21c8bb4e7a319d0d7e6ed302de1224094bc6d59b3cd73bb30527c831bc4a8303

Analysis

max time kernel
116s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

121fb174f56325c6654de4503c7f3746.exe
Size

759KB
MD5

121fb174f56325c6654de4503c7f3746
SHA1

ddc6e9b2f8333d71e9057b07ff780e7faf14bb3c
SHA256

21c8bb4e7a319d0d7e6ed302de1224094bc6d59b3cd73bb30527c831bc4a8303
SHA512

8f65ee11e66e2d71d4d030953b6ae1c6aa4b0941d7c99f6069a305199d28bf1f0c347a80221c535002b3ab97bb8b56544fe30561d1776a7cafa4d617cf6af21e
SSDEEP

12288:9qt53Ys2ZELwbbuMc0ckdSq7yvRajGvuUrSRynv9rVlwVALGZkZPCfCvIqLmwl5N:9qAs2ZEL8CM3cuvQajAuYnvUucOUWlX/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4872	1432479682.exe

Loads dropped DLL 2 IoCs

pid	Process
4904	121fb174f56325c6654de4503c7f3746.exe
4904	121fb174f56325c6654de4503c7f3746.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3792	4872	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: 36	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: 36	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	4288	wmic.exe
Token: SeSecurityPrivilege	4288	wmic.exe
Token: SeTakeOwnershipPrivilege	4288	wmic.exe
Token: SeLoadDriverPrivilege	4288	wmic.exe
Token: SeSystemProfilePrivilege	4288	wmic.exe
Token: SeSystemtimePrivilege	4288	wmic.exe
Token: SeProfSingleProcessPrivilege	4288	wmic.exe
Token: SeIncBasePriorityPrivilege	4288	wmic.exe
Token: SeCreatePagefilePrivilege	4288	wmic.exe
Token: SeBackupPrivilege	4288	wmic.exe
Token: SeRestorePrivilege	4288	wmic.exe
Token: SeShutdownPrivilege	4288	wmic.exe
Token: SeDebugPrivilege	4288	wmic.exe
Token: SeSystemEnvironmentPrivilege	4288	wmic.exe
Token: SeRemoteShutdownPrivilege	4288	wmic.exe
Token: SeUndockPrivilege	4288	wmic.exe
Token: SeManageVolumePrivilege	4288	wmic.exe
Token: 33	4288	wmic.exe
Token: 34	4288	wmic.exe
Token: 35	4288	wmic.exe
Token: 36	4288	wmic.exe
Token: SeIncreaseQuotaPrivilege	4288	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4872	4904	121fb174f56325c6654de4503c7f3746.exe	36
PID 4904 wrote to memory of 4872	4904	121fb174f56325c6654de4503c7f3746.exe	36
PID 4904 wrote to memory of 4872	4904	121fb174f56325c6654de4503c7f3746.exe	36
PID 4872 wrote to memory of 2100	4872	1432479682.exe	20
PID 4872 wrote to memory of 2100	4872	1432479682.exe	20
PID 4872 wrote to memory of 2100	4872	1432479682.exe	20
PID 4872 wrote to memory of 4288	4872	1432479682.exe	25
PID 4872 wrote to memory of 4288	4872	1432479682.exe	25
PID 4872 wrote to memory of 4288	4872	1432479682.exe	25
PID 4872 wrote to memory of 2884	4872	1432479682.exe	34
PID 4872 wrote to memory of 2884	4872	1432479682.exe	34
PID 4872 wrote to memory of 2884	4872	1432479682.exe	34
PID 4872 wrote to memory of 3612	4872	1432479682.exe	28
PID 4872 wrote to memory of 3612	4872	1432479682.exe	28
PID 4872 wrote to memory of 3612	4872	1432479682.exe	28
PID 4872 wrote to memory of 2872	4872	1432479682.exe	33
PID 4872 wrote to memory of 2872	4872	1432479682.exe	33
PID 4872 wrote to memory of 2872	4872	1432479682.exe	33

C:\Users\Admin\AppData\Local\Temp\121fb174f56325c6654de4503c7f3746.exe
"C:\Users\Admin\AppData\Local\Temp\121fb174f56325c6654de4503c7f3746.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\1432479682.exe
  C:\Users\Admin\AppData\Local\Temp\1432479682.exe 8/7/0/7/8/7/0/6/6/9/2 J0lJPTUtODAtFy1LTkJJQT09KhomTD1NV0hKREk+NygeJz1JTExCRDcwLDQxGS88QT09KhomTkpIRE47TV9DPjQ0KS45GSdMRUxQPFBXTlJFNWF0bmoxLSdscm8mPUVNRSRSR0ktOkhJLkNIPU0YKENFQTxLQz40Hic9MTYlKiApPik7JSogKDwsPScrFy08LT0mKRkvPi80KykZL0lKSERPPUtdSEtJTzk8WTcaJk5KSEROO01fP09DPzUZL0lKSERPPUtdRjpNPjVMa3NqXCwvJzInKCcxGik8Vj1YVUtENiApP09DVzxNPURCTj83Fy1ASFNNVztSSVFKQ0o2MRknTUg7SEJXR05fTkpFPRopTUs1KyAoPEwxNxomUE1HVEJFPl9RP0NBR0ZFQkU6Rz9PSUo1GS9CS1hST0hLR0U+PW1qbmUaKUlDTE5SR0FHR1lPSkNKWEQ6UUw9LBomRkE9RVE1KiApQ0pdPFJOOkVCQ1k/RUFKUlBNPT09YFtjcV0ZLz1HUE5GSThCV0JQNjAtLiszKiwqKjYnLywgKU5ASz02MS0rKzQyLy0vMRkvPUdQTkZJOEJXTUlGPTY1KSwrLSopMS4iLTouKjEvMSNQRg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4872

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703470280.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703470280.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703470280.txt bios get version
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4872 -ip 4872
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 852
1⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703470280.txt bios get version
1⤵
PID:2872

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703470280.txt bios get version
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432479682.exe

Filesize
382KB

MD5
f2a82d146e409ca7d6d78092a0ad34c5

SHA1
285e4108cdf91e850fc185f8487756117937390f

SHA256
6eb7bc40783440253fdd551ecaec16dcbd06aebca6054ec073473649d2397cce

SHA512
6c27a4edf4c26442ba69e555b80831384928117c6efb68559fdf052fb079009c233e7f8f42d41c4259447780bae302c50d68c40483d8f8f4b6c0c234d849cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1432479682.exe

Filesize
92KB

MD5
bd2066f7cd8ac44b8f4f4a9c6d724da0

SHA1
1ffc7c8ec8ab412cc657bf423256fb76116b995c

SHA256
b367a8aa6ee0e8047af7b10b47bd4a3315a2403dd949056e38212b149e20223f

SHA512
4c8f4f8bbeae2ab4d754d489a8d54974efbb26bfdc7d40832feba9a62c533a6d7b3686d9ecf748864dbff07e1372ace4c69042d69a22ee752c9c612f50dde93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv472C.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv472C.tmp\iymcmjl.dll

Filesize
94KB

MD5
80882e3ffbc562cdc19ac88c31957c03

SHA1
cf91453c329d6968a11ab17b3d9c917e513bc113

SHA256
c65cc689393021956e410e78323d62d8e76f16e5ccac96f9f2479ea983f20a8b

SHA512
15fe2e82454314a1e912b0cc60cdbda748bceee8dffa47505831b2161766187d3938c3262602fb2304156fe2bb822bcf7fcce7e29669f2457ee56e92d338ec3a

Download Submit