d7074a99b06f3e8a021f10728079294535469cbbcce319e787138ca1056f3513

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 20:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1214084291c2282508c8d7bcdefe337d.exe
Size

581KB
MD5

1214084291c2282508c8d7bcdefe337d
SHA1

b20ecc098940f7ac1f959b7ed4eb3b54eded639a
SHA256

d7074a99b06f3e8a021f10728079294535469cbbcce319e787138ca1056f3513
SHA512

7958c55524bf4631cb70f187e4638377b0aa6251b6c1ecfcc688c948d8641f8b3b06d4bd9755381e9cffa516119c362759d47b727e473edd31e49f036b11d8f4
SSDEEP

12288:MZ4hUnM8rC6ibkVAw9gPdR0YaFYponURzneJOYLT5go9GlD:MZ4hmjrebk29PdR0Kponczne4W5u

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	1431820951.exe

Loads dropped DLL 11 IoCs

pid	Process
1692	1214084291c2282508c8d7bcdefe337d.exe
1692	1214084291c2282508c8d7bcdefe337d.exe
1692	1214084291c2282508c8d7bcdefe337d.exe
1692	1214084291c2282508c8d7bcdefe337d.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
780	2700	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	2660	wmic.exe
Token: SeSecurityPrivilege	2660	wmic.exe
Token: SeTakeOwnershipPrivilege	2660	wmic.exe
Token: SeLoadDriverPrivilege	2660	wmic.exe
Token: SeSystemProfilePrivilege	2660	wmic.exe
Token: SeSystemtimePrivilege	2660	wmic.exe
Token: SeProfSingleProcessPrivilege	2660	wmic.exe
Token: SeIncBasePriorityPrivilege	2660	wmic.exe
Token: SeCreatePagefilePrivilege	2660	wmic.exe
Token: SeBackupPrivilege	2660	wmic.exe
Token: SeRestorePrivilege	2660	wmic.exe
Token: SeShutdownPrivilege	2660	wmic.exe
Token: SeDebugPrivilege	2660	wmic.exe
Token: SeSystemEnvironmentPrivilege	2660	wmic.exe
Token: SeRemoteShutdownPrivilege	2660	wmic.exe
Token: SeUndockPrivilege	2660	wmic.exe
Token: SeManageVolumePrivilege	2660	wmic.exe
Token: 33	2660	wmic.exe
Token: 34	2660	wmic.exe
Token: 35	2660	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2700	1692	1214084291c2282508c8d7bcdefe337d.exe	28
PID 1692 wrote to memory of 2700	1692	1214084291c2282508c8d7bcdefe337d.exe	28
PID 1692 wrote to memory of 2700	1692	1214084291c2282508c8d7bcdefe337d.exe	28
PID 1692 wrote to memory of 2700	1692	1214084291c2282508c8d7bcdefe337d.exe	28
PID 2700 wrote to memory of 2816	2700	1431820951.exe	29
PID 2700 wrote to memory of 2816	2700	1431820951.exe	29
PID 2700 wrote to memory of 2816	2700	1431820951.exe	29
PID 2700 wrote to memory of 2816	2700	1431820951.exe	29
PID 2700 wrote to memory of 2660	2700	1431820951.exe	32
PID 2700 wrote to memory of 2660	2700	1431820951.exe	32
PID 2700 wrote to memory of 2660	2700	1431820951.exe	32
PID 2700 wrote to memory of 2660	2700	1431820951.exe	32
PID 2700 wrote to memory of 2708	2700	1431820951.exe	35
PID 2700 wrote to memory of 2708	2700	1431820951.exe	35
PID 2700 wrote to memory of 2708	2700	1431820951.exe	35
PID 2700 wrote to memory of 2708	2700	1431820951.exe	35
PID 2700 wrote to memory of 2592	2700	1431820951.exe	36
PID 2700 wrote to memory of 2592	2700	1431820951.exe	36
PID 2700 wrote to memory of 2592	2700	1431820951.exe	36
PID 2700 wrote to memory of 2592	2700	1431820951.exe	36
PID 2700 wrote to memory of 2056	2700	1431820951.exe	38
PID 2700 wrote to memory of 2056	2700	1431820951.exe	38
PID 2700 wrote to memory of 2056	2700	1431820951.exe	38
PID 2700 wrote to memory of 2056	2700	1431820951.exe	38
PID 2700 wrote to memory of 780	2700	1431820951.exe	40
PID 2700 wrote to memory of 780	2700	1431820951.exe	40
PID 2700 wrote to memory of 780	2700	1431820951.exe	40
PID 2700 wrote to memory of 780	2700	1431820951.exe	40

C:\Users\Admin\AppData\Local\Temp\1214084291c2282508c8d7bcdefe337d.exe
"C:\Users\Admin\AppData\Local\Temp\1214084291c2282508c8d7bcdefe337d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\1431820951.exe
  C:\Users\Admin\AppData\Local\Temp\1431820951.exe 8*6*8*1*3*7*3*4*9*1*7 J0pBQzosLS4pHyhLTzpPRj06LBcuRz1OT05PREZANC8ZJz5BUlFCQTkpNisvLBguQEJBOScfKEhMR0NSPFFbQEM2KTAxMx0oUEFJVT5KWU1RSTZlcGtvMycpa3FzJ0FBSkomTElILD5JTSpATT9HGidCSUJAR0BDNm9FO0JRRk9ALVI/TT9AOEgpMTIqRkZJRRguQSo6LSgvKS0aJ0MvNiotFy49KzclMB0oQTA0LCoYKTw0OiYuHCZPS0c+TUJRWE1OQFU6O1M1HyxJT0s7VDxMWT1USTo6HCZPS0c+TUJRWEs9REQ2GCk9V0JYUk5DPBknP1BEXDxKQENIRz03GC5FSFBQVkFLR1FLRE82LRwmU0E5SENYTE5cUUlLNhgpTkw6Kx0rO1IqNRonUVJHUUVERFhPP0RCTEZCRURAQD1PSks6GSxFSl5LTUhMSEo+OnBpdF4YKUpEUU5PSkBNQFdPS0RPWEE9UFI2KhonR0Y9QlQ0MBknQ0teQVJLPURIPFc/RkJPUk1QPEM2XltkcmIZLEBGVkdESTlDXEJNOS01JyouMS01LCstMDcZJ05BTEI2LjAqMDEqMSsvNBksQEZWR0RJOUNcTUZJPDwuJysvLi8pLjEhMDMsMjIxNCM+SRcuTjk3RW53YmloWCQrXi8mLyghVGVlY2hvbSNNUSQzKigkLFolT05ULzEhKmEkTGxhY2JncSEpZTAmKh0yXyRvchwyWikrJi8iLF8nPlM7LygtKChlZmdcKkBdXWNuHShSTkM8YWxuaCQwWiIuXSQrXmFdcy4nLS0oMF1dbWFmaydmal1uHipgSnRrTWZpXENob2hkbl5dSl1lYGBdbFdjYmlpa3AkK14rLDIuMS8zKi8xHSxeY2xwa2hmYF1lW2ZgZF5vISllKiwtKTcvMDAsLyQsXjMqLy4wNS8uNS4sUmVNLU1nPWpPQGMtRGh0aUo/UWlHYWkoSnc+cUVkTDBFTk14STxLakV4bGFRcTc2RkBrZktMLGFQeDEpSHY8a1FLbS5JZmxlVTpyMEROOWVVPUYuQXhwYVJPY3BTRGBRYGUsLVpsQ2tgLzhrUT9MZVdET2hVO1EqSypBN1E+bUhHaT9ISk5NQ0t3RjtLTChxRGpLPlEsamtSZG5rWXdccQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703524796.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703524796.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703524796.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703524796.txt bios get version
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703524796.txt bios get version
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
315KB

MD5
795e3d139ac93d5ba1b033e2e145998d

SHA1
dbe52af6a91a4c9722e7746935458f970cce4e39

SHA256
c506ccad9165ff428b5a1b7da08d31b525d50f6d6d38f81c3e896e6fbe43606a

SHA512
a2ff48cff523339c0636f97843d7692ffc5170446d1609129a77847209d03e4380370793b2418c0ccc4297f5146d88e910d19d746844340f76e87653396032d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
256KB

MD5
12de15df78d0524ea3f290bdf00d5b92

SHA1
7d76c8be8faf37b084affa3649ddbbdfb603abe3

SHA256
15f1c661f6a77a92d2ffaa58ed4031eafc2d386c7f4e2c3e18dc0321535dda08

SHA512
489e27b96efd2ded4a1ecaa2f8973e2af61ebb388164c825b8733ae132d14950322dba70bb24e630feaf34e014a3b502241a1fda0bc6a5f1f8709bfce8ec285d

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703524796.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj67AA.tmp\kaxgcem.dll

Filesize
153KB

MD5
64ffd6dbd03f55408fbc6640317368f0

SHA1
227d86d47d53d5f62a2227e6d2b282519d38005d

SHA256
b8d9b2c53ea62560b03c2ef9f139370380b4c931d1fc02172bc7e1a98e41ffc3

SHA512
ba03c31e00ec24a7bd4e59088feaee3eb389b459cbd041613222f95d9ea1689920127d390d81c2e0000ccf72f67a2043cf81dd324cab3c887003aa93783501c8

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
704KB

MD5
81f7313cbd5ba39899a8919c302e862f

SHA1
75283af84f334ff0ff5ff49e8d25c81a9c7bb090

SHA256
a74f7cb817fd20982acb2b996049013e5b3246419ca441ade93997dbc9b296f3

SHA512
1525eee8d4174f45e437e411520ab35c4ffcb9dac81ee7e8213266c19915b9e500e192b1f19bd4b8c4ce5fadcf89b810b154059613cdc608c131eedd32f46dca

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
305KB

MD5
03bf20fd326196490d7e4fab3c24e294

SHA1
9a92e6fc6f84b9ab54d3b515fbb1e5acc277c21f

SHA256
a491605cd97415d02a3b196d627374a55ced27891cb3336203029e7ab8d9abab

SHA512
73aaf225ba42e8fb0e07a0da5ee0bea8e19fb1c7a9b632a81cf471ec9eee43350df09d1a32d2c55a497b72b4a908acf4c911d4a2ae4f74f54d54586587acf838

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
64KB

MD5
5631cd8e833f6295022023055e15ecae

SHA1
7cfca551fb2104072582a829f1d648ad839f15b3

SHA256
13efa98de48e1147f4eef31455a531640a7efb3b408ed8fc20818638acb29a14

SHA512
92bc56928a39c46403b1a55199e9c0f9730b59e7ec0d0143902427e763d4769da348f2a167ae9ee34bf485ba7d8f3d278a5a9feff8bff5325ed494c3f9e086da

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
203KB

MD5
764ba5bd39be69d23d2844053e9256b8

SHA1
6b25bd27e128331ea0c305913c5a4ec094e3e7a0

SHA256
cab6a2450e5cf3bba60734386be4dbf4b8d05f19f0ca9c45855e20515413bf6b

SHA512
fce5480d071c2b28a9ab6719fdd84a71041594ec8eef5d6bfef8dcec7b61de3506bad54af7c813e26a1c8dff6cb466ea8044425818c6a096dac19d230ce10b1d

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
192KB

MD5
90df36e5d64f9d1c9df3d1dd26b3a9fe

SHA1
8e4c5e11750233fa2d3e084b0edb16ad34ec38c9

SHA256
8839d2fd09af8e6f144a9ee083e6962e9c5290da3a577936c64e8627d36ae576

SHA512
cc115b641d897eebb369dc4cee8bad8455c25d75e4f2081cf3b2398939f364b8257e3e2ba72d9137839d30eadc601768b54908e7f83bb529e71bf30052e5714f

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
679KB

MD5
14a90dc3f83b9f3eb4e4fafb4f7ee477

SHA1
1554d4a19195479d8ee250b51e4d7ebfa6d2cf0b

SHA256
b4d9b43721d2acd3fb9e33368a0d6c350ef9ad405d86402a5f41c798cb0022d2

SHA512
9bc61f57f5f18c947619dab55595a391efbf0f18b4f4662fc22ea3ebed927c6471ec3fabaea2e01c3765d0a782b1e0a8e751204527ced67ac4619999316cefdd

Download Submit
\Users\Admin\AppData\Local\Temp\nsj67AA.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit