Analysis
-
max time kernel
50s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
30-06-2024 17:05
General
-
Target
SpyderCrypter.exe
-
Size
4.8MB
-
MD5
b3fb79184d1097420fb68b0240df9660
-
SHA1
60fcb2b85867b247bb5c622f121e4ab208c7da9c
-
SHA256
8babb9a5318d0b2fa43d6c18e91a23a70de547243db91f866e50bb2ff1b7db8b
-
SHA512
130ecef6b8d4418784dafa341277b214693c0d1849e6cf04a87193eb413b3ae0cef7eeb3124494a8bca33ffb2d1b27f875adeadbae1aea3d2ff767710471807e
-
SSDEEP
98304:FYh322d2m5YhkvxW/gGfoq8Np9qAX7z3z9CW6dwFdkyRYq/:FYhGy2tqvpoT8NvzJTp/
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe"C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe"C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C computerdefaults.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ComputerDefaults.execomputerdefaults.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 22723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD58c9bad84a35d7dc762ba1ae096d58dde
SHA1c511d10f0870e695e6b8c4baab6a6222d8719760
SHA256664313e52458dac6690d56f35ff0de85c9153a67b605e71453933a4532b3c1b0
SHA512c1bc5599d679c3a0bdd5c50a8893951782d3d03404b47f4495c35c72b07c0168d12c1619c76a2e72ace28ad57c7302fc27c873ee602bb5c5828505b84a9c1dcc
-
C:\Users\Admin\AppData\Local\Temp\SpyderResources.exeFilesize
11KB
MD5cc132ca7e1cf77db1a3e737260fcf14b
SHA1f6058656d44e95c23071251b278bc779a88083da
SHA2564c62d4e150f91dc3fdd1f29c955763c52f357045b1a2edf98ac272631dfdb210
SHA51252e64fdf7acf08525ddb352b0dd0b6ca3df8d8f13fa09dcd31c270c4e2040f2361c04ba56915cd05539f581df712562537239fbc942131cc725502af6d010fee
-
C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbsFilesize
171B
MD5a34267102c21aff46aecc85598924544
SHA177268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA5125d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3
-
memory/3612-40-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/3612-31-0x0000000004CC0000-0x0000000004CDA000-memory.dmpFilesize
104KB
-
memory/3612-39-0x000000000BBE0000-0x000000000D123000-memory.dmpFilesize
21.3MB
-
memory/3612-32-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/3612-33-0x0000000000EA0000-0x0000000000EAA000-memory.dmpFilesize
40KB
-
memory/3612-30-0x00000000002F0000-0x00000000002FA000-memory.dmpFilesize
40KB
-
memory/3612-34-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-12-0x0000000000750000-0x000000000115C000-memory.dmpFilesize
10.0MB
-
memory/4880-35-0x0000000000750000-0x000000000115C000-memory.dmpFilesize
10.0MB
-
memory/4880-11-0x0000000000750000-0x000000000115C000-memory.dmpFilesize
10.0MB
-
memory/4880-15-0x0000000005B70000-0x0000000005B7A000-memory.dmpFilesize
40KB
-
memory/4880-16-0x0000000006770000-0x0000000006984000-memory.dmpFilesize
2.1MB
-
memory/4880-17-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-18-0x00000000071A0000-0x0000000007250000-memory.dmpFilesize
704KB
-
memory/4880-2-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-7-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-8-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-4-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-14-0x0000000005CB0000-0x0000000005D42000-memory.dmpFilesize
584KB
-
memory/4880-5-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-13-0x00000000061C0000-0x0000000006764000-memory.dmpFilesize
5.6MB
-
memory/4880-3-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-38-0x0000000075870000-0x0000000075871000-memory.dmpFilesize
4KB
-
memory/4880-6-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-0-0x0000000000750000-0x000000000115C000-memory.dmpFilesize
10.0MB
-
memory/4880-42-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-43-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-44-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-47-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-46-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-45-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-49-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-50-0x0000000075850000-0x0000000075940000-memory.dmpFilesize
960KB
-
memory/4880-1-0x0000000075870000-0x0000000075871000-memory.dmpFilesize
4KB