8a379a4e3c2c7d4165b20b961af2a6799b89a9d729a31cecc324c7ad2bb2d54d

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d8bd0abfe9c448f8b3f08c8c181390.exe
Size

581KB
MD5

04d8bd0abfe9c448f8b3f08c8c181390
SHA1

00b40dd8d27ec3403d2cd5d588b7808eedd89579
SHA256

8a379a4e3c2c7d4165b20b961af2a6799b89a9d729a31cecc324c7ad2bb2d54d
SHA512

1933deb59010f4cf685ed78300923631e0a5cc34ca99ebf69e8eb8286b4774cdf0e4ee598b7ef7866d6620a8d7ca36733ebdb259972c09e85995ef869ec301a3
SSDEEP

12288:+TDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+Q:+PJbl+36tKPdhJ7d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	1431831751.exe

Loads dropped DLL 11 IoCs

pid	Process
2276	04d8bd0abfe9c448f8b3f08c8c181390.exe
2276	04d8bd0abfe9c448f8b3f08c8c181390.exe
2276	04d8bd0abfe9c448f8b3f08c8c181390.exe
2276	04d8bd0abfe9c448f8b3f08c8c181390.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2844	2716	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2088	wmic.exe
Token: SeSecurityPrivilege	2088	wmic.exe
Token: SeTakeOwnershipPrivilege	2088	wmic.exe
Token: SeLoadDriverPrivilege	2088	wmic.exe
Token: SeSystemProfilePrivilege	2088	wmic.exe
Token: SeSystemtimePrivilege	2088	wmic.exe
Token: SeProfSingleProcessPrivilege	2088	wmic.exe
Token: SeIncBasePriorityPrivilege	2088	wmic.exe
Token: SeCreatePagefilePrivilege	2088	wmic.exe
Token: SeBackupPrivilege	2088	wmic.exe
Token: SeRestorePrivilege	2088	wmic.exe
Token: SeShutdownPrivilege	2088	wmic.exe
Token: SeDebugPrivilege	2088	wmic.exe
Token: SeSystemEnvironmentPrivilege	2088	wmic.exe
Token: SeRemoteShutdownPrivilege	2088	wmic.exe
Token: SeUndockPrivilege	2088	wmic.exe
Token: SeManageVolumePrivilege	2088	wmic.exe
Token: 33	2088	wmic.exe
Token: 34	2088	wmic.exe
Token: 35	2088	wmic.exe
Token: SeIncreaseQuotaPrivilege	2180	wmic.exe
Token: SeSecurityPrivilege	2180	wmic.exe
Token: SeTakeOwnershipPrivilege	2180	wmic.exe
Token: SeLoadDriverPrivilege	2180	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2716	2276	04d8bd0abfe9c448f8b3f08c8c181390.exe	28
PID 2276 wrote to memory of 2716	2276	04d8bd0abfe9c448f8b3f08c8c181390.exe	28
PID 2276 wrote to memory of 2716	2276	04d8bd0abfe9c448f8b3f08c8c181390.exe	28
PID 2276 wrote to memory of 2716	2276	04d8bd0abfe9c448f8b3f08c8c181390.exe	28
PID 2716 wrote to memory of 2796	2716	1431831751.exe	17
PID 2716 wrote to memory of 2796	2716	1431831751.exe	17
PID 2716 wrote to memory of 2796	2716	1431831751.exe	17
PID 2716 wrote to memory of 2796	2716	1431831751.exe	17
PID 2716 wrote to memory of 2088	2716	1431831751.exe	18
PID 2716 wrote to memory of 2088	2716	1431831751.exe	18
PID 2716 wrote to memory of 2088	2716	1431831751.exe	18
PID 2716 wrote to memory of 2088	2716	1431831751.exe	18
PID 2716 wrote to memory of 2180	2716	1431831751.exe	25
PID 2716 wrote to memory of 2180	2716	1431831751.exe	25
PID 2716 wrote to memory of 2180	2716	1431831751.exe	25
PID 2716 wrote to memory of 2180	2716	1431831751.exe	25
PID 2716 wrote to memory of 2600	2716	1431831751.exe	24
PID 2716 wrote to memory of 2600	2716	1431831751.exe	24
PID 2716 wrote to memory of 2600	2716	1431831751.exe	24
PID 2716 wrote to memory of 2600	2716	1431831751.exe	24
PID 2716 wrote to memory of 2400	2716	1431831751.exe	23
PID 2716 wrote to memory of 2400	2716	1431831751.exe	23
PID 2716 wrote to memory of 2400	2716	1431831751.exe	23
PID 2716 wrote to memory of 2400	2716	1431831751.exe	23
PID 2716 wrote to memory of 2844	2716	1431831751.exe	22
PID 2716 wrote to memory of 2844	2716	1431831751.exe	22
PID 2716 wrote to memory of 2844	2716	1431831751.exe	22
PID 2716 wrote to memory of 2844	2716	1431831751.exe	22

C:\Users\Admin\AppData\Local\Temp\04d8bd0abfe9c448f8b3f08c8c181390.exe
"C:\Users\Admin\AppData\Local\Temp\04d8bd0abfe9c448f8b3f08c8c181390.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 1|8|9|1|7|0|2|1|0|1|0 LkhAQzYzLjEyHy9STTlPQkQ7LyAuTkRMTk5LS0dDPS8gLjxAUk1JQjwyNjI2LBcuPElCPDAfL09KRkNOQ1JeSUM9MC4wMxkvUURSVUVRV0xRRT1mc3RvOi4nanFvLkJEU0otU0dHLDpQTi1JTUZOGCZCRUlBSklDPXZMJ0NKM0A4TS9WNkxCOERHTEM4QFFKMBcuPTE7MDEvMjAYJkMrPSswIC5EMjUkMBkvQjM9LDEfJzs0Ni0vHy9PUk48TEJNX05RSVVBQlE0HyhQUE5EVENTVzxURUE7Hy9PUk48TEJNX0xATUQ9Hyc8Vz5fU1FMPCAuPU9EWENLQ0xITkQ1Fy5BT1FTX0FSTk9KREs9Lh8vU0hARkJYSFVdVFJLPR8nTUw2Mh4uRFIxPBgmUU5OUkhNRF9WPUNCSE1DSE1AR0RNSUs2IC1IU15SVEZLSEZFO3NydGUfJ0lETVVQTUlNR15NSkRLX0JAWVI9MRgmR0JEQ1c9MCAuQUpePVlMQE1IQ149RUJLWU5TRUM9ZVljcl4gLUNPVk5LRzhDWElOPDY1LjAoKS0xLi82MR8vU0FERDYxMjIxNzM3Ly8wGS9CTldNTE45O15NSUtEPTQvMC8mMSkxMyk0OTU4MiswI0FLHy9UQTxFZnlibGpgJTFmNCYnKiFXZ21kbndyI0VTJDYsMCUyYipPRlYvNCMyYipUcWFbZGd0IzFmNi4vHSphJHJ0JDNgMTAmJygkbGdqZSpHZFtibhkvU1FMPGhzbGckLGEjMWYkMmVfXHMqLi4wMTBkZGtgZmcuZ21mbiUxXkl0Z1RnbGVDb3ZmY25aZEtgbmBnZGpWY15wam55JDJlKSsyKjgxNzc3MCQqXWNod2xrb2BkbFllYGBlcCQyZTEzKyg3LDg1NzAkM2UwKzcuODcwNjA2MVApRWxTZzdyT21uMENSLXFKZzVlTlJjKUs9WXNJR1A1Skw8d0R5VG5QQm9qUDovKkxBam5MU3JkT2k6MUlSa2dYQmcvSXNBZVhpdjVJS25kUHpPMkxCc2pQZFVkWUVZWWFGNzBZVkdzYVZnZ1cxRmZXUHBoWGpVelM7ajdMREc3T0RjdExhTUZSaEVDUWtnPERpMkpQeUFnWVVobGA9d3E=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703440158.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703440158.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2844

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703440158.txt bios get version
1⤵
PID:2400

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703440158.txt bios get version
1⤵
PID:2600

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703440158.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
113KB

MD5
55bd15e593a84d40d751f87b0a6a4594

SHA1
4612481367e155f1d9fc709e09c79dc649341227

SHA256
77064fabbca8c8e965e1f33ced07266e716ee5b43b9de6d80b8bebefbd6b2266

SHA512
ed315cf984a98aeaa50027f2d2b5e06095b3920e7ebfa574738bd54d3b24245190f1f3e3aee573fdd7764b659dd36bcdb7849993989374781c846261ec7cd4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
149KB

MD5
aece627b1e0c46435f001e85a21ba03a

SHA1
3dcd318bbd9547d6bf1a28d7cbfcdbec584930d7

SHA256
3e3af083843948ecc46a40646370464b138b98e473b14e4d3d7d3ac166a00976

SHA512
98e20f0df87ea58f08a2faea8f9b071af71dcaa7f1702eff9819bdbbd5bea71f2bd4c012eacfa8e292d44ef7b42a2687ab2e7519407fc7cdbe69f4d7c356d107

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703440158.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7FD.tmp\cgibuti.dll

Filesize
126KB

MD5
28b33dfd93c77f2eb82b9db6897e0fbb

SHA1
15b36a5eb52261d39822248786f281c5bcc70330

SHA256
2258938c1570e45be9119bd62ed3c424bd247571cc5af39f27206c55b5114f85

SHA512
457c6838784c41ae4105de04a4618512913e85a196be342558f1ec7dafa30baadd9133fa7f8f19fbdd0f587bbf109cf1e9610b3ca3c32eb839d07f7d19d180ff

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
120KB

MD5
bc81944c011e5d3e810bc0768ef26c5e

SHA1
a3234d14e3a10ab2f53a264255bdf41df8899e56

SHA256
4d1d035690de0307bd53a5b1c5c235902ef18cbf26e25b68df168ad39ae98273

SHA512
d913902e8aa4b9eae99fe3b0430238d82a5710c9b0a96498a8ca93db6558c5d0c69e311cbff6f1b6fac29c3527a5f6c59273f41247fb19b3146dacc2444890c5

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
174KB

MD5
a08f03a6ee641221444f1e7bd23ce098

SHA1
fc711754ae120aedd0e97bbe0070ce93a160f748

SHA256
d98142577c342e428e3dda164641478dd8012089206c98c7661137678848965f

SHA512
f2ed13f8838bd0ad5286c6a90e727a916ec6d7a0c5a2d41c00beb2991405b584fe379b106afc042dcb1c1b631cf1294ccf7ddf28ebe0b00c0e26612585799ac8

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
58KB

MD5
96fa138e3af19083187122b3ce61cd20

SHA1
f14129281e9a83d37e1d3bcd2d1c0629035643e9

SHA256
7edd7dfcb29f31d5cd1f680f550c2f85aa15731c924891f527d8b35704cd4616

SHA512
3cf5dc3352c2e00931aef1b4584a121f4dc9b7b876cfd97deaa0da958d42d73ea09fa772bac8375042d65f1e5ab8effc4cdc96641b42d23e91fd44c180ceed5a

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
75KB

MD5
98429fc665d18e57ca9a09bf515db80d

SHA1
a00e7c354ed3267748d3f4fd85acd77c08c37ba9

SHA256
987317daf04ffffb3d6782157bb232ada787fd87776bd7e4e2143ae0b30f09a7

SHA512
f9132dda5804018a8e58d75af7588c6c8ed9a3e89ae82ae9de70ff11cf5c5a31c180bc4facfb314d8b2bd86840210fbf6010ca6d9b52a8ff36b95ec52884e7d2

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
92KB

MD5
439e79e5fb7438045aaf869b610af5cc

SHA1
f8561fd10e9955c1632bcdc2af253c6f62670da6

SHA256
d99c6f7359a06da40ae233c38e5171a48ddb84a984cb6cf00f9d3e345f5e5298

SHA512
92e64517e951462b079e52613ef4f81d94f853d875863c9856192efacda0347248812fe5f40b547856247151a336c40d767403da13bb0d861d159544f3eaf273

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
62KB

MD5
72fc71edd9487ff93115e620ea4dad7a

SHA1
99015f70ec663bb23e88a6b740330dac63e4acae

SHA256
b255c41b031ef22f219886274c620b51ec1ab5d3c4dc27cce2d5e16f7c7fcd2d

SHA512
3e6446fc74c1894416b9ba919f2799a09eadf53c58e1ac533a2b3d5f7307a3165cc4f17c69b1e1c29a5d43667fbf9538bce685d3e2b66b4afcd745a03531835e

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
133KB

MD5
be9c153880dac4c27c60a9fa78a33eb2

SHA1
76ba061811740c1113e570549fc9be29712f3a24

SHA256
3db00493ee827abd372f660a7d1a3d5555f5e2cee90e76320aef69bd694a0831

SHA512
ff56dfa8aad042d26f2807e5ac62a1995e2e8a26fe4f9cd46306859c92353a3ba27789ed672869c68d132236d991b13195b2238780b6b131d77913650cf159e8

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
45KB

MD5
44266e76b5fff44edadb2a6570ca4bfb

SHA1
f1252cdff893649e84d0efb04f49256479dd2b52

SHA256
003434778dc8ca706d650706898cf2a544f12b4dcbe940c00f5457d22e4181ab

SHA512
24bf85387a81644af312722a6bc46e27eb1cb3913916a774563332abd3ac47a3962636b8eabe8315ab055b25236a72e3dbe38d3090fb458bc7815f824d5d3cf3

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7FD.tmp\cgibuti.dll

Filesize
141KB

MD5
331eed6a9515c54ee3a05717531f2c61

SHA1
470a8758034b30f0071c9aeba0a240f91b7f43fd

SHA256
2e0a3686b4602c5cfefc8778b51f14e78e8f9911175c25b9466c22c6b96d400b

SHA512
65308f4fd8deb720cb609b9bb8844b3b2e8cfc67d710119194e4dbf32f2cb64ddf0f5c45fd5778d13798a959260430e83b9d56ffc1fb567bba5061c390514afd

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7FD.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit