10a117befd88193d2c0d714b8d67c6583b1322e978e7eda4c8db9e40405a5d80

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SparkClicker.zip
Size

6.8MB
MD5

a67d2dc8147f549be624d81f75438efe
SHA1

7dc0de0e35ed9ca838d3dfb653d16719a0c16ff8
SHA256

10a117befd88193d2c0d714b8d67c6583b1322e978e7eda4c8db9e40405a5d80
SHA512

0c24142e08dcf3da81400ac39998ae642e241fe2439700142919cde06c6b6617448bb119d6b97bd33c15b5dcfb06d9331233b9fef332a820b5ec3f889e36a672
SSDEEP

98304:zWlTCuzoPwnYMdelKwhTiJJQQhC1PS61qEMqzy+XzfB0CeR43DvgtsveIVlSBWl9:GTCq1GUJec61BMqbp0Ch3ZeI2bQHLFvd

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2700-41-0x0000000140000000-0x0000000140B74000-memory.dmp	vmprotect
behavioral1/memory/2700-45-0x0000000140000000-0x0000000140B74000-memory.dmp	vmprotect
behavioral1/memory/2700-47-0x0000000140000000-0x0000000140B74000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Spark Clicker.exeSpark Clicker.exeSpark Clicker.exeSpark Clicker.exe

pid process

2700 Spark Clicker.exe
268 Spark Clicker.exe
1276 Spark Clicker.exe
1592 Spark Clicker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Spark Clicker.exeSpark Clicker.exe

pid	process
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
2700	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe
268	Spark Clicker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Spark Clicker.exeSpark Clicker.exeSpark Clicker.exeSpark Clicker.exe

description	pid	process
Token: SeSecurityPrivilege	2700	Spark Clicker.exe
Token: SeDebugPrivilege	2700	Spark Clicker.exe
Token: SeSecurityPrivilege	268	Spark Clicker.exe
Token: SeDebugPrivilege	268	Spark Clicker.exe
Token: SeSecurityPrivilege	1276	Spark Clicker.exe
Token: SeDebugPrivilege	1276	Spark Clicker.exe
Token: SeSecurityPrivilege	1592	Spark Clicker.exe
Token: SeDebugPrivilege	1592	Spark Clicker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SparkCrack.exeSparkCrack.exe

description	pid	process	target process
PID 600 wrote to memory of 1276	600	SparkCrack.exe	Spark Clicker.exe
PID 600 wrote to memory of 1276	600	SparkCrack.exe	Spark Clicker.exe
PID 600 wrote to memory of 1276	600	SparkCrack.exe	Spark Clicker.exe
PID 600 wrote to memory of 1276	600	SparkCrack.exe	Spark Clicker.exe
PID 1108 wrote to memory of 1592	1108	SparkCrack.exe	Spark Clicker.exe
PID 1108 wrote to memory of 1592	1108	SparkCrack.exe	Spark Clicker.exe
PID 1108 wrote to memory of 1592	1108	SparkCrack.exe	Spark Clicker.exe
PID 1108 wrote to memory of 1592	1108	SparkCrack.exe	Spark Clicker.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SparkClicker.zip
1⤵
PID:2000

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2800

C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe
"C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe
"C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Users\Admin\Documents\SparkClicker\SparkCrack.exe
"C:\Users\Admin\Documents\SparkClicker\SparkCrack.exe"
1⤵
PID:1892

C:\Users\Admin\Documents\SparkClicker\SparkCrack.exe
"C:\Users\Admin\Documents\SparkClicker\SparkCrack.exe" "C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe
"C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\Documents\SparkClicker\SparkCrack.exe
"C:\Users\Admin\Documents\SparkClicker\SparkCrack.exe" "C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe
"C:\Users\Admin\Documents\SparkClicker\Spark Clicker.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-0-0x0000000140164000-0x000000014054D000-memory.dmp

Filesize
3.9MB

Download
memory/2700-1-0x0000000077340000-0x0000000077342000-memory.dmp

Filesize
8KB

Download
memory/2700-5-0x0000000077340000-0x0000000077342000-memory.dmp

Filesize
8KB

Download
memory/2700-6-0x0000000077360000-0x0000000077362000-memory.dmp

Filesize
8KB

Download
memory/2700-8-0x0000000077360000-0x0000000077362000-memory.dmp

Filesize
8KB

Download
memory/2700-3-0x0000000077340000-0x0000000077342000-memory.dmp

Filesize
8KB

Download
memory/2700-10-0x0000000077360000-0x0000000077362000-memory.dmp

Filesize
8KB

Download
memory/2700-11-0x0000000077370000-0x0000000077372000-memory.dmp

Filesize
8KB

Download
memory/2700-15-0x0000000077370000-0x0000000077372000-memory.dmp

Filesize
8KB

Download
memory/2700-13-0x0000000077370000-0x0000000077372000-memory.dmp

Filesize
8KB

Download
memory/2700-23-0x000007FEFD340000-0x000007FEFD342000-memory.dmp

Filesize
8KB

Download
memory/2700-20-0x0000000077380000-0x0000000077382000-memory.dmp

Filesize
8KB

Download
memory/2700-18-0x0000000077380000-0x0000000077382000-memory.dmp

Filesize
8KB

Download
memory/2700-25-0x000007FEFD340000-0x000007FEFD342000-memory.dmp

Filesize
8KB

Download
memory/2700-16-0x0000000077380000-0x0000000077382000-memory.dmp

Filesize
8KB

Download
memory/2700-28-0x000007FEFD350000-0x000007FEFD352000-memory.dmp

Filesize
8KB

Download
memory/2700-30-0x000007FEFD350000-0x000007FEFD352000-memory.dmp

Filesize
8KB

Download
memory/2700-40-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/2700-38-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/2700-36-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/2700-35-0x0000000077390000-0x0000000077392000-memory.dmp

Filesize
8KB

Download
memory/2700-33-0x0000000077390000-0x0000000077392000-memory.dmp

Filesize
8KB

Download
memory/2700-31-0x0000000077390000-0x0000000077392000-memory.dmp

Filesize
8KB

Download
memory/2700-41-0x0000000140000000-0x0000000140B74000-memory.dmp

Filesize
11.5MB

Download
memory/2700-45-0x0000000140000000-0x0000000140B74000-memory.dmp

Filesize
11.5MB

Download
memory/2700-46-0x0000000140164000-0x000000014054D000-memory.dmp

Filesize
3.9MB

Download
memory/2700-47-0x0000000140000000-0x0000000140B74000-memory.dmp

Filesize
11.5MB

Download