21ea8ae337cd406d83594b0f3d3cd60bc29eb8eca0d4af504059d0072a959f90

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e251debfd43aef9596628cba2b1f2ce.exe
Size

631KB
MD5

3e251debfd43aef9596628cba2b1f2ce
SHA1

cf8a570f176e0615c03cad9aa6438abd55467793
SHA256

21ea8ae337cd406d83594b0f3d3cd60bc29eb8eca0d4af504059d0072a959f90
SHA512

7c7e175767291dadb89065e9e29b9882f70a1479e038eacc3cebc52d218d8647c12518899c6eaddbac09441b050538164f9e0fa60364f49d6c5eba3b8629f3f3
SSDEEP

12288:7/xcy/ZUAdnR5xtlJQ9fptF70Uc8pyz/n+C9/NkpwR8EzOL39MrVOVP8Ov:7/xcUumnR5hJQ9fpL70Spu++uE8bLyY1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	1430924520.exe

Loads dropped DLL 11 IoCs

pid	Process
2060	3e251debfd43aef9596628cba2b1f2ce.exe
2060	3e251debfd43aef9596628cba2b1f2ce.exe
2060	3e251debfd43aef9596628cba2b1f2ce.exe
2060	3e251debfd43aef9596628cba2b1f2ce.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	3056	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3004	wmic.exe
Token: SeSecurityPrivilege	3004	wmic.exe
Token: SeTakeOwnershipPrivilege	3004	wmic.exe
Token: SeLoadDriverPrivilege	3004	wmic.exe
Token: SeSystemProfilePrivilege	3004	wmic.exe
Token: SeSystemtimePrivilege	3004	wmic.exe
Token: SeProfSingleProcessPrivilege	3004	wmic.exe
Token: SeIncBasePriorityPrivilege	3004	wmic.exe
Token: SeCreatePagefilePrivilege	3004	wmic.exe
Token: SeBackupPrivilege	3004	wmic.exe
Token: SeRestorePrivilege	3004	wmic.exe
Token: SeShutdownPrivilege	3004	wmic.exe
Token: SeDebugPrivilege	3004	wmic.exe
Token: SeSystemEnvironmentPrivilege	3004	wmic.exe
Token: SeRemoteShutdownPrivilege	3004	wmic.exe
Token: SeUndockPrivilege	3004	wmic.exe
Token: SeManageVolumePrivilege	3004	wmic.exe
Token: 33	3004	wmic.exe
Token: 34	3004	wmic.exe
Token: 35	3004	wmic.exe
Token: SeIncreaseQuotaPrivilege	3004	wmic.exe
Token: SeSecurityPrivilege	3004	wmic.exe
Token: SeTakeOwnershipPrivilege	3004	wmic.exe
Token: SeLoadDriverPrivilege	3004	wmic.exe
Token: SeSystemProfilePrivilege	3004	wmic.exe
Token: SeSystemtimePrivilege	3004	wmic.exe
Token: SeProfSingleProcessPrivilege	3004	wmic.exe
Token: SeIncBasePriorityPrivilege	3004	wmic.exe
Token: SeCreatePagefilePrivilege	3004	wmic.exe
Token: SeBackupPrivilege	3004	wmic.exe
Token: SeRestorePrivilege	3004	wmic.exe
Token: SeShutdownPrivilege	3004	wmic.exe
Token: SeDebugPrivilege	3004	wmic.exe
Token: SeSystemEnvironmentPrivilege	3004	wmic.exe
Token: SeRemoteShutdownPrivilege	3004	wmic.exe
Token: SeUndockPrivilege	3004	wmic.exe
Token: SeManageVolumePrivilege	3004	wmic.exe
Token: 33	3004	wmic.exe
Token: 34	3004	wmic.exe
Token: 35	3004	wmic.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3056	2060	3e251debfd43aef9596628cba2b1f2ce.exe	28
PID 2060 wrote to memory of 3056	2060	3e251debfd43aef9596628cba2b1f2ce.exe	28
PID 2060 wrote to memory of 3056	2060	3e251debfd43aef9596628cba2b1f2ce.exe	28
PID 2060 wrote to memory of 3056	2060	3e251debfd43aef9596628cba2b1f2ce.exe	28
PID 3056 wrote to memory of 3004	3056	1430924520.exe	27
PID 3056 wrote to memory of 3004	3056	1430924520.exe	27
PID 3056 wrote to memory of 3004	3056	1430924520.exe	27
PID 3056 wrote to memory of 3004	3056	1430924520.exe	27
PID 3056 wrote to memory of 2704	3056	1430924520.exe	26
PID 3056 wrote to memory of 2704	3056	1430924520.exe	26
PID 3056 wrote to memory of 2704	3056	1430924520.exe	26
PID 3056 wrote to memory of 2704	3056	1430924520.exe	26
PID 3056 wrote to memory of 2608	3056	1430924520.exe	19
PID 3056 wrote to memory of 2608	3056	1430924520.exe	19
PID 3056 wrote to memory of 2608	3056	1430924520.exe	19
PID 3056 wrote to memory of 2608	3056	1430924520.exe	19
PID 3056 wrote to memory of 2584	3056	1430924520.exe	23
PID 3056 wrote to memory of 2584	3056	1430924520.exe	23
PID 3056 wrote to memory of 2584	3056	1430924520.exe	23
PID 3056 wrote to memory of 2584	3056	1430924520.exe	23
PID 3056 wrote to memory of 2440	3056	1430924520.exe	20
PID 3056 wrote to memory of 2440	3056	1430924520.exe	20
PID 3056 wrote to memory of 2440	3056	1430924520.exe	20
PID 3056 wrote to memory of 2440	3056	1430924520.exe	20
PID 3056 wrote to memory of 1632	3056	1430924520.exe	40
PID 3056 wrote to memory of 1632	3056	1430924520.exe	40
PID 3056 wrote to memory of 1632	3056	1430924520.exe	40
PID 3056 wrote to memory of 1632	3056	1430924520.exe	40

C:\Users\Admin\AppData\Local\Temp\3e251debfd43aef9596628cba2b1f2ce.exe
"C:\Users\Admin\AppData\Local\Temp\3e251debfd43aef9596628cba2b1f2ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\1430924520.exe
  C:\Users\Admin\AppData\Local\Temp\1430924520.exe 5*6*4*9*4*9*5*1*2*8*0 KkpFOzkoNDI0KyAqTVE5TEA/PC4YL0k/UE5LSUZIQjUxICwsZ25mX3RhbG5cZ2E0TlxkbF9fZRspQEBPS0RDOyo3MisuFys6REM7KCAqSk5GQEw+U11BRDgsMjAwKhsuUT1SUT9OVlFJRzxmbHRrNCsmb2lxLUI9U0YnUEZMJDxPTiZJSUBLFys6R0hBQ0k/NxwmQCg4LC8YLz8sOSQtFypDMTUtLBorOzA0KDAeJ0QwNykoHCZLUU08VT5OW0dOQFFAQVE9GylMSUs7UEJSV0VQRj00HCZLUU08VT5OW0U9REA8HidFUz9bTE5DOB8tPVhAWT9EQENETUM1ICpCS0pQVj1RTU9TQEw5LBwmT0c/RktUSVFWUUlHPB4nVkg3LhcrO04wOxgvTU9KS0VEQF5VPUw+SUk8RUQ8RkNNUkc3HCZFSlpRU0ZUREdBNHBpcGQeJ1JATlFJSkBJRl1NU0BMWzs9UE48MBgvQ0NAPFQ0LB8tQVNaPlVFPUREQl09Tj5MVUdQPD88ZFlsbl8cJkBGUk1KR0E/WUVHOS8uLTQuLiwyNCUtLDAfLUxJSD85KDAqKzgxLTIyLhwmQEZSTUpHQT9ZUEBJPDg0LS4vLSotLCYtNS8vMjEvJExEHCZQQDsYL1BMSDRka29vIythICxiHC5dYmRyai5hY2hcNFtgcmlsb2soX2ZpHC1lUG1uT2NpXEBmcm1qZ2FfR11lXV5gcV1cZWtma3AhKWExMCoyLSwuKS4pLTEwKiUtYGBmc2Vnbl9cbVxoXV5haSAxZF9lby8yHC9dayQxXDE0LTIqISkxYyMrZC0xMyguHC01ah0zXywyMDAqIDE0ZiUuXi0ibGlqY3NbdGlbaVwhKl9RY2FtXGFhHC4tYWhqXW5cZ2EcL1tNZGdlYWJf
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1632

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703625015.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703625015.txt bios get version
1⤵
PID:2440

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703625015.txt bios get version
1⤵
PID:2584

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703625015.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703625015.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\frjhhh.dll

Filesize
92KB

MD5
7c23229d5c12d2fd5d0e3c3432ede3b2

SHA1
65c81e8e5431c24309f6108bdcb5702b6b1378ae

SHA256
a903e52aece837939dde19d71428b0577cf0d7dacfa75914d6b32a0ba671019f

SHA512
c14b5bd092a0b68e4c4ce4160432f1ef7a6f26195ab4978e9a041e6e855f96dec3e277996920a266a984333e1daf6f404fc93882df985e66345b9715e2612ff2

Download Submit
\Users\Admin\AppData\Local\Temp\1430924520.exe

Filesize
92KB

MD5
c4824474a6047146446b523de9873e86

SHA1
6e19a352e605f292ab4d640d61ac90efa2ddee08

SHA256
4eee540890af80e70eb0114eeb42871114a751d2380443a57fa95bf3ea905a1a

SHA512
df4f5b3026c2ee86043d13e9dceedd96e25579c2cd60d7eba615a384be7d745d9608d5e0a13839037bb842cf5bee0ae86aaddb795ae7815d89d338c9f45beb5f

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\frjhhh.dll

Filesize
95KB

MD5
d6f0a1b196b88240fef0ab1e9428bf34

SHA1
f6837a8e4266f1b1cbc8c1ebd9ba585170e31008

SHA256
7d660caf5493391198197a2d1127c36dbca4b85a3ecf93e61f3a77d6f7eb631b

SHA512
607751450ae95afa9da48cc88b6ef1395857ea29ababeae6e29c54d90ca5374f28fa10c1b52e9f38ffed4ec0edfb8addf820fb4493506f1e7b9f4a451e4cba50

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit