9cac97daee2c837dd50b2af4dcbcf1de227807234559f649547df588e99f833e

Analysis

max time kernel
125s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06de09f3c8a4100e7c26ac8dbdaea606.exe
Size

633KB
MD5

06de09f3c8a4100e7c26ac8dbdaea606
SHA1

13727e236cbdc77ad28f5ef2d92e2fd033270543
SHA256

9cac97daee2c837dd50b2af4dcbcf1de227807234559f649547df588e99f833e
SHA512

237f376b45a9a542e935f60cfa4a409a5cecb36e5c621d524358b31d4430c066ba503c101939fca419fe127f48001cbe1f5e40da06ef5201e58c6d0f6aaf12e2
SSDEEP

12288:PXgXEJV4XMYQeVt140lfOXNQch/7PS14Hb65D1Tfbrni7aWuZcEJYc0W:PXgIV4XMYh14Eit/7R765D1TfbDgavZ3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1492	1430730120.exe

Loads dropped DLL 2 IoCs

pid	Process
3784	06de09f3c8a4100e7c26ac8dbdaea606.exe
3784	06de09f3c8a4100e7c26ac8dbdaea606.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	1492	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1412	wmic.exe
Token: SeSecurityPrivilege	1412	wmic.exe
Token: SeTakeOwnershipPrivilege	1412	wmic.exe
Token: SeLoadDriverPrivilege	1412	wmic.exe
Token: SeSystemProfilePrivilege	1412	wmic.exe
Token: SeSystemtimePrivilege	1412	wmic.exe
Token: SeProfSingleProcessPrivilege	1412	wmic.exe
Token: SeIncBasePriorityPrivilege	1412	wmic.exe
Token: SeCreatePagefilePrivilege	1412	wmic.exe
Token: SeBackupPrivilege	1412	wmic.exe
Token: SeRestorePrivilege	1412	wmic.exe
Token: SeShutdownPrivilege	1412	wmic.exe
Token: SeDebugPrivilege	1412	wmic.exe
Token: SeSystemEnvironmentPrivilege	1412	wmic.exe
Token: SeRemoteShutdownPrivilege	1412	wmic.exe
Token: SeUndockPrivilege	1412	wmic.exe
Token: SeManageVolumePrivilege	1412	wmic.exe
Token: 33	1412	wmic.exe
Token: 34	1412	wmic.exe
Token: 35	1412	wmic.exe
Token: 36	1412	wmic.exe
Token: SeIncreaseQuotaPrivilege	1412	wmic.exe
Token: SeSecurityPrivilege	1412	wmic.exe
Token: SeTakeOwnershipPrivilege	1412	wmic.exe
Token: SeLoadDriverPrivilege	1412	wmic.exe
Token: SeSystemProfilePrivilege	1412	wmic.exe
Token: SeSystemtimePrivilege	1412	wmic.exe
Token: SeProfSingleProcessPrivilege	1412	wmic.exe
Token: SeIncBasePriorityPrivilege	1412	wmic.exe
Token: SeCreatePagefilePrivilege	1412	wmic.exe
Token: SeBackupPrivilege	1412	wmic.exe
Token: SeRestorePrivilege	1412	wmic.exe
Token: SeShutdownPrivilege	1412	wmic.exe
Token: SeDebugPrivilege	1412	wmic.exe
Token: SeSystemEnvironmentPrivilege	1412	wmic.exe
Token: SeRemoteShutdownPrivilege	1412	wmic.exe
Token: SeUndockPrivilege	1412	wmic.exe
Token: SeManageVolumePrivilege	1412	wmic.exe
Token: 33	1412	wmic.exe
Token: 34	1412	wmic.exe
Token: 35	1412	wmic.exe
Token: 36	1412	wmic.exe
Token: SeIncreaseQuotaPrivilege	396	wmic.exe
Token: SeSecurityPrivilege	396	wmic.exe
Token: SeTakeOwnershipPrivilege	396	wmic.exe
Token: SeLoadDriverPrivilege	396	wmic.exe
Token: SeSystemProfilePrivilege	396	wmic.exe
Token: SeSystemtimePrivilege	396	wmic.exe
Token: SeProfSingleProcessPrivilege	396	wmic.exe
Token: SeIncBasePriorityPrivilege	396	wmic.exe
Token: SeCreatePagefilePrivilege	396	wmic.exe
Token: SeBackupPrivilege	396	wmic.exe
Token: SeRestorePrivilege	396	wmic.exe
Token: SeShutdownPrivilege	396	wmic.exe
Token: SeDebugPrivilege	396	wmic.exe
Token: SeSystemEnvironmentPrivilege	396	wmic.exe
Token: SeRemoteShutdownPrivilege	396	wmic.exe
Token: SeUndockPrivilege	396	wmic.exe
Token: SeManageVolumePrivilege	396	wmic.exe
Token: 33	396	wmic.exe
Token: 34	396	wmic.exe
Token: 35	396	wmic.exe
Token: 36	396	wmic.exe
Token: SeIncreaseQuotaPrivilege	396	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 1492	3784	06de09f3c8a4100e7c26ac8dbdaea606.exe	92
PID 3784 wrote to memory of 1492	3784	06de09f3c8a4100e7c26ac8dbdaea606.exe	92
PID 3784 wrote to memory of 1492	3784	06de09f3c8a4100e7c26ac8dbdaea606.exe	92
PID 1492 wrote to memory of 1412	1492	1430730120.exe	93
PID 1492 wrote to memory of 1412	1492	1430730120.exe	93
PID 1492 wrote to memory of 1412	1492	1430730120.exe	93
PID 1492 wrote to memory of 396	1492	1430730120.exe	96
PID 1492 wrote to memory of 396	1492	1430730120.exe	96
PID 1492 wrote to memory of 396	1492	1430730120.exe	96
PID 1492 wrote to memory of 1300	1492	1430730120.exe	99
PID 1492 wrote to memory of 1300	1492	1430730120.exe	99
PID 1492 wrote to memory of 1300	1492	1430730120.exe	99
PID 1492 wrote to memory of 3572	1492	1430730120.exe	100
PID 1492 wrote to memory of 3572	1492	1430730120.exe	100
PID 1492 wrote to memory of 3572	1492	1430730120.exe	100
PID 1492 wrote to memory of 4808	1492	1430730120.exe	102
PID 1492 wrote to memory of 4808	1492	1430730120.exe	102
PID 1492 wrote to memory of 4808	1492	1430730120.exe	102

C:\Users\Admin\AppData\Local\Temp\06de09f3c8a4100e7c26ac8dbdaea606.exe
"C:\Users\Admin\AppData\Local\Temp\06de09f3c8a4100e7c26ac8dbdaea606.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\1430730120.exe
  C:\Users\Admin\AppData\Local\Temp\1430730120.exe 1!0!1!5!8!6!9!2!0!8!2 LlBIPzUrMDE2Kx4uU1Q9SEM7OzAYLU1FU1JHTEJHRDUvJDIva2ppW3NjbGxgbWQ4Sl9ga2FfYx8vQ0RLTkBCPSo1NjExGyc9QEI9KB4uUFFKPE86Ul9BQjwyNTQsLRctUz1QVUVRWk1MQztobHJvOi4qa2xtLEQ9UUotU0pIJzhOUCZHTUZOGyc9Q0dDQ0dDPR8qPCs0KzEYLUMyPCgpGiZCMzUrMCAuPyw3JC8gJ0I0PSwsGClHUE88U0JUXktKQ00/Q1E7Hy9PTUc+TEFUV0NUTEA4GClHUE88U0JUXkk5Rzw7ICdDV0VeUEpGNB4vPVZEX0JIPEZATEU1Hi5ITk5MWTlQT09RRFI8MBgpS0ZBRklYT1RaTUxDOyAnVEw9MRsnPkovPRgtUVVNT0FHPF1XPUpCT0xAQUc4RUVNUEs9HypBTVZQVUZSSE1EOGxsbGMgJ1BEVFRNRkNFRV9NUURSXj85U0o7MhgtR0lDQFA3KB4vQVFeRFhJOUdAQV89TEJSWEtMPzs7ZllqcmUfKjxJTkxMRz9DX0hLNSsoMi4pMjIuNC8mKys3ICdSSE1EOCkuKi43KzMzMzcbJz5GVU5ETUBEXk9BRzw7NScyLjIvLC0kKC46Ky45MzclOUcXLVU5Ox8vVE1EN19ydGgjMmEkLV4fKWRnXXJxLmVkZF8vYmVraXNvbylbaWQjMl5QdG5TZGVfO213ZmpuYWNIWWhYZWVqXWNlb2dncxwwZiowMTIxLSosKTAyKjAxJTFhXGlubGxnX2NtYGlZYVxwJSpkZmVzMC4fKmRwHTFjMTguLi0cMDZcIzJkMTIvKykjMi5qJDNjLS4zKzElKjRtJTJfKSVncG9cc2J0bVxlXxwxZEpjaG1gYl0fKTRmYWpkbmBoXR8qYlJdZ2xhZmA=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703468086.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703468086.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703468086.txt bios get version
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703468086.txt bios get version
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703468086.txt bios get version
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 956
    3⤵
    - Program crash
    PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430730120.exe

Filesize
928KB

MD5
d543fbc47ef4aa334913f5fa498bbd74

SHA1
8f6b60c117df6c664223f8be39344377c44cb151

SHA256
a55c918dcf7ade6f0088a09690921b6b4036753ebad22d8cd708cbbd24f143ab

SHA512
6fd2bc397582a3dfe0033a3f7772fe32bb69ee8590798ed9ce63fdffa5ecf72de210e70b6e97780ff44ffc66601b811c0b5456cc3d47e7ae8bd22513b04f7663

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703468086.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703468086.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703468086.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67F2.tmp\dsvfr.dll

Filesize
126KB

MD5
c77a97b9a08e2e742170cc1aa7c2fcb1

SHA1
98d637e1f3cf0fdebd74bf821aaf43bd42590a06

SHA256
e9f06c5e19f0682473abc1f73fd7c400dbb0d79124c161f4f863a2be7249ac72

SHA512
f73d8ba2dc2bb0707edbc0ba1fd9b89742fc91f787c5c58f9243dad42a2de64d655bd34068d3a92a7630810249f3fdeb389b2318a3d1482f29b5ce79e0fbc575

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67F2.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit