Overview (score 7)
Static (score 7)

Sandbox tasks (sample, platform, score; tasks with no score badge are left blank):
  Temp Spoofer.zip                             windows7-x64        1
  Temp Spoofer.zip                             windows10-2004-x64  1
  Temp Spoofer/Checker.bat                     windows7-x64        1
  Temp Spoofer/Checker.bat                     windows10-2004-x64  1
  Temp Spoofer/Temp Spoofer Instruction.pdf    windows7-x64        3
  Temp Spoofer/Temp Spoofer Instruction.pdf    windows10-2004-x64  3
  Temp Spoofer/client.7z                       windows7-x64        3
  Temp Spoofer/client.7z                       windows10-2004-x64  3
  client.exe                                   windows7-x64        1
  client.exe                                   windows10-2004-x64  1
  Temp Spoofer/dControl.rar                    windows7-x64        3
  Temp Spoofer/dControl.rar                    windows10-2004-x64  3
  dControl/dControl.exe                        windows7-x64        7
  dControl/dControl.exe                        windows10-2004-x64  7
  out.exe                                      windows7-x64
  out.exe                                      windows10-2004-x64
  dControl/dControl.ini                        windows7-x64        1
  dControl/dControl.ini                        windows10-2004-x64  1

Analysis
  max time kernel:   122s
  max time network:  127s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         20-09-2024 09:27
Behavioral tasks (task: sample, resource)
  behavioral1:   Temp Spoofer.zip, win7-20240708-en
  behavioral2:   Temp Spoofer.zip, win10v2004-20240802-en
  behavioral3:   Temp Spoofer/Checker.bat, win7-20240903-en
  behavioral4:   Temp Spoofer/Checker.bat, win10v2004-20240802-en
  behavioral5:   Temp Spoofer/Temp Spoofer Instruction.pdf, win7-20240704-en
  behavioral6:   Temp Spoofer/Temp Spoofer Instruction.pdf, win10v2004-20240802-en
  behavioral7:   Temp Spoofer/client.7z, win7-20240903-en
  behavioral8:   Temp Spoofer/client.7z, win10v2004-20240802-en
  behavioral9:   client.exe, win7-20240903-en
  behavioral10:  client.exe, win10v2004-20240802-en
  behavioral11:  Temp Spoofer/dControl.rar, win7-20240903-en
  behavioral12:  Temp Spoofer/dControl.rar, win10v2004-20240802-en
  behavioral13:  dControl/dControl.exe, win7-20240903-en
  behavioral14:  dControl/dControl.exe, win10v2004-20240802-en
  behavioral15:  out.exe, win7-20240903-en
  behavioral16:  out.exe, win10v2004-20240802-en
  behavioral17:  dControl/dControl.ini, win7-20240903-en
  behavioral18:  dControl/dControl.ini, win10v2004-20240802-en
General
  Target:  Temp Spoofer/Checker.bat
  Size:    1KB
  MD5:     08fb4451ab72d4402f0e59c01a818b80
  SHA1:    01710b42e2ed57fa36ba99a2d4fbbf172fca1e69
  SHA256:  75c8fd9956c04d97d837172afcd0960aaede7d803725665430e189065caf3215
  SHA512:  3fe67c40b945ae20db5dae4db621a41844e4b70f44cd131a0dd1c06750e4451ff019b9f9262acbd5bafefc1f1ba8db33a65db1177aebab55570a30d992ee4273
Malware Config

Signatures
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
    pid   Process
    2644  ipconfig.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Columns: description, pid, Process. Grouped by process below; the token list is in the order the report gives it.
    PID 2848 WMIC.exe, 40 IoCs (the following 20 tokens, listed twice):
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    PID 2076 WMIC.exe, 24 IoCs (the same 20 tokens once, then the first four again):
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
- Suspicious use of WriteProcessMemory (33 IoCs)
  Columns: description, pid, Process, procid_target. Every row is listed three times in the report; the distinct rows are:
    PID 2976 cmd.exe wrote to memory of 2848  (procid_target 29)
    PID 2976 cmd.exe wrote to memory of 2076  (procid_target 31)
    PID 2976 cmd.exe wrote to memory of 2844  (procid_target 32)
    PID 2976 cmd.exe wrote to memory of 1212  (procid_target 33)
    PID 2976 cmd.exe wrote to memory of 824   (procid_target 34)
    PID 2976 cmd.exe wrote to memory of 1816  (procid_target 35)
    PID 2976 cmd.exe wrote to memory of 2956  (procid_target 36)
    PID 2976 cmd.exe wrote to memory of 3004  (procid_target 37)
    PID 2976 cmd.exe wrote to memory of 2732  (procid_target 38)
    PID 2976 cmd.exe wrote to memory of 2644  (procid_target 40)
    PID 2976 cmd.exe wrote to memory of 2516  (procid_target 41)
Processes
- C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Temp Spoofer\Checker.bat"
    PID: 2976
    Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      PID: 2848
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get serialnumber
      PID: 2076
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      PID: 2844
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get serialnumber
      PID: 1212
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      PID: 824
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      PID: 1816
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET PNPDeviceID
      PID: 2956
  - C:\Windows\System32\Wbem\WMIC.exe
      wmic desktopmonitor get pnpdeviceid
      PID: 3004
  - C:\Windows\system32\getmac.exe
      getmac
      PID: 2732
  - C:\Windows\system32\ipconfig.exe
      ipconfig
      PID: 2644
      Gathers network information
  - C:\Windows\system32\cmd.exe
      cmd /k
      PID: 2516