Analysis
- max time kernel: 32s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 19:44
Behavioral task behavioral1
- Sample: Spy-Net v2.6/Spy-Net v2.6/SpyNet.exe
- Resource: win10v2004-20240508-en
Behavioral task behavioral2
- Sample: Spy-Net v2.6/Spy-Net v2.6/server.exe
- Resource: win10v2004-20240508-en
Behavioral task behavioral3
- Sample: Spy-Net v2.6/Spy-Net v2.6/sqlite3.dll
- Resource: win10v2004-20240508-en
General
- Target: Spy-Net v2.6/Spy-Net v2.6/SpyNet.exe
- Size: 2.0MB
- MD5: 98de7bcad1ba2caf74007bd97bc2b505
- SHA1: 8a79d06159a339313b810f23835b8417429dd356
- SHA256: e4b3b3e72bd3bf4052a3136cb811ea54923bc2d7807709992e0345743d49ced8
- SHA512: ef57cc4f0ad4bf1f54baaf7213bf868c418eebfb0eee3c32ff376b67d5d5337c35a94a1418951d82aae371820ce37eade7cf0a74ce54a4198e18327bd232a35d
- SSDEEP: 49152:GhwHJZqdp7orGOA0jhE6wSZCTIzY7wXSxQ5E+X6Oftn/Z9s0K:GhwHJZUp7orG90NE6KIM7wXr5EI6OR/7
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    SpyNet.exe: Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
- YARA rule match: upx (4 IoCs)
  Resources matched by the upx rule:
    behavioral1/memory/4632-0-0x0000000000400000-0x0000000000957000-memory.dmp
    behavioral1/memory/4632-1009-0x0000000000400000-0x0000000000957000-memory.dmp
    behavioral1/memory/4632-1010-0x0000000000400000-0x0000000000957000-memory.dmp
    behavioral1/memory/4632-1013-0x0000000000400000-0x0000000000957000-memory.dmp
  All four hits are on the SpyNet.exe image (0x400000-0x957000); a 2.0MB file mapping to a 5.3MB image is consistent with a UPX-packed executable that has unpacked itself in memory.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    SpyNet.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom
    SpyNet.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002
    SpyNet.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom
    SpyNet.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000
    SpyNet.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags
    SpyNet.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
    SpyNet.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags
    SpyNet.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
  The device-instance key names themselves carry the vendor and product strings a VM-aware sample compares against: the optical drives here identify as Ven_QEMU/Prod_QEMU_DVD-ROM and Ven_Msft/Prod_Virtual_DVD-ROM, while the disk identifies as Ven_DADY/Prod_HARDDISK, a vendor string that gives no hypervisor away.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    SpyNet.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    SpyNet.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 4632 SpyNet.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes:
    PID 4632 SpyNet.exe (6 occurrences)
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes:
    PID 4632 SpyNet.exe (6 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 4632 SpyNet.exe wrote to memory of PID 2336 cscript.exe (3 occurrences)
  Three writes from a parent into a child it has just spawned are also what ordinary process creation looks like, so this signature on its own does not establish injection into cscript.exe.
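The three registry-based checks above (Geo\Nation, Enum\SCSI, CentralProcessor\0\ProcessorNameString) can be triaged mechanically. The following Python is an added example written for this page, not code from the sandbox or from Spy-Net: it parses the report's "Key opened" / "Key value queried" lines (copied below as constructed sample input), buckets each access by the evasion check it serves, and extracts the vendor/product strings from the SCSI device-instance key names so the hypervisor tells (QEMU, Msft Virtual DVD-ROM) stand out. The category names, the VM_MARKERS list and the function names are this example's own assumptions.

```python
"""Triage registry-IoC classifier (added example; not code from the sandbox
report or from Spy-Net). Parses "Key opened" / "Key value queried" lines as the
report prints them, buckets each access by the evasion check it belongs to,
and extracts vendor/product strings from SCSI device-instance key names."""
import re
from collections import Counter

# Sample input constructed from the registry IoCs listed in the report.
SAMPLE_IOCS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
]

IOC_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S.*)$")
# Device-instance key names under Enum\SCSI look like Class&Ven_X&Prod_Y[&Rev_Z]
SCSI_ID_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)", re.IGNORECASE)
# Vendor/product substrings that give a hypervisor away (this example's own list).
VM_MARKERS = ("QEMU", "VMWARE", "VBOX", "VIRTUAL", "XEN", "HYPER-V")


def classify(path: str) -> str:
    """Map a registry path to the evasion check it serves (category names are ours)."""
    p = path.upper()
    if "\\CONTROL PANEL\\INTERNATIONAL\\GEO\\" in p:
        return "geofence"
    if "\\ENUM\\SCSI\\" in p:
        return "scsi_enum"
    if "\\CENTRALPROCESSOR\\" in p:
        return "cpu_info"
    return "other"


def parse_ioc(line: str):
    """Return {'op', 'path', 'category'} for a report line, or None if it is not a registry IoC."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    op, path = m.groups()
    return {"op": op, "path": path, "category": classify(path)}


def scsi_identity(path: str):
    """Split 'CdRom&Ven_Msft&Prod_Virtual_DVD-ROM' into (class, vendor, product)."""
    m = SCSI_ID_RE.search(path)
    if not m:
        return None
    parts = m.group(1).split("&")
    vendor = product = ""
    for part in parts[1:]:
        if part.upper().startswith("VEN_"):
            vendor = part[4:]
        elif part.upper().startswith("PROD_"):
            product = part[5:]
    return parts[0], vendor, product


def vm_indicators(iocs):
    """Distinct (class, vendor, product) triples whose strings contain a hypervisor marker."""
    found = set()
    for ioc in iocs:
        ident = scsi_identity(ioc["path"])
        if ident is None:
            continue
        dev_class, vendor, product = (s.upper() for s in ident)
        if any(marker in vendor or marker in product for marker in VM_MARKERS):
            found.add((dev_class, vendor, product))
    return sorted(found)


def summarize(lines):
    """Count accesses per category and list the hypervisor tells the sample could read."""
    iocs = [ioc for ioc in map(parse_ioc, lines) if ioc]
    counts = Counter(ioc["category"] for ioc in iocs)
    return {"counts": dict(counts), "vm_indicators": vm_indicators(iocs)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_IOCS).items():
        print(f"{key}: {value}")
```

On the report's lines this yields one geofence access, three SCSI accesses and two CPU accesses, and flags the two optical drives (Msft Virtual DVD-ROM and QEMU DVD-ROM) as the strings that betray the hypervisor; the Ven_DADY disk passes clean, which is exactly the asymmetry a sandbox operator would want to close.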
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Spy-Net v2.6\Spy-Net v2.6\SpyNet.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Spy-Net v2.6\Spy-Net v2.6\SpyNet.exe"
   - Checks computer location settings
   - Checks SCSI registry key(s)
   - Checks processor information in registry
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cscript.exe
      Command line: "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
      The command line names system32 but the image runs from SysWOW64: SpyNet.exe is a 32-bit process, so WOW64 file-system redirection maps its request for system32\cscript.exe to the 32-bit copy.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Spy-Net v2.6\Spy-Net v2.6\Language\Default.ini
  Filesize: 14KB
  MD5: ee9826fd3883b9756896baed5d076cc6
  SHA1: d1c829cabcb967410e03489723d9e51b9549d6f6
  SHA256: e06ff3e2b4cf78d6147d00dbfd00066751d1d6680b3dd672e861574741a894d9
  SHA512: 404cfe3632fc3614a0e686504a2edcdf984aab20afc8fc4c7785d76bd52bf466078e756838c2ce5350439ad128756e55e1c3b12f3badd70fba8e74d171a05538
- C:\Users\Admin\AppData\Local\Temp\teste.txt
  Filesize: 2B
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
- C:\Users\Admin\AppData\Local\Temp\teste.vbs
  Filesize: 841B
  MD5: 615964e5ab63a70f0e205a476c48e356
  SHA1: 292620321db69d57ba23fa98d2a89484ddcf83d0
  SHA256: 38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102
  SHA512: 69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc
- memory/4632-1-0x0000000000C70000-0x0000000000C71000-memory.dmp
  Filesize: 4KB
- memory/4632-0-0x0000000000400000-0x0000000000957000-memory.dmp
  Filesize: 5.3MB
- memory/4632-3-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
  Filesize: 4KB
- memory/4632-1009-0x0000000000400000-0x0000000000957000-memory.dmp
  Filesize: 5.3MB
- memory/4632-1011-0x0000000000C70000-0x0000000000C71000-memory.dmp
  Filesize: 4KB
- memory/4632-1010-0x0000000000400000-0x0000000000957000-memory.dmp
  Filesize: 5.3MB
- memory/4632-1012-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
  Filesize: 4KB
- memory/4632-1013-0x0000000000400000-0x0000000000957000-memory.dmp
  Filesize: 5.3MB