16302e332401d4c0366df780eb5357a18166ea008d310bc5b6715951eb674f18

Analysis

max time kernel
119s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18c5b027e886686720b87b0bb8b8d112.exe
Size

695KB
MD5

18c5b027e886686720b87b0bb8b8d112
SHA1

1efbce102fe7c14b3b85647174941e9f3c7fb600
SHA256

16302e332401d4c0366df780eb5357a18166ea008d310bc5b6715951eb674f18
SHA512

7148d91f3bc9b50852c784013572260b7a806f6a1980dab198ddedc6a3a4352de59cb77325bd285a804bb016256416a7504906443e9a56766728a6132e6b2efb
SSDEEP

12288:wDRzyMP5jUoyL4hVxY8lRAB6U5YJTrNCorzAeIh4em0ZSkh0F3JF:wDRm2jdzqYBJcnHh4MSJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2892	1432242120.exe

Loads dropped DLL 11 IoCs

pid	Process
2444	18c5b027e886686720b87b0bb8b8d112.exe
2444	18c5b027e886686720b87b0bb8b8d112.exe
2444	18c5b027e886686720b87b0bb8b8d112.exe
2444	18c5b027e886686720b87b0bb8b8d112.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2008	2892	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2740	wmic.exe
Token: SeSecurityPrivilege	2740	wmic.exe
Token: SeTakeOwnershipPrivilege	2740	wmic.exe
Token: SeLoadDriverPrivilege	2740	wmic.exe
Token: SeSystemProfilePrivilege	2740	wmic.exe
Token: SeSystemtimePrivilege	2740	wmic.exe
Token: SeProfSingleProcessPrivilege	2740	wmic.exe
Token: SeIncBasePriorityPrivilege	2740	wmic.exe
Token: SeCreatePagefilePrivilege	2740	wmic.exe
Token: SeBackupPrivilege	2740	wmic.exe
Token: SeRestorePrivilege	2740	wmic.exe
Token: SeShutdownPrivilege	2740	wmic.exe
Token: SeDebugPrivilege	2740	wmic.exe
Token: SeSystemEnvironmentPrivilege	2740	wmic.exe
Token: SeRemoteShutdownPrivilege	2740	wmic.exe
Token: SeUndockPrivilege	2740	wmic.exe
Token: SeManageVolumePrivilege	2740	wmic.exe
Token: 33	2740	wmic.exe
Token: 34	2740	wmic.exe
Token: 35	2740	wmic.exe
Token: SeIncreaseQuotaPrivilege	2740	wmic.exe
Token: SeSecurityPrivilege	2740	wmic.exe
Token: SeTakeOwnershipPrivilege	2740	wmic.exe
Token: SeLoadDriverPrivilege	2740	wmic.exe
Token: SeSystemProfilePrivilege	2740	wmic.exe
Token: SeSystemtimePrivilege	2740	wmic.exe
Token: SeProfSingleProcessPrivilege	2740	wmic.exe
Token: SeIncBasePriorityPrivilege	2740	wmic.exe
Token: SeCreatePagefilePrivilege	2740	wmic.exe
Token: SeBackupPrivilege	2740	wmic.exe
Token: SeRestorePrivilege	2740	wmic.exe
Token: SeShutdownPrivilege	2740	wmic.exe
Token: SeDebugPrivilege	2740	wmic.exe
Token: SeSystemEnvironmentPrivilege	2740	wmic.exe
Token: SeRemoteShutdownPrivilege	2740	wmic.exe
Token: SeUndockPrivilege	2740	wmic.exe
Token: SeManageVolumePrivilege	2740	wmic.exe
Token: 33	2740	wmic.exe
Token: 34	2740	wmic.exe
Token: 35	2740	wmic.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe
Token: SeSystemProfilePrivilege	2612	wmic.exe
Token: SeSystemtimePrivilege	2612	wmic.exe
Token: SeProfSingleProcessPrivilege	2612	wmic.exe
Token: SeIncBasePriorityPrivilege	2612	wmic.exe
Token: SeCreatePagefilePrivilege	2612	wmic.exe
Token: SeBackupPrivilege	2612	wmic.exe
Token: SeRestorePrivilege	2612	wmic.exe
Token: SeShutdownPrivilege	2612	wmic.exe
Token: SeDebugPrivilege	2612	wmic.exe
Token: SeSystemEnvironmentPrivilege	2612	wmic.exe
Token: SeRemoteShutdownPrivilege	2612	wmic.exe
Token: SeUndockPrivilege	2612	wmic.exe
Token: SeManageVolumePrivilege	2612	wmic.exe
Token: 33	2612	wmic.exe
Token: 34	2612	wmic.exe
Token: 35	2612	wmic.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2892	2444	18c5b027e886686720b87b0bb8b8d112.exe	30
PID 2444 wrote to memory of 2892	2444	18c5b027e886686720b87b0bb8b8d112.exe	30
PID 2444 wrote to memory of 2892	2444	18c5b027e886686720b87b0bb8b8d112.exe	30
PID 2444 wrote to memory of 2892	2444	18c5b027e886686720b87b0bb8b8d112.exe	30
PID 2892 wrote to memory of 2740	2892	1432242120.exe	31
PID 2892 wrote to memory of 2740	2892	1432242120.exe	31
PID 2892 wrote to memory of 2740	2892	1432242120.exe	31
PID 2892 wrote to memory of 2740	2892	1432242120.exe	31
PID 2892 wrote to memory of 2612	2892	1432242120.exe	34
PID 2892 wrote to memory of 2612	2892	1432242120.exe	34
PID 2892 wrote to memory of 2612	2892	1432242120.exe	34
PID 2892 wrote to memory of 2612	2892	1432242120.exe	34
PID 2892 wrote to memory of 2220	2892	1432242120.exe	37
PID 2892 wrote to memory of 2220	2892	1432242120.exe	37
PID 2892 wrote to memory of 2220	2892	1432242120.exe	37
PID 2892 wrote to memory of 2220	2892	1432242120.exe	37
PID 2892 wrote to memory of 1044	2892	1432242120.exe	38
PID 2892 wrote to memory of 1044	2892	1432242120.exe	38
PID 2892 wrote to memory of 1044	2892	1432242120.exe	38
PID 2892 wrote to memory of 1044	2892	1432242120.exe	38
PID 2892 wrote to memory of 2524	2892	1432242120.exe	40
PID 2892 wrote to memory of 2524	2892	1432242120.exe	40
PID 2892 wrote to memory of 2524	2892	1432242120.exe	40
PID 2892 wrote to memory of 2524	2892	1432242120.exe	40
PID 2892 wrote to memory of 2008	2892	1432242120.exe	42
PID 2892 wrote to memory of 2008	2892	1432242120.exe	42
PID 2892 wrote to memory of 2008	2892	1432242120.exe	42
PID 2892 wrote to memory of 2008	2892	1432242120.exe	42

