118f3e5ff6de52851a3615116a5580dceee6c564b11456850617e7c95337ad57

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fac952b630046702142b8e34e0a098f.exe
Size

648KB
MD5

3fac952b630046702142b8e34e0a098f
SHA1

820bd391b5006861f29deb848783af5f11c69868
SHA256

118f3e5ff6de52851a3615116a5580dceee6c564b11456850617e7c95337ad57
SHA512

4e7f544d7e7d6d9552f2e35051998478031c8bb0949ec3406d864a45e9fa629e22f84d62529da3512503235c44df3126ad417b48c08866024b811d8d5fcfa746
SSDEEP

12288:VAll8Fs2pPcx5AL6AnR9SUCnp4XS3h1GvLzZUBlG7BX4uUb:VAlqVPcHq609LqKSR1QZte

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	1430995618.exe

Loads dropped DLL 11 IoCs

pid	Process
1900	3fac952b630046702142b8e34e0a098f.exe
1900	3fac952b630046702142b8e34e0a098f.exe
1900	3fac952b630046702142b8e34e0a098f.exe
1900	3fac952b630046702142b8e34e0a098f.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2696	2108	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1904	wmic.exe
Token: SeSecurityPrivilege	1904	wmic.exe
Token: SeTakeOwnershipPrivilege	1904	wmic.exe
Token: SeLoadDriverPrivilege	1904	wmic.exe
Token: SeSystemProfilePrivilege	1904	wmic.exe
Token: SeSystemtimePrivilege	1904	wmic.exe
Token: SeProfSingleProcessPrivilege	1904	wmic.exe
Token: SeIncBasePriorityPrivilege	1904	wmic.exe
Token: SeCreatePagefilePrivilege	1904	wmic.exe
Token: SeBackupPrivilege	1904	wmic.exe
Token: SeRestorePrivilege	1904	wmic.exe
Token: SeShutdownPrivilege	1904	wmic.exe
Token: SeDebugPrivilege	1904	wmic.exe
Token: SeSystemEnvironmentPrivilege	1904	wmic.exe
Token: SeRemoteShutdownPrivilege	1904	wmic.exe
Token: SeUndockPrivilege	1904	wmic.exe
Token: SeManageVolumePrivilege	1904	wmic.exe
Token: 33	1904	wmic.exe
Token: 34	1904	wmic.exe
Token: 35	1904	wmic.exe
Token: SeIncreaseQuotaPrivilege	1904	wmic.exe
Token: SeSecurityPrivilege	1904	wmic.exe
Token: SeTakeOwnershipPrivilege	1904	wmic.exe
Token: SeLoadDriverPrivilege	1904	wmic.exe
Token: SeSystemProfilePrivilege	1904	wmic.exe
Token: SeSystemtimePrivilege	1904	wmic.exe
Token: SeProfSingleProcessPrivilege	1904	wmic.exe
Token: SeIncBasePriorityPrivilege	1904	wmic.exe
Token: SeCreatePagefilePrivilege	1904	wmic.exe
Token: SeBackupPrivilege	1904	wmic.exe
Token: SeRestorePrivilege	1904	wmic.exe
Token: SeShutdownPrivilege	1904	wmic.exe
Token: SeDebugPrivilege	1904	wmic.exe
Token: SeSystemEnvironmentPrivilege	1904	wmic.exe
Token: SeRemoteShutdownPrivilege	1904	wmic.exe
Token: SeUndockPrivilege	1904	wmic.exe
Token: SeManageVolumePrivilege	1904	wmic.exe
Token: 33	1904	wmic.exe
Token: 34	1904	wmic.exe
Token: 35	1904	wmic.exe
Token: SeIncreaseQuotaPrivilege	2104	wmic.exe
Token: SeSecurityPrivilege	2104	wmic.exe
Token: SeTakeOwnershipPrivilege	2104	wmic.exe
Token: SeLoadDriverPrivilege	2104	wmic.exe
Token: SeSystemProfilePrivilege	2104	wmic.exe
Token: SeSystemtimePrivilege	2104	wmic.exe
Token: SeProfSingleProcessPrivilege	2104	wmic.exe
Token: SeIncBasePriorityPrivilege	2104	wmic.exe
Token: SeCreatePagefilePrivilege	2104	wmic.exe
Token: SeBackupPrivilege	2104	wmic.exe
Token: SeRestorePrivilege	2104	wmic.exe
Token: SeShutdownPrivilege	2104	wmic.exe
Token: SeDebugPrivilege	2104	wmic.exe
Token: SeSystemEnvironmentPrivilege	2104	wmic.exe
Token: SeRemoteShutdownPrivilege	2104	wmic.exe
Token: SeUndockPrivilege	2104	wmic.exe
Token: SeManageVolumePrivilege	2104	wmic.exe
Token: 33	2104	wmic.exe
Token: 34	2104	wmic.exe
Token: 35	2104	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2108	1900	3fac952b630046702142b8e34e0a098f.exe	40
PID 1900 wrote to memory of 2108	1900	3fac952b630046702142b8e34e0a098f.exe	40
PID 1900 wrote to memory of 2108	1900	3fac952b630046702142b8e34e0a098f.exe	40
PID 1900 wrote to memory of 2108	1900	3fac952b630046702142b8e34e0a098f.exe	40
PID 2108 wrote to memory of 1904	2108	1430995618.exe	29
PID 2108 wrote to memory of 1904	2108	1430995618.exe	29
PID 2108 wrote to memory of 1904	2108	1430995618.exe	29
PID 2108 wrote to memory of 1904	2108	1430995618.exe	29
PID 2108 wrote to memory of 2104	2108	1430995618.exe	39
PID 2108 wrote to memory of 2104	2108	1430995618.exe	39
PID 2108 wrote to memory of 2104	2108	1430995618.exe	39
PID 2108 wrote to memory of 2104	2108	1430995618.exe	39
PID 2108 wrote to memory of 2708	2108	1430995618.exe	38
PID 2108 wrote to memory of 2708	2108	1430995618.exe	38
PID 2108 wrote to memory of 2708	2108	1430995618.exe	38
PID 2108 wrote to memory of 2708	2108	1430995618.exe	38
PID 2108 wrote to memory of 2612	2108	1430995618.exe	35
PID 2108 wrote to memory of 2612	2108	1430995618.exe	35
PID 2108 wrote to memory of 2612	2108	1430995618.exe	35
PID 2108 wrote to memory of 2612	2108	1430995618.exe	35
PID 2108 wrote to memory of 2444	2108	1430995618.exe	34
PID 2108 wrote to memory of 2444	2108	1430995618.exe	34
PID 2108 wrote to memory of 2444	2108	1430995618.exe	34
PID 2108 wrote to memory of 2444	2108	1430995618.exe	34
PID 2108 wrote to memory of 2696	2108	1430995618.exe	36
PID 2108 wrote to memory of 2696	2108	1430995618.exe	36
PID 2108 wrote to memory of 2696	2108	1430995618.exe	36
PID 2108 wrote to memory of 2696	2108	1430995618.exe	36

C:\Users\Admin\AppData\Local\Temp\3fac952b630046702142b8e34e0a098f.exe
"C:\Users\Admin\AppData\Local\Temp\3fac952b630046702142b8e34e0a098f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\1430995618.exe
  C:\Users\Admin\AppData\Local\Temp\1430995618.exe 3,9,7,8,2,0,1,9,3,3,5 LEdCPDsxOCozMBssSk46TklDNC0dKks8TU9NUkpAQTosIikpaHBvY2xgcWleZF41UGVoZF5kYB0mPUFRVEg7Oi8yNCgrGC1DSDs6LRssR0tHQlVCS1xGPzopLzEyMx8mUEJNUzxLV1NSSzRlcW9tMSgncXJ1JUFCTkgkTUdOLUBHTStESz1IGC1DS0BASERBNBknQjE8JC4dKkEpNiUvIC47MDooLhcoPDI9LCgdLD8yNCYpHi9PSUxBUEBLWEhQSVU4QFY4HSZJSk1EVDpRXEBSQzo1Hi9PSUxBUEBLWEY/TUQ0HSxAVTxYTVBMPBcsQlNCVjxFQkxIRUI6Gyw/SEtSX0FJTFROQkk2LR4vUz8+S0ZWRk5XU1JLNB0sUUo0KxgtRFIoOh0qT0xHTEdNRFZUQkdARkY9R01APkJSTUk0GSdHU15JUktPRkQ+NXJydFwdLE1CS05KTElNPlxSTkJJWDw/WVI0Lx0qRUA9PVY9MBcsRk5cO1JGP01IOlxCSUBJUkhSRUM0Y15ncFwZJ0JPVkVJTDxBVkJIOzQ4JS4yLCssLiYvMi8XLFFESjw2KTIzMCk0Li8xKRknQk9WRUlMPEFWTUFLRTwsLC4rLCkpKTMqMjEvMTUtKSNISyAuTD46GyxMS0Q7aHNrbSIuXhwrXiMyZV5icW0rXWJkYzhjXHBob2xnJ1ttbSQpY09wa0tiZWNEbm5raWpeW0ZZbGFmXG9cX2JnZWd3JTFdLy8tLykrKjAyMSkvLy0iKV9cbXdtY2xeX2pYZ1llZXEcL2NiYmsuLiMzZWciMF8uMCwuMSUxLWEiLmEpMC8vMiQpM2kgMFsrLjc0MhwvM2kiKl0pKXBxZmFyXnFlWmVjJTJbT2JkalhgXSMyNV1maWBrWGZdIzNjSWJmaF5eXg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2108

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703627929.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703627929.txt bios get version
1⤵
PID:2444

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703627929.txt bios get version
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2696

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703627929.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703627929.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
93KB

MD5
3b7402beafffd27af3fca1d85fcb6342

SHA1
5eeddb42e0684bbbaa2d764895fe314fb7ae4a34

SHA256
ddd934d7c796f7d0df7441181082522493f277e0407ab7495d883c872c1a3c41

SHA512
844896dfd9ef524506d11ccab4b8db7e00778268ef5da350aca5a4ea4917d5d2e12d978329e22a362fa00c670a2e07c7a4a5e12916754a08b3662330bbf5ce36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
382KB

MD5
a15a38ff72aef5f50d529525df131f5b

SHA1
3e8e9108111345391237d1877ecfedbbc93c5972

SHA256
8e06da536abac75d87e236b71ae1f4578856d4ce63eb472b30d1ca5797b3e4a8

SHA512
18305fa596c7bd3fb1bff4c0cc075c7e357b09552694ea149fe93fbee3bf613773837d2bd938fdc2c8c2e3a124d932591c5d43770475ca012838abd0a77e6c02

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
928KB

MD5
cdc736e0f419328a520686337059422a

SHA1
4e62d9bb159ddba558c607398adee7f8e5fe7eb9

SHA256
304263d7a4374aeb5505c5a8c7811e3db48fd6b7db775a19f87f83b3b088d70c

SHA512
cb92774f0fe2df891082daac52171223fd58b2a14b4bdc333cfb83a7d699829cb3bc31923f7470b8c27d38ff85bacdff78ab2f6859d14372a98f5659a23b47a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFBB.tmp\hwkqgss.dll

Filesize
153KB

MD5
479e04762963aff3a2973d9f80c2e130

SHA1
0487115ad40cb9989a1661159d1e439a4c4430ba

SHA256
6a2f3a02e06f052d8d823f9358a062549daa9ed7d4070374b78d4f7593b9ded6

SHA512
8dd0081f819b19a764ca0904e50616ee5ae77a5964d33f5b2f6a3bdabdbc354a3dd47865cc79f081e90bd7e17e57f33fa479d6d8c55ff070af6dd2a87ca36eb5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFBB.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit