20ef7d487748e9dcef6c54e5e77750d2327b4b2a9401361fc8a212c5ccf0b81c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb17d9170a7c6d221527473279e1db1.exe
Size

420KB
MD5

0bb17d9170a7c6d221527473279e1db1
SHA1

3ae5cdd423a53db37c4eff50c2ee2a32a16ebef5
SHA256

20ef7d487748e9dcef6c54e5e77750d2327b4b2a9401361fc8a212c5ccf0b81c
SHA512

b23fd0a3032a921be700368961ab476a56a319a67a363506b8c203d3ce5f51be81d6b566365531ba3e91dd4234a156ad897fc9d00f2493572a818fcae4dbdd72
SSDEEP

12288:RFEkA4QJEQ1Wy9HvPHGO6JljrQDfSZcXG4EK8:RFEkO1WIPmlJlnNGXGn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	7za.exe

Loads dropped DLL 7 IoCs

pid	Process
2196	0bb17d9170a7c6d221527473279e1db1.exe
2196	0bb17d9170a7c6d221527473279e1db1.exe
2196	0bb17d9170a7c6d221527473279e1db1.exe
2196	0bb17d9170a7c6d221527473279e1db1.exe
2196	0bb17d9170a7c6d221527473279e1db1.exe
2196	0bb17d9170a7c6d221527473279e1db1.exe
2196	0bb17d9170a7c6d221527473279e1db1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2036	2196	0bb17d9170a7c6d221527473279e1db1.exe	17
PID 2196 wrote to memory of 2036	2196	0bb17d9170a7c6d221527473279e1db1.exe	17
PID 2196 wrote to memory of 2036	2196	0bb17d9170a7c6d221527473279e1db1.exe	17
PID 2196 wrote to memory of 2036	2196	0bb17d9170a7c6d221527473279e1db1.exe	17
PID 2196 wrote to memory of 2788	2196	0bb17d9170a7c6d221527473279e1db1.exe	23
PID 2196 wrote to memory of 2788	2196	0bb17d9170a7c6d221527473279e1db1.exe	23
PID 2196 wrote to memory of 2788	2196	0bb17d9170a7c6d221527473279e1db1.exe	23
PID 2196 wrote to memory of 2788	2196	0bb17d9170a7c6d221527473279e1db1.exe	23
PID 2196 wrote to memory of 2888	2196	0bb17d9170a7c6d221527473279e1db1.exe	26
PID 2196 wrote to memory of 2888	2196	0bb17d9170a7c6d221527473279e1db1.exe	26
PID 2196 wrote to memory of 2888	2196	0bb17d9170a7c6d221527473279e1db1.exe	26
PID 2196 wrote to memory of 2888	2196	0bb17d9170a7c6d221527473279e1db1.exe	26
PID 2196 wrote to memory of 2536	2196	0bb17d9170a7c6d221527473279e1db1.exe	30
PID 2196 wrote to memory of 2536	2196	0bb17d9170a7c6d221527473279e1db1.exe	30
PID 2196 wrote to memory of 2536	2196	0bb17d9170a7c6d221527473279e1db1.exe	30
PID 2196 wrote to memory of 2536	2196	0bb17d9170a7c6d221527473279e1db1.exe	30
PID 2196 wrote to memory of 2704	2196	0bb17d9170a7c6d221527473279e1db1.exe	29
PID 2196 wrote to memory of 2704	2196	0bb17d9170a7c6d221527473279e1db1.exe	29
PID 2196 wrote to memory of 2704	2196	0bb17d9170a7c6d221527473279e1db1.exe	29
PID 2196 wrote to memory of 2704	2196	0bb17d9170a7c6d221527473279e1db1.exe	29

C:\Users\Admin\AppData\Local\Temp\0bb17d9170a7c6d221527473279e1db1.exe
"C:\Users\Admin\AppData\Local\Temp\0bb17d9170a7c6d221527473279e1db1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\nstE55.tmp\7za.exe
  7za.exe e -y -p"7ed77c48666d14b69f41555512f73531" [RANDOM_STRING].7z
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstE55.tmp\0l1efp

Filesize
8B

MD5
fd03887411dfd900c39337951e679b04

SHA1
42152a98048ce7705b7d41468fea303c30b7c28a

SHA256
526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0

SHA512
69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE55.tmp\7za.exe

Filesize
43KB

MD5
db5b64f1a6be9c6b28fb34f12706b495

SHA1
7dde5fdaa5deccb4916ec52190076a1821e0fb01

SHA256
fb823a630532298fa4f666f3583d08d3617f3c8cb8aa84596514207806520f44

SHA512
673b6f48c11c064d74334f034e7d537d2f86d578c6f932198a667c8fd175d5dac5966a981ab81a683c61ac437bc8cb69c9a32d6329cb8660e16ef06945d97002

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE55.tmp\7za.exe

Filesize
133KB

MD5
adb5b1cdbb45d909be27865e6a93ca2f

SHA1
1d61a21d13540b2a873b5ee0dd6ff67f3910b135

SHA256
11ede7850e26cbc1efdc14f0175284c94cc67b4219c6844cdceef69c12c19edf

SHA512
d941b21b925b272513fa16da27ab28e04a1ffc4ed78c35d32336642ef21107bbc231affafc831de8403c682da89d38a965c7c8a321d47ea0a0983a8b047500c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE55.tmp\[RANDOM_STRING].7z

Filesize
104KB

MD5
0c15aa14d225c94ef1aa2daccc01686a

SHA1
148463a11d9d26954f6b46f37d0c73913e161d05

SHA256
7373eb8956a2b57683c6cef680205513d49208fdb875ee4a4747448e57f3efdc

SHA512
ef34569d764c1140188eb085a7fc06e5e8ffc2f1619aaf258707945663607852b68e2998dad4fae302c7690839a737d21cd6114e446c873f6b51ea3b758626b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE55.tmp\install43062.exe

Filesize
30KB

MD5
4ee760e3dd923cd7db54b923ce4c54a5

SHA1
7773a14b5af1c86fca1fd527d760c3f1514b9975

SHA256
066a138ee9006986791bf9177d26ea095c2409f1ff7704f40b38e8166fb46324

SHA512
bde375be27941d0e5d07bf999abca81a4ddaded47e97b182afc0107cfd78499628b6c783afe4323aca9169cab7e339f6bab4264ace08b14c3ef0a7fa997745f0

Download Submit
\Users\Admin\AppData\Local\Temp\nstE55.tmp\7za.exe

Filesize
71KB

MD5
0ca18b9952a5eb35ce8575daee2841c2

SHA1
5aeb5fe5b85b7f57aec42d26173f74eac57aef41

SHA256
05fbb37c92a8c6b76b4d6fe0985bd866b7dd6af6e1eeaf67bfbe29e6fb756032

SHA512
e18a0f9a9ab7f593b4ce968ae3c04ceab52b1f6e52c57730927daf7796e98cbddd2f9917f37ca06055ef2e7adb2f48aa50234505bd4d6aeec5d7dc176ff37b9d

Download Submit
\Users\Admin\AppData\Local\Temp\nstE55.tmp\7za.exe

Filesize
72KB

MD5
0a01329c2b909aeee3a9cda8cbf82313

SHA1
8b7edd59ed78cf77d7454371dfadefdef47eb0a8

SHA256
5f98dcbfae836c6b4f12735362d2519b340e51ffdbe2e4f132a24f2454e89072

SHA512
3bcf4d9398b29564ac65c8a45cbbb2f8cb9f16701e224afeb2a1a3b3d5acf3fbad527c6fbf0c02a0014382f73368c5e18fe2b743a5c633de7d6be34e1db5c9c8

Download Submit
\Users\Admin\AppData\Local\Temp\nstE55.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit