d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d

Analysis

max time kernel
90s
max time network
168s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/12/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpfile-main/Spoofer.exe
Size

1.4MB
MD5

8a3a208004bb6c2538c5b1f7b3a9abc2
SHA1

7df25e02fe6f0c38a4cd9c413d4dc9e43712e23f
SHA256

b21dcd28685971bccad0f04e828a95770e7eb93c9c44ac8463eac0577adfe37f
SHA512

d1ae7d0a274c82054ba18f010f921e51eb7ef4a98ae990490da5cd49601ce6c089cc0f1a5b4a6ae7dc32333f5760fca6e3e737af350695730d847b3e341a8247
SSDEEP

24576:5Axa2A3lBPp1vXmwsSgtJ+HPstaTHpOqwzzFQeaqduiI157y1P9cFPCegnEz:5Ak2wX/m4gtJ+U8JWzzF3aUXI1l8cFa4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	MontanaSpoofer.exe

Executes dropped EXE 1 IoCs

pid	Process
948	MontanaSpoofer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	MontanaSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MontanaSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	MontanaSpoofer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	Spoofer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 948	4988	Spoofer.exe	83
PID 4988 wrote to memory of 948	4988	Spoofer.exe	83

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll

Filesize
2.1MB

MD5
b429ae86c5be521bc8ca3b164cec3acb

SHA1
387560073ff5a1f2191abc6f75fc34532bbb6dd2

SHA256
3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579

SHA512
eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.deps.json

Filesize
2KB

MD5
1f8022d231b0c479e19eb86a10312c4f

SHA1
eebe57abb1999de25b03fb23c6247e420c3f355b

SHA256
86c9558da38267d785e4f6d78056778b673aaed42cbd8f704b1dd64811d08f3d

SHA512
3c14143d5d9d60f9c8f572276c4f6d0ee0712760ce63fddae620f099fdf46e28f15f929584737e3cb028fffa4ba2819550f66a68f90cc8a3a2ebdbf9d7dfbd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.dll

Filesize
454KB

MD5
d0902a9df335a37f1dd5ad5ce1223928

SHA1
e1526d6ecc8c293333a6d6b813260349a18b140f

SHA256
275c1257d4c2dacc787f3f80f2cdc2328552f09d8c87b5b6226a9cd712dd8f0b

SHA512
4d1c655a4cd44c0e3e28234ab87c4f0331d02a5ee9c4d340dd6c4b765d88b27ddcced490bec9010cfd5ea6376ce45c1d7143656998ee2018b3516a1c36d3e218

Download Submit
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.exe

Filesize
135KB

MD5
6606c3f98d9f8fae5e9c5337eec434c4

SHA1
ea0d27f6ee5c7d5a97cdaebac02e48da5a17e577

SHA256
a48b56504cd8581af88cf3d4dd61549e3d00573318962ab1c3af53aef723c337

SHA512
7e8787c296123cf0306adc5e545119bb345b4f267beb03a5657eeb4d59673eeac05c04307abeb9dc1cd91290f71736d6d8991049eddacdda44f9cf6c6b631599

Download Submit
C:\Users\Admin\AppData\Local\Temp\MontanaSpoofer.runtimeconfig.json

Filesize
443B

MD5
9db099f143ead47e224653d0dde19fe9

SHA1
d050db767fc64aa1705353132da3e35048475d3c

SHA256
7e79af92820e50910b90f1cade2728f45987393f24b50e384dc225d9773b7194

SHA512
579c3c870903b3d47dbc2567153fa7c73e0aa47387c6969b8982037884033a4b25de702e0efb8c7ae717b6b463192b917b18a79b1ef5f8c969f257422af2b65f

Download Submit
memory/948-29-0x0000012599030000-0x0000012599031000-memory.dmp

Filesize
4KB

Download
memory/4988-0-0x00007FF8CFA93000-0x00007FF8CFA95000-memory.dmp

Filesize
8KB

Download
memory/4988-1-0x0000000000BA0000-0x0000000000D06000-memory.dmp

Filesize
1.4MB

Download
memory/4988-2-0x00007FF8CFA90000-0x00007FF8D0552000-memory.dmp

Filesize
10.8MB

Download
memory/4988-27-0x00007FF8CFA90000-0x00007FF8D0552000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads