNote.exe
4492	SpyNote.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SpyNoteX_U.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\" -spe -an -ai#7zMap26888:100:7zEvent2371
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4564

C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\SpyNote.exe
"C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\SpyNote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\Password.txt
1⤵
PID:4028

C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\SpyNote.exe
"C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\SpyNote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\" -ad -an -ai#7zMap3061:100:7zEvent9350
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2204

C:\Users\Admin\Desktop\SpyNote.exe
"C:\Users\Admin\Desktop\SpyNote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\._cache_SpyNoteX_Unpacked.exe

Filesize
669KB

MD5
ed5d7959aba470056673dc2bcb8c846c

SHA1
2433ca935c2c53d96838b9b12a45a6704ce16f8c

SHA256
9d0c0ba0fc489668c0261c4749cef554fa5929008444a80a0599bdb005f1141c

SHA512
f0746c7320b6ef9297b884d5d9659fadeea2376f863fc827c50a2e7b3ea5b9a1dc00e93ebf24a97d458ee3bd95e720685c998d7f615be0cb42fc80e77110f87a

Download Submit
C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\._cache_payload.exe

Filesize
146KB

MD5
33ea72f4cec1a8e447b32a6c175e5712

SHA1
01122ecd46af42eb75f5c34ebe9d115862ca4af8

SHA256
6a2a7206e7c76c9a92f9994660986347308919301dbe172d500f950027200261

SHA512
66952c02bc131b4e919582b5f4a9ec0493ee32539012e4b7a2ddafa1fc0200f0d1f171bffc01fbc350cb98509220a72138806f2dc138a24b86f9d3fcf4776051

Download Submit
C:\Users\Admin\Desktop\SpyNoteX U\SpyNoteX U\SpyNoteX Unpacked\SpyNote\Password.txt

Filesize
18B

MD5
b6ce586d5cb92ad00f46923ce5263a52

SHA1
bf114989fe5c181ad1bb5b590be1e0b85bb5e808

SHA256
2079244811531293a5117b8924a53bf731721c6644f988f5132fa038cf857cb4

SHA512
3a66eb140fba06fad68739a183ee949354bf84c3f6569d9b9b993c1e1e0db414127c9b14d2b4a13b5c264098d19008f6990cf95e663d195075a25dc1e09f9ca1

Download Submit