Overview

overview

9

Static

static

9

Spoof Inst...ew.chm

windows7-x64

1

Spoof Inst...ew.chm

windows10-2004-x64

1

Spoof Inst...ew.exe

windows7-x64

6

Spoof Inst...ew.exe

windows10-2004-x64

6

Spoof Inst...pt.ps1

windows7-x64

3

Spoof Inst...pt.ps1

windows10-2004-x64

3

Spoof Inst...ID.cmd

windows7-x64

1

Spoof Inst...ID.cmd

windows10-2004-x64

1

Spoof Inst...id.exe

windows7-x64

3

Spoof Inst...id.exe

windows10-2004-x64

3

Spoof Inst...64.exe

windows7-x64

1

Spoof Inst...64.exe

windows10-2004-x64

1

Spoof Inst...me.bat

windows7-x64

3

Spoof Inst...me.bat

windows10-2004-x64

7

Spoof Inst...sk.exe

windows7-x64

5

Spoof Inst...sk.exe

windows10-2004-x64

5

Spoof Inst...ch.exe

windows7-x64

7

Spoof Inst...ch.exe

windows10-2004-x64

7

Spoof Inst...gs.vbs

windows7-x64

3

Spoof Inst...gs.vbs

windows10-2004-x64

1

Spoof Inst...ol.exe

windows7-x64

7

Spoof Inst...ol.exe

windows10-2004-x64

7

Spoof Inst...he.bat

windows7-x64

1

Spoof Inst...he.bat

windows10-2004-x64

1

Spoof Inst...or.url

windows7-x64

1

Spoof Inst...or.url

windows10-2004-x64

1

Spoof Inst...on.bat

windows7-x64

8

Spoof Inst...on.bat

windows10-2004-x64

8

Spoof Inst...er.exe

windows7-x64

6

Spoof Inst...er.exe

windows10-2004-x64

6

Spoof Inst...le.exe

windows7-x64

6

Spoof Inst...le.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Spoof Instructions/Toolz/GeoLocation.bat

  • Size

    1KB

  • MD5

    9b5aedfc8cd2493803737f542828166a

  • SHA1

    6abb1d991cea9cccdb7a08082fc9c22ca32baab1

  • SHA256

    5f8ba3ee3267ae4174c21eb587d711a0eb123a5681e4387dc02f0a5b1bc3bd1c

  • SHA512

    e7413a70df5dd13b4c7dfc94b26e7a8b4d267b926720c6d7b7e8be90a0d53541dbf938a5cab61c0c6db4a109d47af8a9c935494f0ae5fa195a9b004683924a1e

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Powershell Invoke Web Request.

    execution
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\GeoLocation.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-WebRequest -Uri 'https://api.ipify.org').Content"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(Invoke-WebRequest -Uri 'https://api.ipify.org').Content"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'http://ip-api.com/json/194.110.13.70' -UseBasicParsing | ConvertFrom-Json | ForEach-Object { $_ | Add-Member -NotePropertyName 'latitude / longitude' -NotePropertyValue \"$($_.lat), $($_.lon)\" -Force -PassThru } | Select-Object -Property status, country, countryCode, region, regionName, city, zip, timezone, isp, org, as, query, 'latitude / longitude' | Format-List"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://freegeoip.app/json/194.110.13.70' -UseBasicParsing | ConvertFrom-Json | ForEach-Object { $_ | Add-Member -NotePropertyName 'latitude / longitude' -NotePropertyValue \"$($_.latitude), $($_.longitude)\" -Force -PassThru } | Select-Object -Property ip, country_code, country_name, region_code, region_name, city, zip_code, time_zone, metro_code, 'latitude / longitude' | Format-List"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c73fbd7d9ca40e3168e63be530913e76

    SHA1

    a2de46cb05c33220a4528f31671780f2ec048c65

    SHA256

    029ebfd4d8c837dfa0afb80278828d84224415c09dec5d40d9c2d68b668e34c7

    SHA512

    6adb867051c31826bd2225041414f0f3591efceb4fa3f916396aa2b1e9e3abf4f935868125c75f645beb15ce3d5c5e5957d606c098a6e97b8fd620b72702226e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    e78cb05c9efa108b91876a5939826766

    SHA1

    1e39a1267db8303f794cc92c8b75e4e8b6d2c61a

    SHA256

    44aca2158df884c5d14b7c2af30becb298d8c6f51590a16c5df979c3aeb00602

    SHA512

    c9be62c20d1fd8bcfccc9bc0256115f1dc3cec47c4af753bda509b3f0e428e5d7616a0d2f0ac1494c859d61689ad3582c257b69844bcdac669d285c56f168842

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pwyhnqm.prf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/876-27-0x000001AA56140000-0x000001AA56302000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/876-28-0x000001AA56840000-0x000001AA56D68000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4244-0-0x00007FFBA6273000-0x00007FFBA6275000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4244-10-0x0000029BF5F50000-0x0000029BF5F72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4244-11-0x00007FFBA6270000-0x00007FFBA6D31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4244-12-0x00007FFBA6270000-0x00007FFBA6D31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4244-13-0x0000029BF6AE0000-0x0000029BF7286000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/4244-16-0x00007FFBA6270000-0x00007FFBA6D31000-memory.dmp

    Filesize

    10.8MB

    Download