5573de9d49488008fc769cbfd736a5bb976273a1ea79bd2b70ce6344d10e990a

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05969354e5ce57a53e570b3101ab3871.exe
Size

559KB
MD5

05969354e5ce57a53e570b3101ab3871
SHA1

c4f4744e0d3d0ef7b0f6bcac8b5129e555f9ecc3
SHA256

5573de9d49488008fc769cbfd736a5bb976273a1ea79bd2b70ce6344d10e990a
SHA512

ce64da577836dce9f8cee4239a2e8472593eb56e0b49e90c3720eeda3a85b0f94b460b23ac537121db64b5b35e1b79708a0c7085ffcf9a003994b566e6334a50
SSDEEP

12288:FmQDRNKuqDIo+wzn5rL5960NAbq4uIVlfli/Q8u+TVbUWGjAJdg:FVytIo+AJ9dNyxhlfANuqwWH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	1430568137.exe

Loads dropped DLL 10 IoCs

pid	Process
2212	05969354e5ce57a53e570b3101ab3871.exe
2212	05969354e5ce57a53e570b3101ab3871.exe
2212	05969354e5ce57a53e570b3101ab3871.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	2684	WerFault.exe	25

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe
Token: SeSystemProfilePrivilege	2864	wmic.exe
Token: SeSystemtimePrivilege	2864	wmic.exe
Token: SeProfSingleProcessPrivilege	2864	wmic.exe
Token: SeIncBasePriorityPrivilege	2864	wmic.exe
Token: SeCreatePagefilePrivilege	2864	wmic.exe
Token: SeBackupPrivilege	2864	wmic.exe
Token: SeRestorePrivilege	2864	wmic.exe
Token: SeShutdownPrivilege	2864	wmic.exe
Token: SeDebugPrivilege	2864	wmic.exe
Token: SeSystemEnvironmentPrivilege	2864	wmic.exe
Token: SeRemoteShutdownPrivilege	2864	wmic.exe
Token: SeUndockPrivilege	2864	wmic.exe
Token: SeManageVolumePrivilege	2864	wmic.exe
Token: 33	2864	wmic.exe
Token: 34	2864	wmic.exe
Token: 35	2864	wmic.exe
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe
Token: SeSystemProfilePrivilege	2864	wmic.exe
Token: SeSystemtimePrivilege	2864	wmic.exe
Token: SeProfSingleProcessPrivilege	2864	wmic.exe
Token: SeIncBasePriorityPrivilege	2864	wmic.exe
Token: SeCreatePagefilePrivilege	2864	wmic.exe
Token: SeBackupPrivilege	2864	wmic.exe
Token: SeRestorePrivilege	2864	wmic.exe
Token: SeShutdownPrivilege	2864	wmic.exe
Token: SeDebugPrivilege	2864	wmic.exe
Token: SeSystemEnvironmentPrivilege	2864	wmic.exe
Token: SeRemoteShutdownPrivilege	2864	wmic.exe
Token: SeUndockPrivilege	2864	wmic.exe
Token: SeManageVolumePrivilege	2864	wmic.exe
Token: 33	2864	wmic.exe
Token: 34	2864	wmic.exe
Token: 35	2864	wmic.exe
Token: SeIncreaseQuotaPrivilege	2952	wmic.exe
Token: SeSecurityPrivilege	2952	wmic.exe
Token: SeTakeOwnershipPrivilege	2952	wmic.exe
Token: SeLoadDriverPrivilege	2952	wmic.exe
Token: SeSystemProfilePrivilege	2952	wmic.exe
Token: SeSystemtimePrivilege	2952	wmic.exe
Token: SeProfSingleProcessPrivilege	2952	wmic.exe
Token: SeIncBasePriorityPrivilege	2952	wmic.exe
Token: SeCreatePagefilePrivilege	2952	wmic.exe
Token: SeBackupPrivilege	2952	wmic.exe
Token: SeRestorePrivilege	2952	wmic.exe
Token: SeShutdownPrivilege	2952	wmic.exe
Token: SeDebugPrivilege	2952	wmic.exe
Token: SeSystemEnvironmentPrivilege	2952	wmic.exe
Token: SeRemoteShutdownPrivilege	2952	wmic.exe
Token: SeUndockPrivilege	2952	wmic.exe
Token: SeManageVolumePrivilege	2952	wmic.exe
Token: 33	2952	wmic.exe
Token: 34	2952	wmic.exe
Token: 35	2952	wmic.exe
Token: SeIncreaseQuotaPrivilege	2952	wmic.exe
Token: SeSecurityPrivilege	2952	wmic.exe
Token: SeTakeOwnershipPrivilege	2952	wmic.exe
Token: SeLoadDriverPrivilege	2952	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2684	2212	05969354e5ce57a53e570b3101ab3871.exe	25
PID 2212 wrote to memory of 2684	2212	05969354e5ce57a53e570b3101ab3871.exe	25
PID 2212 wrote to memory of 2684	2212	05969354e5ce57a53e570b3101ab3871.exe	25
PID 2212 wrote to memory of 2684	2212	05969354e5ce57a53e570b3101ab3871.exe	25
PID 2684 wrote to memory of 2864	2684	1430568137.exe	23
PID 2684 wrote to memory of 2864	2684	1430568137.exe	23
PID 2684 wrote to memory of 2864	2684	1430568137.exe	23
PID 2684 wrote to memory of 2864	2684	1430568137.exe	23
PID 2684 wrote to memory of 2952	2684	1430568137.exe	32
PID 2684 wrote to memory of 2952	2684	1430568137.exe	32
PID 2684 wrote to memory of 2952	2684	1430568137.exe	32
PID 2684 wrote to memory of 2952	2684	1430568137.exe	32
PID 2684 wrote to memory of 2576	2684	1430568137.exe	34
PID 2684 wrote to memory of 2576	2684	1430568137.exe	34
PID 2684 wrote to memory of 2576	2684	1430568137.exe	34
PID 2684 wrote to memory of 2576	2684	1430568137.exe	34
PID 2684 wrote to memory of 2068	2684	1430568137.exe	37
PID 2684 wrote to memory of 2068	2684	1430568137.exe	37
PID 2684 wrote to memory of 2068	2684	1430568137.exe	37
PID 2684 wrote to memory of 2068	2684	1430568137.exe	37
PID 2684 wrote to memory of 1952	2684	1430568137.exe	38
PID 2684 wrote to memory of 1952	2684	1430568137.exe	38
PID 2684 wrote to memory of 1952	2684	1430568137.exe	38
PID 2684 wrote to memory of 1952	2684	1430568137.exe	38
PID 2684 wrote to memory of 1092	2684	1430568137.exe	40
PID 2684 wrote to memory of 1092	2684	1430568137.exe	40
PID 2684 wrote to memory of 1092	2684	1430568137.exe	40
PID 2684 wrote to memory of 1092	2684	1430568137.exe	40

C:\Users\Admin\AppData\Local\Temp\05969354e5ce57a53e570b3101ab3871.exe
"C:\Users\Admin\AppData\Local\Temp\05969354e5ce57a53e570b3101ab3871.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\1430568137.exe
  C:\Users\Admin\AppData\Local\Temp\1430568137.exe 7,9,6,1,4,2,7,1,5,1,5 KEdDQzkxKy8rHypMTDxPRUI2LxsuST5LUU5OSUJDOC8bKDtDUlBHPTwsODIwFylCRUI2LxsuS0tGPlQ/UlhIPzwsLzAuHytRPlFRRE1YTExLOWZtc2s5KihqbHUqQj5SRixPSEcnQExOJ0hJRUoZJj1LRUFESD88Gyg7KzwpLxkuPzE4JigaLkAxNiwsHyo9KzcsLR4oQzA8KCoXKU9OTT1UPlNaSUlDVT1BUjwbLktLRj5UP1JYRFBLPDYXKU9OTT1UPlNaRzhHRDkeKERTRFpOSUY8HC0+V0BePkY7RkhKQzYfKkdKTEtZQU5NUFJAUTgrFylTRD9HSlROUFhMTEs5HihVSDwtGSY+Ui07GS5NVElNQEdEW1U+Sz5OSD5AR0BDQ05RRzwbKEBNXk5TR1NETEA2a2x0YR4oUUBTUEtFQ01DXU5SQFFaPThTUjkwGS5DSD8+TzcwHC1CUlpDVEc4R0g/XT5NPlFUSUs/QzlkWmtuZBsoO0lWSkpIQD9eREk0Ky8wLCoyMy0sMS0oMS8uGS5PSEg+NCszLy4uNi83KywXKUNLVUdLSkA/WEtDTEE7Li4tLi0pKC8pLTguMjUxLiNHRx8rUzo8SG51YmNmYCEwXzQpLyYhTmNtYG1wciZNTyQtKDAhMVsqUk5SLysjKj1uaWtgVmBbQmNzITBfNC42KSwtJSdHRk1MRyQtXCJmaGdjJEZgYmZoICVCZHBobGAkLV8rLC0sLCsyLDApKiovKk9fX2BtaCArXS8yMywsNRsuUEtDN2dwcmkkLmAgK10fMWJlXnMpLywqL2QtZWxfbiAxYUtsaFNla15DanZpZWZbY0lfZ2BiZG1YW19vaG1yJC1lLC0qKjQzMjEvLSQtXyguMiwzMDMzLy0eKWAwMDEpNDIzMykpHzJiMTIyNDQuMi0rMi9YP3dzS09GL1R5X3dFeCtzQ1A8KktAV25MTlVrSGAuc0pnbGdceUxqQVFBbFhlb2pYQTEtQlUwdUhoanRDUDxqTj9taEhCTHJIYGluRS9sdUpoTGtBUUR1TWJQcEdSP2RTMDVyUWxraElBRWFXLkhmYGhzYF1kRG9Ha2lmXlZzakFRWWNgQFQxSk4/KlNGazZFdg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461930.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461930.txt bios get version
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461930.txt bios get version
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461930.txt bios get version
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1092

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703461930.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
105KB

MD5
471541f4785ab9f7061d2aede01e948a

SHA1
22e6569a9d3de538c0eee8f4233bdf020eb9d4f9

SHA256
5670680bee831f48327289a241a069efbcb2c8096a39121b1e8c80285e731f54

SHA512
d23c8a72232ed9d979062582b617f32a8c48c919e3c53c1c973516907eddd368f3ba985b03c07bd8ff2009a72ce3e8d6c92a87d7f1fad555a53c4ca0b431a194

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703461930.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703461930.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703461930.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd536E.tmp\dhihhg.dll

Filesize
68KB

MD5
aa9f47aaf2f13dfd024ba7966ac8dc8c

SHA1
60a277e31e44c7bc3c104d41386883adc3efa980

SHA256
0c03d947db52e45be8fd0555f26b7b9cdaf97f4d6fd1292de9c13d673f3d7361

SHA512
196a86aa8a8725fc88fbf89c0fc5029e1fa19acb7404a74894d932f898719c4a0fa32df06c4007526d57d4b05fb01c50749b8b653e5fd8d53ccca20b5e7006f1

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
33KB

MD5
04f77c832782beb46af4109dfcf0ec57

SHA1
e76a8f9a3e148dfa435802f03379be8153b2b116

SHA256
333be67b45a75d3df23daf29fb4f2fdc030c08a70dc0e929c808d689bdc27097

SHA512
040596e72d1f11121af61e7b4645b2df4c87af8244f5fe28a321e53379297c46a8eff3ac492f5548eb7270d3a2d8f82662b7c1f832e1b20b7176fb5102bd5818

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
230KB

MD5
628fb8f97a278078b127ffe4d7233883

SHA1
938dd0dc915f54abcbaaa6cdc0415248134215cb

SHA256
c74d7e017edba2e7255cc5aded3d00f68b4305fc0f8bb640529199107e54c2a2

SHA512
c8f922860fcc02f5906cba2d3a29b9e25aaf3bf088377f0738fb930fb48d09af69336d9b9ce43c6d724c7413db26cdbf3659dfa08ab6484d66e771b2043b4c4c

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
40KB

MD5
11e222317467a894f7a164571ef03433

SHA1
cc419a758475b198491533c5d23f04f34cb92b24

SHA256
68995b6cc7c789f00e1b26d22be8fdcef98a563f31d0842cdf0f63a5a0a01fe0

SHA512
203a64a8db69d3a9c34d35e6e0019771ab195a69c51f60f55f405ddf9aa3347169da893316ed3cdb83cacd4984462c4aca27f078c2d6923ddb5d73c67d557b2c

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
82KB

MD5
3e59d49764b7bbd1b3d17e2287f641f5

SHA1
98d2dceacc0c840cbdee089ecaeae302e1fc12f6

SHA256
36ae4ae61e3d8e3c4ec339a082f80019e469d822443a7d7f19f694b87fbe1f98

SHA512
7dc6c7f0d0c7f60a6e46cdb9775ca06aa5bfa4795816e9f5f0c4a94b1fc3c2c5da6789abfd6209492fb70be61dd655a6e2d48ef79a70e5e95ebac68250b3de90

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
75KB

MD5
9210b7ba9893ba8a3e6cfb34552386da

SHA1
a17896ed2a7d59d63e81e888c8496cc14f3ebfd7

SHA256
50988ead9161f6d58d4cda72edf321e23f7d9a0e235579fd64fd1b565e257526

SHA512
d5a7c749d8c5f653575ac7c2afc0710f107e62895562460fd82080e4a7075253e78eb433b30e99c1e026d02ea86ae26f1626017730cbbb13fc01a26127a1534d

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
92KB

MD5
e0d45d5e77be5992836c42e19c3cf7e3

SHA1
6196813efac9f04af70fc5dcc3d2cc8606efd877

SHA256
e158ced37f54b698acef8681c53b5db2b13dae2ba5b1f53a17964289edae2ae7

SHA512
9e42f65487ada8ddf1fdd0b92fbdd0921f4037421b92422581c891c2875e3776a6afdc7fc0db4176e21be5de4c16b62b65d6c97c7d46e98045f40e0e2c4e8c46

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
102KB

MD5
07febd5d60ad471fe4b2b036500a9d90

SHA1
295b39fdb722cc1aff788242446b4ff3f7cc3a50

SHA256
06b84dfa99f572e0075e28981df91dd882cdb39bc820cd4785223afab60d503e

SHA512
caf9fd27b256684f9df007695fe69147db0958717b7a18bccce69ba6ca57500a4b55bafa9362c2ebc559e374b94c964723ffa82c835a4901d50a596d1359edfa

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
95KB

MD5
ba764b0a02380d9449aabcd1bc1dc834

SHA1
f7773720780275e2d5d45aaa27c31fa7acafcd49

SHA256
baa59b406432f5ca278dc9fec3d969bc295643610d8404be7c3b593c4376c8db

SHA512
d2fb4fd95d3c44cf6084215b6efb45d7df4cdccbbdc97532aa87e5e8b2110a060bb1899062ae08fa113cf3ed8f734a0f046c76a555d9dbb9609ba6fa00f92294

Download Submit
\Users\Admin\AppData\Local\Temp\nsd536E.tmp\dhihhg.dll

Filesize
60KB

MD5
b976b5d7e4729674a0b79844d19f31ad

SHA1
4707decc34808aeb4be77a46a600af5fdefefee8

SHA256
64a0399a3e3f202e508cada9346a58392aa9c14af6faf77cfca5182cd78e1460

SHA512
832650cc7edc38c3d16a75e55e7ca21778e4f6ba85fd30ca50c1d678f107ec52e61e5cc27a8284ccb718306ee44a096a117fe866bb73b84868533c3d31f2f079

Download Submit
\Users\Admin\AppData\Local\Temp\nsd536E.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit