Analysis

max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 21:28
Behavioral tasks (task: sample, resource)

behavioral1: Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm, win7-20240729-en
behavioral2: Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm, win10v2004-20240802-en
behavioral3: Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe, win7-20240708-en
behavioral4: Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe, win10v2004-20240802-en
behavioral5: Spoof Instructions/Spoof Toolz/Reg_Script.ps1, win7-20240705-en
behavioral6: Spoof Instructions/Spoof Toolz/Reg_Script.ps1, win10v2004-20240802-en
behavioral7: Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd, win7-20240708-en
behavioral8: Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd, win10v2004-20240802-en
behavioral9: Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe, win7-20240705-en
behavioral10: Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe, win10v2004-20240802-en
behavioral11: Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe, win7-20240704-en
behavioral12: Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe, win10v2004-20240802-en
behavioral13: Spoof Instructions/Toolz/Activate Win10Home.bat, win7-20240708-en
behavioral14: Spoof Instructions/Toolz/Activate Win10Home.bat, win10v2004-20240802-en
behavioral15: Spoof Instructions/Toolz/AnyDesk.exe, win7-20240708-en
behavioral16: Spoof Instructions/Toolz/AnyDesk.exe, win10v2004-20240802-en
behavioral17: Spoof Instructions/Toolz/DNSBench.exe, win7-20240704-en
behavioral18: Spoof Instructions/Toolz/DNSBench.exe, win10v2004-20240802-en
behavioral19: Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs, win7-20240729-en
behavioral20: Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs, win10v2004-20240802-en
behavioral21: Spoof Instructions/Toolz/Defender Control/dControl.exe, win7-20240705-en
behavioral22: Spoof Instructions/Toolz/Defender Control/dControl.exe, win10v2004-20240802-en
behavioral23: Spoof Instructions/Toolz/DelUSBCache.bat, win7-20240704-en
behavioral24: Spoof Instructions/Toolz/DelUSBCache.bat, win10v2004-20240802-en
behavioral25: Spoof Instructions/Toolz/Free Online GUID Generator.url, win7-20240708-en
behavioral26: Spoof Instructions/Toolz/Free Online GUID Generator.url, win10v2004-20240802-en
behavioral27: Spoof Instructions/Toolz/GeoLocation.bat, win7-20240704-en
behavioral28: Spoof Instructions/Toolz/GeoLocation.bat, win10v2004-20240802-en
behavioral29: Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe, win7-20240708-en
behavioral30: Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe, win10v2004-20240802-en
behavioral31: Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe, win7-20240708-en
behavioral32: Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe, win10v2004-20240802-en
General

Target: Spoof Instructions/Toolz/DNSBench.exe
Size: 168KB
MD5: 04177f89fa23b9d6fec146d9be737566
SHA1: b95ea3c6094affda5f05110d1c0ae6daa56ebc2b
SHA256: a1375a7ecbacf70efd3d54c7ec3c1ceae7166ad1c723b390ac78d7a3e1b19f92
SHA512: 75244f24c1d3710e7eb292d72fce0e276143f6302d02edf22db484be21cda52f74166fff3e511a734de1b1b77c18d0ddf9776586d8e102d5f9619d7011c1f3ad
SSDEEP: 3072:5Sww+ICvU0Qv8Z9yzvSh3gzaDKzHDa4cn2qTWM9gbYfOheIB2:5SwwPC08CzvSh3geOzm4cn2AWM9gbi
Malware Config
Signatures

Unexpected DNS network traffic destination (64 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
IoCs (Destination IP):
208.67.220.222, 129.250.35.250, 4.2.2.4, 68.4.16.25, 198.153.192.1, 208.67.222.222, 68.111.16.30, 68.12.16.30, 156.154.70.22, 66.92.224.2,
68.87.69.154, 64.81.111.2, 198.41.0.4, 4.2.2.6, 68.11.16.25, 68.100.16.30, 208.67.220.220, 209.55.1.220, 4.2.2.5, 66.92.159.2,
68.2.16.25, 74.118.212.2, 156.154.71.25, 24.113.32.29, 68.87.64.154, 156.154.70.1, 68.13.16.30, 216.231.41.2, 156.154.71.22, 68.9.16.30,
129.250.35.251, 156.154.70.25, 68.6.16.30, 68.1.18.30, 68.4.16.30, 64.81.79.2, 208.67.220.123, 24.113.32.30, 68.10.16.25, 68.10.16.30,
216.27.175.2, 1.0.0.1, 68.9.16.25, 204.97.212.10, 68.12.16.25, 204.194.234.200, 64.81.127.2, 68.100.16.25, 74.118.212.1, 198.153.194.1,
68.6.16.25, 208.67.222.123, 68.111.16.25, 4.2.2.3, 64.81.45.2, 68.1.18.25, 68.2.16.30, 68.11.16.30, 68.13.16.25, 156.154.71.1,
64.81.159.2, 66.92.64.2, 4.2.2.2, 209.55.0.110

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
IoC: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: DNSBench.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
IoCs (description, pid, process):
Token: 33, 4168, AUDIODG.EXE
Token: SeIncBasePriorityPrivilege, 4168, AUDIODG.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\DNSBench.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\DNSBench.exe"
  Depth: 1
  PID: 3196
  Signatures: System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x314 0x4c8
  Depth: 1
  PID: 4168
  Signatures: Suspicious use of AdjustPrivilegeToken