Overview / Static (score 7)

Per-task scores for the submitted archive and the files extracted from it (the score is the sandbox's own 1 to 10 rating; a blank means no score was assigned for that task):

Sample                   Platform             Score
Temp Spoofer.zip         windows7-x64         1
Temp Spoofer.zip         windows10-2004-x64   1
Temp Spoof...er.bat      windows7-x64         1
Temp Spoof...er.bat      windows10-2004-x64   1
Temp Spoof...on.pdf      windows7-x64         3
Temp Spoof...on.pdf      windows10-2004-x64   3
Temp Spoof...ent.7z      windows7-x64         3
Temp Spoof...ent.7z      windows10-2004-x64   3
client.exe               windows7-x64         1
client.exe               windows10-2004-x64   1
Temp Spoof...ol.rar      windows7-x64         3
Temp Spoof...ol.rar      windows10-2004-x64   3
dControl/dControl.exe    windows7-x64         7
dControl/dControl.exe    windows10-2004-x64   7
out.exe                  windows7-x64         (none)
out.exe                  windows10-2004-x64   (none)
dControl/dControl.ini    windows7-x64         1
dControl/dControl.ini    windows10-2004-x64   1

Analysis
- max time kernel: 91s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2024 09:27
Behavioral tasks

Task          Sample                                       Resource
behavioral1   Temp Spoofer.zip                             win7-20240708-en
behavioral2   Temp Spoofer.zip                             win10v2004-20240802-en
behavioral3   Temp Spoofer/Checker.bat                     win7-20240903-en
behavioral4   Temp Spoofer/Checker.bat                     win10v2004-20240802-en
behavioral5   Temp Spoofer/Temp Spoofer Instruction.pdf    win7-20240704-en
behavioral6   Temp Spoofer/Temp Spoofer Instruction.pdf    win10v2004-20240802-en
behavioral7   Temp Spoofer/client.7z                       win7-20240903-en
behavioral8   Temp Spoofer/client.7z                       win10v2004-20240802-en
behavioral9   client.exe                                   win7-20240903-en
behavioral10  client.exe                                   win10v2004-20240802-en
behavioral11  Temp Spoofer/dControl.rar                    win7-20240903-en
behavioral12  Temp Spoofer/dControl.rar                    win10v2004-20240802-en
behavioral13  dControl/dControl.exe                        win7-20240903-en
behavioral14  dControl/dControl.exe                        win10v2004-20240802-en
behavioral15  out.exe                                      win7-20240903-en
behavioral16  out.exe                                      win10v2004-20240802-en
behavioral17  dControl/dControl.ini                        win7-20240903-en
behavioral18  dControl/dControl.ini                        win10v2004-20240802-en
General

The rest of this report covers the Windows 10 run of Checker.bat (resource win10v2004-20240802-en).

- Target: Temp Spoofer/Checker.bat
- Size: 1KB
- MD5: 08fb4451ab72d4402f0e59c01a818b80
- SHA1: 01710b42e2ed57fa36ba99a2d4fbbf172fca1e69
- SHA256: 75c8fd9956c04d97d837172afcd0960aaede7d803725665430e189065caf3215
- SHA512: 3fe67c40b945ae20db5dae4db621a41844e4b70f44cd131a0dd1c06750e4451ff019b9f9262acbd5bafefc1f1ba8db33a65db1177aebab55570a30d992ee4273
Malware Config

No configuration was extracted for this task.

Signatures

- Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view the network configuration.
  PID 712  ipconfig.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Two WMIC.exe instances enabled privileges in their own access tokens. Both enabled the same 21 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35 and 36, which the sandbox did not resolve to names.
  PID 4848 WMIC.exe: the full list, logged twice (42 entries)
  PID 2544 WMIC.exe: the full list once, then SeIncreaseQuotaPrivilege a second time (22 entries)
  Caveat: this is the privilege set of an elevated administrator token, and wmic.exe enables every privilege present in its token when it starts, whatever query it is asked to run. The signature therefore fires for any WMIC invocation, including the read-only inventory queries this batch file issues; it is not evidence that the script escalates privileges.

- Suspicious use of WriteProcessMemory (22 IoCs)
  Every entry is cmd.exe (PID 2152) writing into a process it had just created; each target is recorded twice.
  Writer PID  Target PID  procid_target  Target process (from the process tree)
  2152        4848        83             WMIC.exe  wmic csproduct get uuid
  2152        2544        85             WMIC.exe  wmic bios get serialnumber
  2152        3536        86             WMIC.exe  wmic baseboard get serialnumber
  2152        4784        87             WMIC.exe  wmic cpu get serialnumber
  2152        2268        88             WMIC.exe  wmic diskdrive get serialnumber
  2152        4276        89             WMIC.exe  wmic memorychip get serialnumber
  2152        3052        90             WMIC.exe  wmic PATH Win32_VideoController GET PNPDeviceID
  2152        1852        91             WMIC.exe  wmic desktopmonitor get pnpdeviceid
  2152        1160        92             getmac.exe  getmac
  2152        712         94             ipconfig.exe  ipconfig
  2152        220         95             cmd.exe  cmd /k
  Caveat: creating a process writes start-up data into the new child's address space, so a cmd.exe parent shows up under this signature for every child it launches. Since every target here is a direct child of PID 2152 in the process tree, this is ordinary spawning, not injection into an unrelated process; the entry that would matter is a write into a process the writer did not create.
Processes

C:\Windows\system32\cmd.exe  (PID 2152)
  command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp Spoofer\Checker.bat"
  signature: Suspicious use of WriteProcessMemory
  children:
    C:\Windows\System32\Wbem\WMIC.exe  (PID 4848)  wmic csproduct get uuid
      signature: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe  (PID 2544)  wmic bios get serialnumber
      signature: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe  (PID 3536)  wmic baseboard get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe  (PID 4784)  wmic cpu get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe  (PID 2268)  wmic diskdrive get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe  (PID 4276)  wmic memorychip get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe  (PID 3052)  wmic PATH Win32_VideoController GET PNPDeviceID
    C:\Windows\System32\Wbem\WMIC.exe  (PID 1852)  wmic desktopmonitor get pnpdeviceid
    C:\Windows\system32\getmac.exe     (PID 1160)  getmac
    C:\Windows\system32\ipconfig.exe   (PID 712)   ipconfig
      signature: Gathers network information
    C:\Windows\system32\cmd.exe        (PID 220)   cmd /k

Read together, the tree is the whole of Checker.bat: ten child processes that print the identifiers a hardware-ID (HWID) check typically keys on (SMBIOS UUID, BIOS, baseboard, CPU, disk and memory-module serial numbers, GPU and monitor PnP device IDs, MAC addresses, IP configuration), followed by cmd /k to keep the console open so the values can be read. That is consistent with the file's role in a "Temp Spoofer" package: a checker the user runs before and after spoofing to confirm the identifiers changed. The only behaviour recorded for this task is this enumeration; the three signatures above are all side effects of how WMIC and cmd.exe work rather than of anything the script does beyond launching them.
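Two checks a responder would want to run over endpoint telemetry for a tree like this one, written here as an added example (it is not part of the sandbox report and not code from the Temp Spoofer package): the first groups process-creation events by parent and flags a parent whose children query several distinct hardware-identifier classes in a short window, which separates this HWID-checker pattern from a lone inventory query; the second labels the WriteProcessMemory pairs from the Signatures section as child-spawn or cross-process by checking whether the writer is the target's parent. The event records are constructed from the process tree above; the field names (ts, pid, ppid, image, cmdline), the timestamps, the parent PID 1000 of the top cmd.exe and the control event for PID 5001 are all assumptions, since the report gives none of them.

```python
"""Triage helpers for a process-creation burst like the one in this report.
Added example, not the sandbox's or the sample's code. Event fields follow a
loose Sysmon Event ID 1 shape (assumption); timestamps, the cmd.exe parent's
own PPID (1000) and the control event (PID 5001) are constructed."""
import re
from collections import defaultdict

WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
SYS32 = r"C:\Windows\system32"


def ev(ts, pid, ppid, image, cmdline):
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the process tree on this page; times are invented offsets.
EVENTS = [
    ev(0.0, 2152, 1000, SYS32 + r"\cmd.exe",
       r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp Spoofer\Checker.bat"'),
    ev(0.5, 4848, 2152, WMIC, "wmic csproduct get uuid"),
    ev(1.0, 2544, 2152, WMIC, "wmic bios get serialnumber"),
    ev(1.5, 3536, 2152, WMIC, "wmic baseboard get serialnumber"),
    ev(2.0, 4784, 2152, WMIC, "wmic cpu get serialnumber"),
    ev(2.5, 2268, 2152, WMIC, "wmic diskdrive get serialnumber"),
    ev(3.0, 4276, 2152, WMIC, "wmic memorychip get serialnumber"),
    ev(3.5, 3052, 2152, WMIC, "wmic PATH Win32_VideoController GET PNPDeviceID"),
    ev(4.0, 1852, 2152, WMIC, "wmic desktopmonitor get pnpdeviceid"),
    ev(4.5, 1160, 2152, SYS32 + r"\getmac.exe", "getmac"),
    ev(5.0, 712, 2152, SYS32 + r"\ipconfig.exe", "ipconfig"),
    ev(5.5, 220, 2152, SYS32 + r"\cmd.exe", "cmd /k"),
    # Constructed benign control: a single inventory query from another parent.
    ev(60.0, 5001, 4000, WMIC, "wmic bios get serialnumber"),
]

# One pattern per identifier class a hardware-ID (HWID) check keys on.
HWID_QUERIES = {
    "smbios_uuid":      re.compile(r"\bcsproduct\b.*\buuid\b", re.I),
    "bios_serial":      re.compile(r"\bbios\b.*\bserialnumber\b", re.I),
    "baseboard_serial": re.compile(r"\bbaseboard\b.*\bserialnumber\b", re.I),
    "cpu_serial":       re.compile(r"\bcpu\b.*\bserialnumber\b", re.I),
    "disk_serial":      re.compile(r"\bdiskdrive\b.*\bserialnumber\b", re.I),
    "ram_serial":       re.compile(r"\bmemorychip\b.*\bserialnumber\b", re.I),
    "gpu_pnp_id":       re.compile(r"win32_videocontroller\b.*\bpnpdeviceid\b", re.I),
    "monitor_pnp_id":   re.compile(r"\bdesktopmonitor\b.*\bpnpdeviceid\b", re.I),
    "mac_address":      re.compile(r"(^|\\)getmac(\.exe)?\b", re.I),
}


def classify(cmdline):
    """Return the identifier class a command line queries, or None."""
    for name, pattern in HWID_QUERIES.items():
        if pattern.search(cmdline):
            return name
    return None


def find_hwid_bursts(events, min_classes=4, window_s=30.0):
    """Report parents whose children query >= min_classes distinct identifier
    classes within window_s seconds (the widest such window per parent)."""
    by_parent = defaultdict(list)
    for e in events:
        cls = classify(e["cmdline"])
        if cls:
            by_parent[e["ppid"]].append((e["ts"], cls, e["pid"]))
    hits = []
    for ppid, rows in by_parent.items():
        rows.sort()
        best = None
        for lo in range(len(rows)):  # extend a window from each start row
            hi = lo
            while hi + 1 < len(rows) and rows[hi + 1][0] - rows[lo][0] <= window_s:
                hi += 1
            span = rows[lo:hi + 1]
            classes = {c for _, c, _ in span}
            if len(classes) >= min_classes and (best is None or len(classes) > len(best["classes"])):
                best = {"ppid": ppid, "classes": sorted(classes), "pids": sorted(p for _, _, p in span)}
        if best:
            hits.append(best)
    return hits


# The 11 distinct (writer, target) pairs from the WriteProcessMemory signature.
WPM_IOCS = [(2152, t) for t in (4848, 2544, 3536, 4784, 2268, 4276, 3052, 1852, 1160, 712, 220)]


def triage_wpm(iocs, events):
    """Label each WriteProcessMemory pair: a target whose parent is the writer is
    ordinary process creation; any other parent is a cross-process write."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    labels = {}
    for writer, target in iocs:
        if target not in parent_of:
            labels[(writer, target)] = "unknown (no creation event for target)"
        elif parent_of[target] == writer:
            labels[(writer, target)] = "child-spawn"
        else:
            labels[(writer, target)] = "cross-process"
    return labels


if __name__ == "__main__":
    for hit in find_hwid_bursts(EVENTS):
        print(f"HWID enumeration burst under PID {hit['ppid']}: {', '.join(hit['classes'])}")
    for pair, label in triage_wpm(WPM_IOCS, EVENTS).items():
        print(f"WriteProcessMemory {pair[0]} -> {pair[1]}: {label}")
```

Run against these records, the burst detector reports PID 2152 with all nine identifier classes and ignores the control parent that issued one query, and every WriteProcessMemory pair from this report comes back as child-spawn. The thresholds (four classes in thirty seconds) are starting points to tune against your own admin tooling, and ipconfig is deliberately not counted as an identifier class.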