c4178eca2d3b5be55e07a3a7bd788d878fa919f0e3be7ee2ba0cc59c5c26da3e

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe
Size

720KB
MD5

c360341ee4b8179f6fd9049efe4a8acb
SHA1

fb4dca2436b21b989bfbdc6d1bce8c757a2300c6
SHA256

5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683
SHA512

0cd467952772c395a46a0e9922b5ab3a42456c172e3ae4ac8c34cff67beca8e8c8a66a0835038546b05769aa22cfcb4a4e41aea23bba281b4b6cf6a293634693
SSDEEP

12288:tdV4W7FDXVWqA9suNmpWhSqjqkDkKHnjCji5O1zwStDqtJtsmyDvnzy:td/vWqA9hmCSqjqkhuG50zwS9qaI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	clrvu.exe

Loads dropped DLL 9 IoCs

pid	Process
1732	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe
1732	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2432	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2672	wmic.exe
Token: SeSecurityPrivilege	2672	wmic.exe
Token: SeTakeOwnershipPrivilege	2672	wmic.exe
Token: SeLoadDriverPrivilege	2672	wmic.exe
Token: SeSystemProfilePrivilege	2672	wmic.exe
Token: SeSystemtimePrivilege	2672	wmic.exe
Token: SeProfSingleProcessPrivilege	2672	wmic.exe
Token: SeIncBasePriorityPrivilege	2672	wmic.exe
Token: SeCreatePagefilePrivilege	2672	wmic.exe
Token: SeBackupPrivilege	2672	wmic.exe
Token: SeRestorePrivilege	2672	wmic.exe
Token: SeShutdownPrivilege	2672	wmic.exe
Token: SeDebugPrivilege	2672	wmic.exe
Token: SeSystemEnvironmentPrivilege	2672	wmic.exe
Token: SeRemoteShutdownPrivilege	2672	wmic.exe
Token: SeUndockPrivilege	2672	wmic.exe
Token: SeManageVolumePrivilege	2672	wmic.exe
Token: 33	2672	wmic.exe
Token: 34	2672	wmic.exe
Token: 35	2672	wmic.exe
Token: SeIncreaseQuotaPrivilege	2672	wmic.exe
Token: SeSecurityPrivilege	2672	wmic.exe
Token: SeTakeOwnershipPrivilege	2672	wmic.exe
Token: SeLoadDriverPrivilege	2672	wmic.exe
Token: SeSystemProfilePrivilege	2672	wmic.exe
Token: SeSystemtimePrivilege	2672	wmic.exe
Token: SeProfSingleProcessPrivilege	2672	wmic.exe
Token: SeIncBasePriorityPrivilege	2672	wmic.exe
Token: SeCreatePagefilePrivilege	2672	wmic.exe
Token: SeBackupPrivilege	2672	wmic.exe
Token: SeRestorePrivilege	2672	wmic.exe
Token: SeShutdownPrivilege	2672	wmic.exe
Token: SeDebugPrivilege	2672	wmic.exe
Token: SeSystemEnvironmentPrivilege	2672	wmic.exe
Token: SeRemoteShutdownPrivilege	2672	wmic.exe
Token: SeUndockPrivilege	2672	wmic.exe
Token: SeManageVolumePrivilege	2672	wmic.exe
Token: 33	2672	wmic.exe
Token: 34	2672	wmic.exe
Token: 35	2672	wmic.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe
Token: SeRestorePrivilege	2552	wmic.exe
Token: SeShutdownPrivilege	2552	wmic.exe
Token: SeDebugPrivilege	2552	wmic.exe
Token: SeSystemEnvironmentPrivilege	2552	wmic.exe
Token: SeRemoteShutdownPrivilege	2552	wmic.exe
Token: SeUndockPrivilege	2552	wmic.exe
Token: SeManageVolumePrivilege	2552	wmic.exe
Token: 33	2552	wmic.exe
Token: 34	2552	wmic.exe
Token: 35	2552	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2432	1732	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	28
PID 1732 wrote to memory of 2432	1732	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	28
PID 1732 wrote to memory of 2432	1732	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	28
PID 1732 wrote to memory of 2432	1732	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	28
PID 2432 wrote to memory of 2672	2432	clrvu.exe	29
PID 2432 wrote to memory of 2672	2432	clrvu.exe	29
PID 2432 wrote to memory of 2672	2432	clrvu.exe	29
PID 2432 wrote to memory of 2672	2432	clrvu.exe	29
PID 2432 wrote to memory of 2552	2432	clrvu.exe	32
PID 2432 wrote to memory of 2552	2432	clrvu.exe	32
PID 2432 wrote to memory of 2552	2432	clrvu.exe	32
PID 2432 wrote to memory of 2552	2432	clrvu.exe	32
PID 2432 wrote to memory of 2696	2432	clrvu.exe	34
PID 2432 wrote to memory of 2696	2432	clrvu.exe	34
PID 2432 wrote to memory of 2696	2432	clrvu.exe	34
PID 2432 wrote to memory of 2696	2432	clrvu.exe	34
PID 2432 wrote to memory of 2540	2432	clrvu.exe	36
PID 2432 wrote to memory of 2540	2432	clrvu.exe	36
PID 2432 wrote to memory of 2540	2432	clrvu.exe	36
PID 2432 wrote to memory of 2540	2432	clrvu.exe	36
PID 2432 wrote to memory of 2288	2432	clrvu.exe	38
PID 2432 wrote to memory of 2288	2432	clrvu.exe	38
PID 2432 wrote to memory of 2288	2432	clrvu.exe	38
PID 2432 wrote to memory of 2288	2432	clrvu.exe	38
PID 2432 wrote to memory of 2576	2432	clrvu.exe	40
PID 2432 wrote to memory of 2576	2432	clrvu.exe	40
PID 2432 wrote to memory of 2576	2432	clrvu.exe	40
PID 2432 wrote to memory of 2576	2432	clrvu.exe	40

C:\Users\Admin\AppData\Local\Temp\5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe
"C:\Users\Admin\AppData\Local\Temp\5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\clrvu.exe
  C:\Users\Admin\AppData\Local\Temp/clrvu.exe /PID=8805 /SUBPID=0 /DISTID=26718 /VM=2 /NETWORDK=1 /CID=0 /PRODUCT_ID=25912 /RETURNING_USER_DAYS=2 /SERVER_URL=http://installer.ppdownload.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375808.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375808.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375808.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375808.txt bios get version
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375808.txt bios get version
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 376
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91695375808.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi31BB.tmp\yolo.dll

Filesize
125KB

MD5
0499fd97ea937c781b215c0d8b42c335

SHA1
19eee2fd9aeb9098ca8954d3d855df64dff1da10

SHA256
46afe34ef9bcc3e2d76bd85f73235cabd22982b29ac85e5b8415ecb72fb10760

SHA512
b54821c203cb5ec2e59404500607a6f1e6e213f00ef4acf866837fba3696a96b5b0f986e3547bce6b66f4cbb056d49862be0785a3e711b2aee30bb4b99d93cad

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi31BB.tmp\yolo.dll

Filesize
125KB

MD5
0499fd97ea937c781b215c0d8b42c335

SHA1
19eee2fd9aeb9098ca8954d3d855df64dff1da10

SHA256
46afe34ef9bcc3e2d76bd85f73235cabd22982b29ac85e5b8415ecb72fb10760

SHA512
b54821c203cb5ec2e59404500607a6f1e6e213f00ef4acf866837fba3696a96b5b0f986e3547bce6b66f4cbb056d49862be0785a3e711b2aee30bb4b99d93cad

Download Submit