6bee7985d657d7bd67af472aeaf187770bc322fde9857122f7f6cc0277d8174c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057748a33b8ea8d62cc6b8d4ff6cd55e.exe
Size

581KB
MD5

057748a33b8ea8d62cc6b8d4ff6cd55e
SHA1

7188a760c14f53efc09ab71eaa2f03e8dc985c31
SHA256

6bee7985d657d7bd67af472aeaf187770bc322fde9857122f7f6cc0277d8174c
SHA512

162fa9100e03145f7dca48b683391f849dbd7d90d0c105de17ca80deb8d745c21ae36cbd274a624e9075b8f46b42674f3a6b66934ae86448b7e0408c216c171c
SSDEEP

12288:UqrLOfbfw892zPjQ6BVfCrvjHaQqMETxfPGa7znERAXl8ifyNLy:UqGTliDwrvba8Elh7rxlHKu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3016	1431799351.exe

Loads dropped DLL 11 IoCs

pid	Process
2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe
2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe
2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe
2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1064	3016	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3052	wmic.exe
Token: SeSecurityPrivilege	3052	wmic.exe
Token: SeTakeOwnershipPrivilege	3052	wmic.exe
Token: SeLoadDriverPrivilege	3052	wmic.exe
Token: SeSystemProfilePrivilege	3052	wmic.exe
Token: SeSystemtimePrivilege	3052	wmic.exe
Token: SeProfSingleProcessPrivilege	3052	wmic.exe
Token: SeIncBasePriorityPrivilege	3052	wmic.exe
Token: SeCreatePagefilePrivilege	3052	wmic.exe
Token: SeBackupPrivilege	3052	wmic.exe
Token: SeRestorePrivilege	3052	wmic.exe
Token: SeShutdownPrivilege	3052	wmic.exe
Token: SeDebugPrivilege	3052	wmic.exe
Token: SeSystemEnvironmentPrivilege	3052	wmic.exe
Token: SeRemoteShutdownPrivilege	3052	wmic.exe
Token: SeUndockPrivilege	3052	wmic.exe
Token: SeManageVolumePrivilege	3052	wmic.exe
Token: 33	3052	wmic.exe
Token: 34	3052	wmic.exe
Token: 35	3052	wmic.exe
Token: SeIncreaseQuotaPrivilege	3052	wmic.exe
Token: SeSecurityPrivilege	3052	wmic.exe
Token: SeTakeOwnershipPrivilege	3052	wmic.exe
Token: SeLoadDriverPrivilege	3052	wmic.exe
Token: SeSystemProfilePrivilege	3052	wmic.exe
Token: SeSystemtimePrivilege	3052	wmic.exe
Token: SeProfSingleProcessPrivilege	3052	wmic.exe
Token: SeIncBasePriorityPrivilege	3052	wmic.exe
Token: SeCreatePagefilePrivilege	3052	wmic.exe
Token: SeBackupPrivilege	3052	wmic.exe
Token: SeRestorePrivilege	3052	wmic.exe
Token: SeShutdownPrivilege	3052	wmic.exe
Token: SeDebugPrivilege	3052	wmic.exe
Token: SeSystemEnvironmentPrivilege	3052	wmic.exe
Token: SeRemoteShutdownPrivilege	3052	wmic.exe
Token: SeUndockPrivilege	3052	wmic.exe
Token: SeManageVolumePrivilege	3052	wmic.exe
Token: 33	3052	wmic.exe
Token: 34	3052	wmic.exe
Token: 35	3052	wmic.exe
Token: SeIncreaseQuotaPrivilege	2628	wmic.exe
Token: SeSecurityPrivilege	2628	wmic.exe
Token: SeTakeOwnershipPrivilege	2628	wmic.exe
Token: SeLoadDriverPrivilege	2628	wmic.exe
Token: SeSystemProfilePrivilege	2628	wmic.exe
Token: SeSystemtimePrivilege	2628	wmic.exe
Token: SeProfSingleProcessPrivilege	2628	wmic.exe
Token: SeIncBasePriorityPrivilege	2628	wmic.exe
Token: SeCreatePagefilePrivilege	2628	wmic.exe
Token: SeBackupPrivilege	2628	wmic.exe
Token: SeRestorePrivilege	2628	wmic.exe
Token: SeShutdownPrivilege	2628	wmic.exe
Token: SeDebugPrivilege	2628	wmic.exe
Token: SeSystemEnvironmentPrivilege	2628	wmic.exe
Token: SeRemoteShutdownPrivilege	2628	wmic.exe
Token: SeUndockPrivilege	2628	wmic.exe
Token: SeManageVolumePrivilege	2628	wmic.exe
Token: 33	2628	wmic.exe
Token: 34	2628	wmic.exe
Token: 35	2628	wmic.exe
Token: SeIncreaseQuotaPrivilege	2628	wmic.exe
Token: SeSecurityPrivilege	2628	wmic.exe
Token: SeTakeOwnershipPrivilege	2628	wmic.exe
Token: SeLoadDriverPrivilege	2628	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3016	2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe	30
PID 2948 wrote to memory of 3016	2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe	30
PID 2948 wrote to memory of 3016	2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe	30
PID 2948 wrote to memory of 3016	2948	057748a33b8ea8d62cc6b8d4ff6cd55e.exe	30
PID 3016 wrote to memory of 3052	3016	1431799351.exe	29
PID 3016 wrote to memory of 3052	3016	1431799351.exe	29
PID 3016 wrote to memory of 3052	3016	1431799351.exe	29
PID 3016 wrote to memory of 3052	3016	1431799351.exe	29
PID 3016 wrote to memory of 2628	3016	1431799351.exe	28
PID 3016 wrote to memory of 2628	3016	1431799351.exe	28
PID 3016 wrote to memory of 2628	3016	1431799351.exe	28
PID 3016 wrote to memory of 2628	3016	1431799351.exe	28
PID 3016 wrote to memory of 2604	3016	1431799351.exe	21
PID 3016 wrote to memory of 2604	3016	1431799351.exe	21
PID 3016 wrote to memory of 2604	3016	1431799351.exe	21
PID 3016 wrote to memory of 2604	3016	1431799351.exe	21
PID 3016 wrote to memory of 2544	3016	1431799351.exe	22
PID 3016 wrote to memory of 2544	3016	1431799351.exe	22
PID 3016 wrote to memory of 2544	3016	1431799351.exe	22
PID 3016 wrote to memory of 2544	3016	1431799351.exe	22
PID 3016 wrote to memory of 1712	3016	1431799351.exe	25
PID 3016 wrote to memory of 1712	3016	1431799351.exe	25
PID 3016 wrote to memory of 1712	3016	1431799351.exe	25
PID 3016 wrote to memory of 1712	3016	1431799351.exe	25
PID 3016 wrote to memory of 1064	3016	1431799351.exe	24
PID 3016 wrote to memory of 1064	3016	1431799351.exe	24
PID 3016 wrote to memory of 1064	3016	1431799351.exe	24
PID 3016 wrote to memory of 1064	3016	1431799351.exe	24

C:\Users\Admin\AppData\Local\Temp\057748a33b8ea8d62cc6b8d4ff6cd55e.exe
"C:\Users\Admin\AppData\Local\Temp\057748a33b8ea8d62cc6b8d4ff6cd55e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\1431799351.exe
  C:\Users\Admin\AppData\Local\Temp\1431799351.exe 9^4^5^4^4^6^8^9^2^9^1 JkxEQDktKCkwFy5KUT1MRT41Jx4mTTxQUktORUE7OycfJkBET1BDPDQwLjEuLhsrP0M8NC4XLkdOSkBRPUxWRzs8KDI0MBwpSzxQTURJW1BOSDdga3JnOSYrbm5yKDw8UUIsS0tLKT1KSCVHRUVGHCo/SEM7Qkc7PG5KLS5CMDwpL0tCSD8/NUcqKEtUKklHMhsrQCs1KC8nLyocKkAuNyUoHiZDKjkoLRwpPCs7JDAXKz8xOScpFy1HUUZAUD9QWUhJR01AOlU4HCtKSkZCTEJLW0BRSDs1Fy1HUUZAUD9QWUY4Szw8FytAVEFZTUlKNB8mQVNBWz1FO0pATTw5GytESUtLXTlRRlNOQU43KBctS0c4SkZVS09XTFBDPBcrUUk5LBgmQkowNBwqTlFITEBLPF5OQUc/S0c9QEs4RjxRTUg5GidAUVZRTEpPRUk/NWtwbGQXK01BUE9KRUdFRlZRTkFOWTw4V0o8KRwqREU+PU87KB8mRU5bQFNGOEtAQlZBST9OU0hLQzs8XV1nb2EaJztNTk1DSzxAW0NINDQtLSkwNCo0LSYoMjAfJlBESUE3KSsxKDcoLDMyLxonO01OTUNLPEBbTkFEQzQ0Ji0xKy4qKSwoMDkoMDUuLyRIRB4mVDg5SGt2Y2RjXxwxXTEpLCciT2BsW25ubyZKUCUuJTEcMlknUktTMCwcMVkqS25kYGFobBwwXTYlLCAvXiVqbSMqYCgtKSwlJWRgaVwqPmFeZ2saJ0xQQzxfcG9sIS1ZHDBdJCliYmFwKyYnLygwW2FuZWNoJmBsXW4cLmFOcWhMYGtcQ2ZzaWhrW1xEX2VgXmFtW2BfaGNtcCQpYiwwLyswKC4vNSshLWJgaW9lamZgW2lcal1hXWkjKWUoMC4tNCsoLzQrJCpiKzQzLywrNygxLC1VLS1uS2FLbk1kNDJIZTJxQmYwZUZPL3FJTk1rSE52KEdlQS1HOihyRnhqaFU/ZyxEOi5qSXFFZlR2PzFBUWZnUD8zLEg9MF9XcVAoRmRzZVM7bjZCeG5oVWlCZlE+bltZPk0yXmlMKFlVYmdPLmNjVWdkYldxMG1OdCxxS2EoQkRCb1BMLGcySHFUP0lwNU5RUERDSkEvZ1FSNGleTmtr
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3016

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461139.txt bios get version
1⤵
PID:2604

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461139.txt bios get version
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:1064

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461139.txt bios get version
1⤵
PID:1712

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461139.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461139.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
42KB

MD5
e5e65cc540bdc6ac6ce8b8d09c14e8bd

SHA1
cea9ed718e216b5f46a792c65a6f2b1fabdca2af

SHA256
b4f5cc4c5874b44ce1c8ac516bc6ce1f306f689e4cafa8a20b927541b6276610

SHA512
b0ad39cb6ec8d29236ec970d7d245a6dcb7497069a8b100580cec2a7cdd6c087a7c2a76487924e4c4dfc9109e5663af565717bed0ac222982545048bc7e88acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
3KB

MD5
21d5756103b53d18e9b47d6652b4636f

SHA1
79b6c3a57c227cc9235c9058dbbb3280292f4e9f

SHA256
058eb06a8cbaaac5b1cea4f1a85b41a8f7034af5ac7e491609e53b89e5705af9

SHA512
efd398c786cd73a649bcf2abdef34abab58009bfced9879b604cf51bb18a95ba699826fec7ee349504c9c7908d09a2beb45a646bfe9298e288e5e3f5b690e399

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703461139.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703461139.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703461139.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd625C.tmp\ibbbywk.dll

Filesize
97KB

MD5
2a020b45f3d2feb57c3c5c4aece5a85c

SHA1
dce225a95058e992bda66dbb29f385e4c62ddb5a

SHA256
5084a4b79c20931ce892d709d038f50e2859d3ec576d412dfadd6023d38c6224

SHA512
f2c5404548145606c53799be19b3db0707277791f5bde56701fa5a3d4bc646659c4dbbcf7d04db4ade82d0c8843e6bb41775cfe69ac235839d04cc90b73d502c

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
59KB

MD5
58053135490c481cd15857163e609c2c

SHA1
ef1ec38a40576cca6c40f5fcf16aa2cfe41fcf5d

SHA256
dc488be30f90d7f9122fccc389e019d7121e262f64d2729add378f73a33fc321

SHA512
65b3efae9c50c17f7ae2f00dd5f164ce81002b61ee93764842870c55334a86b368152cbcc989f9bc998587c4f60d70732f9b172d646ee658e56f90ae30f6a411

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
100KB

MD5
f267d0bbeb05226ba49bd3510e5d02bd

SHA1
954b4bf799ab9b737ac4892975bbe84cc615219d

SHA256
f34e0f6276682882ae801cbd95377b39ca4a724ebf27687bda491f69a3caeb37

SHA512
2b5c2a6a3eabb667080bedda245c0812c87df00efa2c395054d2d30bca2d28d0c356b76d7cfa762be11c006ef387f5d9dae06eb9351eeccb3e93560c7bc5585b

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
27KB

MD5
46cb49e10d25ec34863f29f349863a03

SHA1
419924ad8335490fbfdb95f1e303f00535e1f910

SHA256
b4f488f61efe18d06a786abdc19dccea3b1f6d521c7577ee7756ed0799413168

SHA512
f9d0db76fc1270c9227ec22e37be2ed029f477cb955c9958056bf8d842e0f31d6838dc8f598f31c7682da7d6f19c8da6aaa37caac49fb987c10132f9eec8d3b2

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
32KB

MD5
17f66e6f21bd89c743fba439d5bd878b

SHA1
145606227c5f4c8b24ca171030668910a0d10516

SHA256
f4d855077dfbfa4d952194718f2ad635403c8e16b56fdcec5051988dde181d1d

SHA512
e486a3171d8b6e53ee877d63ca275632f316100dd987ada8612c43c1cb8edd97aa26a7300a164675b588bf58bb03c2f4a2fb1ed22f94f252d4fa7ba64f94581c

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
45KB

MD5
822b96fcaea48c807adf1a3a91d256e9

SHA1
322b52fdd249954282d5640378cf643547015d49

SHA256
3f1d1f04f6771fbf145df287b9157a92c2ba62e279fcba009e3aae41d82812f8

SHA512
b74918a1a400c9cb7c360346cd17dae903bbe72949ab007d622658ca8a0eb3b880190cbfcfdd618792d21204a6ac5c2db8d0ec457441603ce29820c62c780463

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
50KB

MD5
77287c70ba9b851051b9efbcfd5f1222

SHA1
c143d1113166c5ba92cf2ac3bcfd21e735e3e0f1

SHA256
58630879847406caafdfa4982cf2d19703aef363b624a17bfc3f82ca1a7e3057

SHA512
0ab15a14fc2d6224d0b7be84314723096d1628c2562f3cf2fd9dce3c71983a6e87658166025dd6132373978394c5a4ff9aaf1095f796913deede89f788632ef9

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
33KB

MD5
b5dd7e30129858a80636caa822705737

SHA1
5e6e975b4f05b2c96b7fadc31764eba2b6b2c17c

SHA256
346a1728ea29438372825b41ecd6e4e3b8cf2d498176f5934e70c4d9719ae619

SHA512
2e39a574533f421185ab35bd9da06385fea5c120091966aeb300d1d63aa8eacd8c800cc2e3fea7748f22af148881a287530caec2de1022d6381b523100a97aa6

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
74B

MD5
570f7c57e6060b2ba31d511630186b74

SHA1
f28adc1ae5eadafda1d22bd69fbb925966896383

SHA256
1d98b5a54055bf2a32b9814e8b4d791071d4946e2b77ec47852179fee79ce60b

SHA512
edf46a16f27dd8978fd7c4ea61d81e285c3759c4fc201cdb2d7533f7710abc25d80bfcf93752ef04f92fc69cad9b2a5af3948a90a1adf98969e9b27359c788dc

Download Submit
\Users\Admin\AppData\Local\Temp\1431799351.exe

Filesize
32KB

MD5
c21ff50a3ceba8e29f3b67d980321f2f

SHA1
aa366e5b1f09404b3c3f45628a5963a41822fef6

SHA256
dcc4df7ad42100531ebd1d72e8a8afcc96a4f12822b1333d1f8b9cd5a15030c6

SHA512
4423c77205fd41c4a1fa61581f9b7dd0d70fc558ed9626eda1cb9f8d3f3cdaef137c99f30242465eb3787da4cefb0e81bcab40ca5026d4a4ab0b8d5fffb67f6e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd625C.tmp\ibbbywk.dll

Filesize
85KB

MD5
94137e0694b326717b38d825b38f0658

SHA1
a7e64265b6d57d3c88c130671595d0f8390f4a3d

SHA256
a1fdc258121a9e942a97ddaffca439ed353a3f93d9721721ffe1df35b96c79bc

SHA512
7bb3176b49a8adda6c9a02c530c7e043933efb04f475fa7885a92f58e2d00fdbcf8d34b763879e295917c11752095060a24e4b301439e2b608bcb8871296d8bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsd625C.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit