8298eb8b66973ee39f29a001da9cca3c2a32d930f36076550ad95ad6a25785b6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

053edfb1575416aae29d078b208f75bf.exe
Size

581KB
MD5

053edfb1575416aae29d078b208f75bf
SHA1

711fe826a805fd5ca97d7a269573a838af7f68d4
SHA256

8298eb8b66973ee39f29a001da9cca3c2a32d930f36076550ad95ad6a25785b6
SHA512

2cba277f6b5597fc26e0df180f994799706108dfe9ee0033e00680b762fea5aebfa6ad4aed0fb5e0664cf65dfeb6152cb2b7bd1d5f2ed48459c91512cf82b042
SSDEEP

12288:+uDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+F:+MJbl+36tKPdhJ7y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2504	1431831751.exe

Loads dropped DLL 11 IoCs

pid	Process
2512	053edfb1575416aae29d078b208f75bf.exe
2512	053edfb1575416aae29d078b208f75bf.exe
2512	053edfb1575416aae29d078b208f75bf.exe
2512	053edfb1575416aae29d078b208f75bf.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	2504	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe
Token: SeSystemProfilePrivilege	2412	wmic.exe
Token: SeSystemtimePrivilege	2412	wmic.exe
Token: SeProfSingleProcessPrivilege	2412	wmic.exe
Token: SeIncBasePriorityPrivilege	2412	wmic.exe
Token: SeCreatePagefilePrivilege	2412	wmic.exe
Token: SeBackupPrivilege	2412	wmic.exe
Token: SeRestorePrivilege	2412	wmic.exe
Token: SeShutdownPrivilege	2412	wmic.exe
Token: SeDebugPrivilege	2412	wmic.exe
Token: SeSystemEnvironmentPrivilege	2412	wmic.exe
Token: SeRemoteShutdownPrivilege	2412	wmic.exe
Token: SeUndockPrivilege	2412	wmic.exe
Token: SeManageVolumePrivilege	2412	wmic.exe
Token: 33	2412	wmic.exe
Token: 34	2412	wmic.exe
Token: 35	2412	wmic.exe
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe
Token: SeSystemProfilePrivilege	2412	wmic.exe
Token: SeSystemtimePrivilege	2412	wmic.exe
Token: SeProfSingleProcessPrivilege	2412	wmic.exe
Token: SeIncBasePriorityPrivilege	2412	wmic.exe
Token: SeCreatePagefilePrivilege	2412	wmic.exe
Token: SeBackupPrivilege	2412	wmic.exe
Token: SeRestorePrivilege	2412	wmic.exe
Token: SeShutdownPrivilege	2412	wmic.exe
Token: SeDebugPrivilege	2412	wmic.exe
Token: SeSystemEnvironmentPrivilege	2412	wmic.exe
Token: SeRemoteShutdownPrivilege	2412	wmic.exe
Token: SeUndockPrivilege	2412	wmic.exe
Token: SeManageVolumePrivilege	2412	wmic.exe
Token: 33	2412	wmic.exe
Token: 34	2412	wmic.exe
Token: 35	2412	wmic.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2504	2512	053edfb1575416aae29d078b208f75bf.exe	28
PID 2512 wrote to memory of 2504	2512	053edfb1575416aae29d078b208f75bf.exe	28
PID 2512 wrote to memory of 2504	2512	053edfb1575416aae29d078b208f75bf.exe	28
PID 2512 wrote to memory of 2504	2512	053edfb1575416aae29d078b208f75bf.exe	28
PID 2504 wrote to memory of 2412	2504	1431831751.exe	29
PID 2504 wrote to memory of 2412	2504	1431831751.exe	29
PID 2504 wrote to memory of 2412	2504	1431831751.exe	29
PID 2504 wrote to memory of 2412	2504	1431831751.exe	29
PID 2504 wrote to memory of 2880	2504	1431831751.exe	33
PID 2504 wrote to memory of 2880	2504	1431831751.exe	33
PID 2504 wrote to memory of 2880	2504	1431831751.exe	33
PID 2504 wrote to memory of 2880	2504	1431831751.exe	33
PID 2504 wrote to memory of 2600	2504	1431831751.exe	34
PID 2504 wrote to memory of 2600	2504	1431831751.exe	34
PID 2504 wrote to memory of 2600	2504	1431831751.exe	34
PID 2504 wrote to memory of 2600	2504	1431831751.exe	34
PID 2504 wrote to memory of 2632	2504	1431831751.exe	37
PID 2504 wrote to memory of 2632	2504	1431831751.exe	37
PID 2504 wrote to memory of 2632	2504	1431831751.exe	37
PID 2504 wrote to memory of 2632	2504	1431831751.exe	37
PID 2504 wrote to memory of 2652	2504	1431831751.exe	39
PID 2504 wrote to memory of 2652	2504	1431831751.exe	39
PID 2504 wrote to memory of 2652	2504	1431831751.exe	39
PID 2504 wrote to memory of 2652	2504	1431831751.exe	39
PID 2504 wrote to memory of 2184	2504	1431831751.exe	40
PID 2504 wrote to memory of 2184	2504	1431831751.exe	40
PID 2504 wrote to memory of 2184	2504	1431831751.exe	40
PID 2504 wrote to memory of 2184	2504	1431831751.exe	40

C:\Users\Admin\AppData\Local\Temp\053edfb1575416aae29d078b208f75bf.exe
"C:\Users\Admin\AppData\Local\Temp\053edfb1575416aae29d078b208f75bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 2]3]0]8]3]2]4]1]7]0]1 LU1JPDoxLDErIC5RUkJIRkI5LxkvTUNRV0dPSUVDNjAfLUFJS1FHQDwrNzE1LyAnQEdAPCkgLk5PTzxSQVBeQkQ8LzM5LB0tT0RLVkRQXFVKSTtkc21wOS0sc2pzLEBETEssUkxQJT5OTC1CTkVNHS87SUc/SkJEPHVGVkpHLzFELkoxRlFLMUguSVU7UjU3TiAnQS85MCowLzMdLzwvOykwGS9DMTotKR0tQDM2LTAeLEQtOistHyhQUU1BVTtRXUxRQlZAQVY9GCxOTk49VUJSXEVNST85HyhQUU1BVTtRXUpARkU8HixFUEJdUVFFPR8tQlg9XEFJQ0VJTUM6ICdFTU9TWEJRTVRTPU87LB8oVEc/S0tRTFNbVEtMPB4sVkU6MBwuPVMwOx0vSlJMUEhGRV5VQkw7TEtBSEZBRkNSUkQ6HitITF9RU0tUQUpDOXNrdWQeLFI9UVNOTUJORl1SUz1PXUBAUlM8MB0vQEZCQVc2MR8tRlNXQVdKQEZJQl1CTjtPV0xTPkQ8ZF5sa2IeK0NIV01KTEE8XEdMPC82LTAxOSY1MSowMTQfLVFJRUI7LTMsMTcxMzIwLR4rQ0hXTUpMQTxcUkVMPj00LS43Jy8uLTQjNDkvNTooLSg9TBkvVD86TWd3Z2hrWiUxZDIuKCgmU2hnZG51cCtGUSkyLSolMmAoV0dUNDAkLGIqUm9pXGJscCQrZjYsLSUrXyludR4zYC8uLigmKWhoZGUqRWJjY2weK1RLTDxmcXRoIjFdJCtmJDBjZ11xLyovKjEwYmJzYWRsKmhnZm4jL2ZKcmxQaGZlQ210bmRsX2BMWm5gZWJyV2FjbGtoeSQwYzEsMC80Mi8yNy4iMl5hbXNtZW9gYmphZl5lYXEeMmUvMTMpNTEyMTEwJDFjNDA2NzQ2KzExMy5ZKS5wTmgxdE9VNTdEZjZxSmExYUxQcylKUlFzQ1dmL0hDKHVKT1FtT3hxaVk7aC5HQmRwS2hOa1B3QzFJTGdjVkB3L0lBNGdSekAvR0NfYlZQTDFLeHVpWWVDaFRGU2FgME43WmpQc2FQY2NVL1ZmVmtoalJ6a3RORSlIT3U3KVF5QEdMYz9KTWk/RUtpdVVIU0N1TE5nY1dTeGxfUm9z
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703441207.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703441207.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703441207.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703441207.txt bios get version
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703441207.txt bios get version
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
445KB

MD5
d26a2fa55c09bec56d616fa0d6cb154a

SHA1
65655370cb5e41f3f1b9122c4c14a5170dac9e02

SHA256
a8e4d5759060edca3f19cbf7782750d970d8984cf218a79f271958ac4a814fcb

SHA512
a82e8fe16058aacba45408aea7eded7e2e190a18046cd2b76c1382b85cd73d06e235fbf55e740febe185756d05eaaf34189b36d68c22bc2b019eb9474ced808f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
248KB

MD5
382e6a0a99b847b76555ef5cdae087e3

SHA1
9a0d3d3607ef51de4aad31b8e53c53b3f1988fd5

SHA256
5917aaf417dc6d3f1923675402baf843cd9eae79d41e5be75de60c178e622f8a

SHA512
a9191bd44403930143fb6d37e0d820aaac47636d90e956f21f52b7930d42e580a7416923f6002ba3be82a2dc7583e8dc1a3eabc47cb57a8f0e42609c7d6596d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703441207.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5B99.tmp\cgibuti.dll

Filesize
153KB

MD5
9b081b4f84974a46cffcf1ef1a2e85f9

SHA1
70a1b83bad19d28195f2df22c3d213a04b42fb2b

SHA256
303f74df9812b639b66f919804039d1e295ffae8e543fa4349507110ac766752

SHA512
4539a458b1d2ba61ffcf71ea59addd13727d26606f73dbfb21053d68d5656010dae5791d486789c14653c6fb953a7dc284c3a80db2b1970a0e7f0778ab77dbbf

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
352KB

MD5
3127791183c11269d734a119e619e635

SHA1
4f0c09c78f0e1c6a102c974e4a44f339c6615e60

SHA256
1a5eb38c2550322ec6299d8d4db35ce6bc1c7e53054624ce15af21f6cff28c43

SHA512
223006f82ef7c48f85fa275e0d2108b2b6352b1bbdc2b546b35e193d53556692dc8e40885ee58d79f539c5187268a334a88b395ed357b9257c73f7ee04528020

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
381KB

MD5
71738bae3ec62d69fe3c22b3e280e315

SHA1
cc5e0e899a3d100e64aba2d4ecad6dbba6f12c64

SHA256
22c3f79ac105fa3bdb31e7f2704735434756a6de8fea38401df5c8e087ab0158

SHA512
323f96b71518697fb1f3949e75b60af813b08acd90cf46b2138da85de34149fc6a92dcce34c923dfb1626ffa27f5d813fe2efc14d9e4f35be836295eea18fcf2

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
788KB

MD5
8890fe58240790af20b7006c537a69a2

SHA1
aebb9a5cbd652634e017bbe57d1ba032b90f5a5b

SHA256
747baf72bd89b1dc09ec74093aad6249b2ee983e56cb730476a107ee5024be27

SHA512
ddf24bf4004148b7f90b4659bc2cd59cc97c3fa9b1c75d2bfdb89d0547ecb1b62405d5258f6ea7c4e18c3892cb1cb7c4fb354f34a091325ca9b940d99eafb074

Download Submit
\Users\Admin\AppData\Local\Temp\nso5B99.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit