c4178eca2d3b5be55e07a3a7bd788d878fa919f0e3be7ee2ba0cc59c5c26da3e

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe
Size

720KB
MD5

c360341ee4b8179f6fd9049efe4a8acb
SHA1

fb4dca2436b21b989bfbdc6d1bce8c757a2300c6
SHA256

5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683
SHA512

0cd467952772c395a46a0e9922b5ab3a42456c172e3ae4ac8c34cff67beca8e8c8a66a0835038546b05769aa22cfcb4a4e41aea23bba281b4b6cf6a293634693
SSDEEP

12288:tdV4W7FDXVWqA9suNmpWhSqjqkDkKHnjCji5O1zwStDqtJtsmyDvnzy:td/vWqA9hmCSqjqkhuG50zwS9qaI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4860	clrvu.exe

Loads dropped DLL 1 IoCs

pid	Process
4428	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	4860	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3844	wmic.exe
Token: SeSecurityPrivilege	3844	wmic.exe
Token: SeTakeOwnershipPrivilege	3844	wmic.exe
Token: SeLoadDriverPrivilege	3844	wmic.exe
Token: SeSystemProfilePrivilege	3844	wmic.exe
Token: SeSystemtimePrivilege	3844	wmic.exe
Token: SeProfSingleProcessPrivilege	3844	wmic.exe
Token: SeIncBasePriorityPrivilege	3844	wmic.exe
Token: SeCreatePagefilePrivilege	3844	wmic.exe
Token: SeBackupPrivilege	3844	wmic.exe
Token: SeRestorePrivilege	3844	wmic.exe
Token: SeShutdownPrivilege	3844	wmic.exe
Token: SeDebugPrivilege	3844	wmic.exe
Token: SeSystemEnvironmentPrivilege	3844	wmic.exe
Token: SeRemoteShutdownPrivilege	3844	wmic.exe
Token: SeUndockPrivilege	3844	wmic.exe
Token: SeManageVolumePrivilege	3844	wmic.exe
Token: 33	3844	wmic.exe
Token: 34	3844	wmic.exe
Token: 35	3844	wmic.exe
Token: 36	3844	wmic.exe
Token: SeIncreaseQuotaPrivilege	3844	wmic.exe
Token: SeSecurityPrivilege	3844	wmic.exe
Token: SeTakeOwnershipPrivilege	3844	wmic.exe
Token: SeLoadDriverPrivilege	3844	wmic.exe
Token: SeSystemProfilePrivilege	3844	wmic.exe
Token: SeSystemtimePrivilege	3844	wmic.exe
Token: SeProfSingleProcessPrivilege	3844	wmic.exe
Token: SeIncBasePriorityPrivilege	3844	wmic.exe
Token: SeCreatePagefilePrivilege	3844	wmic.exe
Token: SeBackupPrivilege	3844	wmic.exe
Token: SeRestorePrivilege	3844	wmic.exe
Token: SeShutdownPrivilege	3844	wmic.exe
Token: SeDebugPrivilege	3844	wmic.exe
Token: SeSystemEnvironmentPrivilege	3844	wmic.exe
Token: SeRemoteShutdownPrivilege	3844	wmic.exe
Token: SeUndockPrivilege	3844	wmic.exe
Token: SeManageVolumePrivilege	3844	wmic.exe
Token: 33	3844	wmic.exe
Token: 34	3844	wmic.exe
Token: 35	3844	wmic.exe
Token: 36	3844	wmic.exe
Token: SeIncreaseQuotaPrivilege	1252	wmic.exe
Token: SeSecurityPrivilege	1252	wmic.exe
Token: SeTakeOwnershipPrivilege	1252	wmic.exe
Token: SeLoadDriverPrivilege	1252	wmic.exe
Token: SeSystemProfilePrivilege	1252	wmic.exe
Token: SeSystemtimePrivilege	1252	wmic.exe
Token: SeProfSingleProcessPrivilege	1252	wmic.exe
Token: SeIncBasePriorityPrivilege	1252	wmic.exe
Token: SeCreatePagefilePrivilege	1252	wmic.exe
Token: SeBackupPrivilege	1252	wmic.exe
Token: SeRestorePrivilege	1252	wmic.exe
Token: SeShutdownPrivilege	1252	wmic.exe
Token: SeDebugPrivilege	1252	wmic.exe
Token: SeSystemEnvironmentPrivilege	1252	wmic.exe
Token: SeRemoteShutdownPrivilege	1252	wmic.exe
Token: SeUndockPrivilege	1252	wmic.exe
Token: SeManageVolumePrivilege	1252	wmic.exe
Token: 33	1252	wmic.exe
Token: 34	1252	wmic.exe
Token: 35	1252	wmic.exe
Token: 36	1252	wmic.exe
Token: SeIncreaseQuotaPrivilege	1252	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4860	4428	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	87
PID 4428 wrote to memory of 4860	4428	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	87
PID 4428 wrote to memory of 4860	4428	5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe	87
PID 4860 wrote to memory of 3844	4860	clrvu.exe	88
PID 4860 wrote to memory of 3844	4860	clrvu.exe	88
PID 4860 wrote to memory of 3844	4860	clrvu.exe	88
PID 4860 wrote to memory of 1252	4860	clrvu.exe	91
PID 4860 wrote to memory of 1252	4860	clrvu.exe	91
PID 4860 wrote to memory of 1252	4860	clrvu.exe	91
PID 4860 wrote to memory of 464	4860	clrvu.exe	93
PID 4860 wrote to memory of 464	4860	clrvu.exe	93
PID 4860 wrote to memory of 464	4860	clrvu.exe	93
PID 4860 wrote to memory of 2980	4860	clrvu.exe	95
PID 4860 wrote to memory of 2980	4860	clrvu.exe	95
PID 4860 wrote to memory of 2980	4860	clrvu.exe	95
PID 4860 wrote to memory of 396	4860	clrvu.exe	97
PID 4860 wrote to memory of 396	4860	clrvu.exe	97
PID 4860 wrote to memory of 396	4860	clrvu.exe	97

C:\Users\Admin\AppData\Local\Temp\5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe
"C:\Users\Admin\AppData\Local\Temp\5084ab2cc5e8d74934a278832a025409eb9c55174fb407fc960c53c634042683.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\clrvu.exe
  C:\Users\Admin\AppData\Local\Temp/clrvu.exe /PID=8805 /SUBPID=0 /DISTID=26718 /VM=2 /NETWORDK=1 /CID=0 /PRODUCT_ID=25912 /RETURNING_USER_DAYS=2 /SERVER_URL=http://installer.ppdownload.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375809.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375809.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375809.txt bios get version
    3⤵
    PID:464
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375809.txt bios get version
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\91695375809.txt bios get version
    3⤵
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 844
    3⤵
    - Program crash
    PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\91695375809.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
C:\Users\Admin\AppData\Local\Temp\clrvu.exe

Filesize
804KB

MD5
be68db8b143151636145ff1cec67bc53

SHA1
61dd5573901bbf9618ed938b831f81bd00c0b229

SHA256
781431f688efbc927a732302e25cee24d94833d416047d68ee9e80f3126f5623

SHA512
dfc8d41084896f45b58830cb536010cbb843b58c7b38e2ac9ffd4c0e1c76a317fdfd4c07f2aa83896d245b1b7cb2886e36ba023caea70fe7d9a78b747c40938d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6A05.tmp\yolo.dll

Filesize
125KB

MD5
0499fd97ea937c781b215c0d8b42c335

SHA1
19eee2fd9aeb9098ca8954d3d855df64dff1da10

SHA256
46afe34ef9bcc3e2d76bd85f73235cabd22982b29ac85e5b8415ecb72fb10760

SHA512
b54821c203cb5ec2e59404500607a6f1e6e213f00ef4acf866837fba3696a96b5b0f986e3547bce6b66f4cbb056d49862be0785a3e711b2aee30bb4b99d93cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6A05.tmp\yolo.dll

Filesize
125KB

MD5
0499fd97ea937c781b215c0d8b42c335

SHA1
19eee2fd9aeb9098ca8954d3d855df64dff1da10

SHA256
46afe34ef9bcc3e2d76bd85f73235cabd22982b29ac85e5b8415ecb72fb10760

SHA512
b54821c203cb5ec2e59404500607a6f1e6e213f00ef4acf866837fba3696a96b5b0f986e3547bce6b66f4cbb056d49862be0785a3e711b2aee30bb4b99d93cad

Download Submit