C:\Users\Admin\AppData\Local\Temp\18c5b027e886686720b87b0bb8b8d112.exe
"C:\Users\Admin\AppData\Local\Temp\18c5b027e886686720b87b0bb8b8d112.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\1432242120.exe
  C:\Users\Admin\AppData\Local\Temp\1432242120.exe 7/7/2/6/5/4/6/6/7/8/3 KElHPjgtMy0vKx0oTFM8S0U+NykYLEc+UlFKTkVDPTUuHisuam1rXm9cbGtaZmM3TWFjZ1pfYhkoQkNOUEM+Nio0MCowGio/Qz42KB0oSVBJP1E9TlhBQTYrNDMvLxopTD1PTz5QWVBORjdhbHFpMy0pbm5wKD09UEQmUklLKTtKSSZGRz9NGio/RkM8Q0Y9Nh4pPy03JyoYLD0rOycsHCk+LDUqKhktPi85JysZJ0EuNisrGytKTEg8UjxNXUpNRVA7PFE6GShOTEpATz1NV0JORT83GytKTEg8UjxNXUg8ST83GSdCUT5dT01INxooPVU+WEFHP0hDSD41HShBTU1PWzxMSE9QPks7LxsrTkI6RkhSSFNZUE5GNxknU0Y2MBoqQE0rNhgsS05MTkRJP1lQPUk8SEs/REk7QT5NT0U2HilET1lMTkZRQkZDN29ub18ZJ08+TVNMSUVIQVhNUD5LXT48VU03KxgsQUJCP1M5KxooQVBYPVdIPElDPVg9SzxLV0pPQT43X1lpbF4eKT9LUUhFRz49WEdKOC0yKycpNjEnLzEzKistKxgsTUJLPzgtLi0rKjIpKjUrGys+SVBGSUg6QllPRUc/Ni0sKyotLCstLyQqKTcqLzgrLCZKRxknUjo2HilQTkY3YWxxaR4xWyAuYB8rXmRebXAoYWVmXzFcYmxkcmlrKl1pZh0vX0tzaE9lZ189Z3RnZW1bX0lbaFpfYmtYYl9raGlzHipjKyswLC0uLCwrKi8rKzAfLWJeaXBmaWhaYmdcalthXmoiK19lX28xMB8sXm0eLGIrNC8wLR4qM10eMV4tMzErKx0vL2UjLV8uMDMtKyIrL2wfLmArJWlqbF1uYW5pXWdfHithS15nZ1xjXx8rLmNiZWNoXGlfHyxcT15ia1tiYQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703561607.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703561607.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703561607.txt bios get version
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703561607.txt bios get version
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703561607.txt bios get version
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703561607.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703561607.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703561607.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
1021KB

MD5
3c920657a2b74fedabf5b7cf42ef3e79

SHA1
0da763326ac4904f14631539f3fc6803594ea9cb

SHA256
c918d21d78d0b997b2feee3712af0a31000e1b7a22d2bcccea5103b02bfbb21f

SHA512
8c7f309385d19c1af85b7471d7cc2df2a53190c4f1855133b4813506c944407a1e689525282795d07d80cc9e7fb02aa1d8e781b0cc275803f7beb914131c9ff7

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
490KB

MD5
b229b58241fdda538dff6a9b17743c77

SHA1
f1fe24a65055d94ee0fcbe9ed9b87c96b70e0027

SHA256
2be0372286ec3c81ff543c1f5cf3949fb5a09fb3b801842197c3f08a7bdb3e5d

SHA512
3a2220e4954c5e67c6ff43120c3296af3787149f012d8ee5db0578cc68b08b5fc680ebeea313b2531a166abd1a695f7b10e794abff1bdd9196c29ba5de0dd88a

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
849KB

MD5
d951919cd1b4be0ee329ddd11fc35832

SHA1
419ee05396cdbc97beab9126bf633b5c23fdba76

SHA256
c3c677156b9db51f5557519a393cadd7169da3c54b82ab7b444ddf8e60dd4756

SHA512
058b20267ce11ebe820419184ac1034db3e434448bda4c56a3dc9bfbac21199a4baa7ffe935cde98ae2fa568979ab30b94120b1b15898eccf50a3cc93ff8aa5b

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
771KB

MD5
1195b63f1e2441158990a98fba04081f

SHA1
e1a33540eb7bf349224ba7361e5c35e0ae5b8dd0

SHA256
2498c145abd6a71d35814280cd0e8254b3e076e2499433f8dbecf98a5feb22f2

SHA512
f0295535d4898f7b88b6c7507e6b9bdf0751788767d25b4f8b48ecec230ce25be35bde14e77758a28e44e718951e150779969ea2082b6559f9fd0ac8a7d98377

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
522KB

MD5
8f5fc1cfeaa6352d37eeec5874e869af

SHA1
cca292b4f668c48f91b0a3230b47e037f8c87b44

SHA256
b76bf2a18287d3748b2811f7d5e66d7407256ddecfc3fc7e3fbd0d7ab5bda842

SHA512
840cc1d30491bb7d4c46c70a6d9d6d47716509e6ab0bb85059ebf668c7590672d675f585b7dd1121a867cb7cc28d021a5f7485a9ae03afda828358fe9061d506

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
562KB

MD5
be1d7d0ce9cdf025b274f486a82ee3d2

SHA1
6334ac6f8fa8adef4e52e345754fb5238fc47f10

SHA256
a291b577b80389508db3508df0e89329cbc0cdca71a170c05d5cd24eeaf638fe

SHA512
b19dfe87cd752577668e29fb1274fb2205b1dea9c59b2ac31c1a1e7b6909f06021539c8a00724a606d2c1c2034a7b9e2f89a968fb65500ac8e1fe9ee190e269c

Download Submit
\Users\Admin\AppData\Local\Temp\1432242120.exe

Filesize
439KB

MD5
d91b6a53bf76029991424c5a26b21433

SHA1
bfc5d28a69b1cebc0528dffbd10a3f66991df009

SHA256
641b1e95b3627739786278a25f4a9604823617c75ae80548122c3391c6e85062

SHA512
ec8c6c337efc9335376e4db1ff6d393b61af9518a261d8d482d8152e859ee8f54f5cc22567166dd5dbeaabaef9e82c928bf0448b473f32bfe65c0abc2fe983c6

Download Submit
\Users\Admin\AppData\Local\Temp\nso12B7.tmp\jtbtjyt.dll

Filesize
158KB

MD5
50717a3c230f7e5d92695291df9541c1

SHA1
5fca1d6d65bff01d9bb8ac82f0fb696dcfa51b4b

SHA256
c96ed31b77fd2f24435c2b3c9aa65b46fe05070660d6ee053bc03a8c5e547d71

SHA512
8e8fbcdd400ece291021a5bcbf50b693f3e122e28930539577035fabe5ad2f1ee1965349208bb17a9015c42210c3d1a20fbdc7c10f922eb213bbfbf716d9218f

Download Submit
\Users\Admin\AppData\Local\Temp\nso12B7.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit