Overview

overview

8

Static

static

3

frog/D3DX9_43.dll

windows11-21h2-x64

1

frog/Frog ...1).exe

windows11-21h2-x64

8

Resubmissions

10/03/2025, 16:32

250310-t1813s1xcy 8

10/03/2025, 16:28

250310-tyrzsa1ly8 10

Analysis

  • max time kernel
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/03/2025, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    frog/Frog Spoofer (1).exe

  • Size

    2.7MB

  • MD5

    e001605fa695282a2d3170d8d9e956c9

  • SHA1

    4544155daae0335ada1d05a509e43b8c0434ffc8

  • SHA256

    003dc05c74dedfb83f73982173d2ed293a84a2af8a7ef8b6e6ff928119859a2e

  • SHA512

    11642791791255eea62db5b5058e651329d9b537cc9ffd734702b5bf5207351ecc3bbdb3499acb3dc43e7937da8efd9e23b1e1ccfaa6a077bd747a40926d40d6

  • SSDEEP

    49152:wy8J1anDS2TFQTnQT2QT9QT1QTXCbAAKrqgvWAtY3o41MBXcOz5dD:CxYw1aCkX23o41MBXc4D

Score
8/10
defense_evasionexecution

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\frog\Frog Spoofer (1).exe
    "C:\Users\Admin\AppData\Local\Temp\frog\Frog Spoofer (1).exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerUI.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerSvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:32
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:1868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3444
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads