0ad4cd3377a9044cded63bc370164aabd0f43720b9256d8752efcf6dba98a21f

Resubmissions

08/09/2024, 09:04

240908-k1tfyszapf 7

08/09/2024, 09:02

240908-kzvydszalf 8

08/09/2024, 08:02

240908-jxkh7sxbmh 8

Analysis

max time kernel
21s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Immortal+Free+Spoofer.exe
Size

64.4MB
MD5

5a9c7de5228ecbbfebaf6652167472f7
SHA1

eb13a351425eac3a91459a83e78b153963b7d422
SHA256

0ad4cd3377a9044cded63bc370164aabd0f43720b9256d8752efcf6dba98a21f
SHA512

078e689c4abddb4c075bdc077c838641e1c6fa2d2fcf98f9dc166bd561812da86cfb29550438266a87acf89fad7de3897effb2d1ac015aaa37aa4ab308b295e6
SSDEEP

393216:pjaZgP8kDQoo53we9r9OJ/sbA9ZhGInxtnWxvdiQ2OUNpCEp7kN3VkQGQPNLFu4J:hkghDQk49Otsbyx1DOUNoER7gj

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Immortal+Free+Spoofer.exe

Executes dropped EXE 1 IoCs

pid	Process
4308	LOADER_HERE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5084	WMIC.exe
Token: SeSecurityPrivilege	5084	WMIC.exe
Token: SeTakeOwnershipPrivilege	5084	WMIC.exe
Token: SeLoadDriverPrivilege	5084	WMIC.exe
Token: SeSystemProfilePrivilege	5084	WMIC.exe
Token: SeSystemtimePrivilege	5084	WMIC.exe
Token: SeProfSingleProcessPrivilege	5084	WMIC.exe
Token: SeIncBasePriorityPrivilege	5084	WMIC.exe
Token: SeCreatePagefilePrivilege	5084	WMIC.exe
Token: SeBackupPrivilege	5084	WMIC.exe
Token: SeRestorePrivilege	5084	WMIC.exe
Token: SeShutdownPrivilege	5084	WMIC.exe
Token: SeDebugPrivilege	5084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5084	WMIC.exe
Token: SeRemoteShutdownPrivilege	5084	WMIC.exe
Token: SeUndockPrivilege	5084	WMIC.exe
Token: SeManageVolumePrivilege	5084	WMIC.exe
Token: 33	5084	WMIC.exe
Token: 34	5084	WMIC.exe
Token: 35	5084	WMIC.exe
Token: 36	5084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5084	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4308	2352	Immortal+Free+Spoofer.exe	99
PID 2352 wrote to memory of 4308	2352	Immortal+Free+Spoofer.exe	99
PID 2352 wrote to memory of 2720	2352	Immortal+Free+Spoofer.exe	104
PID 2352 wrote to memory of 2720	2352	Immortal+Free+Spoofer.exe	104
PID 2720 wrote to memory of 4448	2720	cmd.exe	106
PID 2720 wrote to memory of 4448	2720	cmd.exe	106
PID 2720 wrote to memory of 5084	2720	cmd.exe	107
PID 2720 wrote to memory of 5084	2720	cmd.exe	107
PID 2720 wrote to memory of 3388	2720	cmd.exe	108
PID 2720 wrote to memory of 3388	2720	cmd.exe	108
PID 2720 wrote to memory of 4808	2720	cmd.exe	109
PID 2720 wrote to memory of 4808	2720	cmd.exe	109
PID 2720 wrote to memory of 4612	2720	cmd.exe	110
PID 2720 wrote to memory of 4612	2720	cmd.exe	110
PID 2720 wrote to memory of 4860	2720	cmd.exe	111
PID 2720 wrote to memory of 4860	2720	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\Immortal+Free+Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Immortal+Free+Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\signed_ud.sys
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Checker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:3388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:4612
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Checker.bat

Filesize
456B

MD5
cafc57aca6d10f9dcdc9d3aec9a35b72

SHA1
2e0e30ac79878b3d4d326f00735aaa7ff4b4a3df

SHA256
1c63492020872da13d2b35aa8eb02517376e1a7391bfaa1584d828bd5aa916ad

SHA512
d0e14f1eb2077b455f0a42a60b37c625badae4084734ce0e050e992a7b759d969c6d86e2be49ae20712c70c2453cb9efd3de8cb8124f0b489826f8f80f93fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe

Filesize
534KB

MD5
cd4d08af76e7614f46bc853cf82cebc6

SHA1
94e75dac14976227c1c33ae48866e820db52aa1a

SHA256
f03d6b156974af96b66b3913bbcdf49609720f37f2e69c4222c2d0920f442f58

SHA512
b24396f3973156d8aef58203a0bcf1d542362e8591509e054488d6562fcf60e3cd628db0252a45ead220b4c7e82f065092e8a6145fcbfc399b4ca86f17084d99

Download Submit
memory/4308-5-0x00007FF7409F0000-0x00007FF740AA3000-memory.dmp

Filesize
716KB

Download
memory/4308-6-0x00007FF7409F0000-0x00007FF740AA3000-memory.dmp

Filesize
716KB

Download