13bf7211134ca383262be765c2acffd4c082dd4039673933340c4f39817e994e

Analysis

max time kernel
3s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0113ac38fe89817af3d2bf03f1c9e68b.exe
Size

581KB
MD5

0113ac38fe89817af3d2bf03f1c9e68b
SHA1

1c019c3273dd04ed157fd186f3799811e5432714
SHA256

13bf7211134ca383262be765c2acffd4c082dd4039673933340c4f39817e994e
SHA512

870fcf30c6fd04c416cbb8aa758347f0acf5088e2554cca5ff900a0eef1f22eb48bce8e65e45eabb85939b72b4c7309c5369ff3f2cff0114710037e031209d0b
SSDEEP

12288:u9DJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+4:uFJbl+36tKPdhJ7D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	1431831751.exe

Loads dropped DLL 4 IoCs

pid	Process
2060	0113ac38fe89817af3d2bf03f1c9e68b.exe
2060	0113ac38fe89817af3d2bf03f1c9e68b.exe
2060	0113ac38fe89817af3d2bf03f1c9e68b.exe
2060	0113ac38fe89817af3d2bf03f1c9e68b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2668	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2784	wmic.exe
Token: SeSecurityPrivilege	2784	wmic.exe
Token: SeTakeOwnershipPrivilege	2784	wmic.exe
Token: SeLoadDriverPrivilege	2784	wmic.exe
Token: SeSystemProfilePrivilege	2784	wmic.exe
Token: SeSystemtimePrivilege	2784	wmic.exe
Token: SeProfSingleProcessPrivilege	2784	wmic.exe
Token: SeIncBasePriorityPrivilege	2784	wmic.exe
Token: SeCreatePagefilePrivilege	2784	wmic.exe
Token: SeBackupPrivilege	2784	wmic.exe
Token: SeRestorePrivilege	2784	wmic.exe
Token: SeShutdownPrivilege	2784	wmic.exe
Token: SeDebugPrivilege	2784	wmic.exe
Token: SeSystemEnvironmentPrivilege	2784	wmic.exe
Token: SeRemoteShutdownPrivilege	2784	wmic.exe
Token: SeUndockPrivilege	2784	wmic.exe
Token: SeManageVolumePrivilege	2784	wmic.exe
Token: 33	2784	wmic.exe
Token: 34	2784	wmic.exe
Token: 35	2784	wmic.exe
Token: SeIncreaseQuotaPrivilege	2784	wmic.exe
Token: SeSecurityPrivilege	2784	wmic.exe
Token: SeTakeOwnershipPrivilege	2784	wmic.exe
Token: SeLoadDriverPrivilege	2784	wmic.exe
Token: SeSystemProfilePrivilege	2784	wmic.exe
Token: SeSystemtimePrivilege	2784	wmic.exe
Token: SeProfSingleProcessPrivilege	2784	wmic.exe
Token: SeIncBasePriorityPrivilege	2784	wmic.exe
Token: SeCreatePagefilePrivilege	2784	wmic.exe
Token: SeBackupPrivilege	2784	wmic.exe
Token: SeRestorePrivilege	2784	wmic.exe
Token: SeShutdownPrivilege	2784	wmic.exe
Token: SeDebugPrivilege	2784	wmic.exe
Token: SeSystemEnvironmentPrivilege	2784	wmic.exe
Token: SeRemoteShutdownPrivilege	2784	wmic.exe
Token: SeUndockPrivilege	2784	wmic.exe
Token: SeManageVolumePrivilege	2784	wmic.exe
Token: 33	2784	wmic.exe
Token: 34	2784	wmic.exe
Token: 35	2784	wmic.exe
Token: SeIncreaseQuotaPrivilege	2748	wmic.exe
Token: SeSecurityPrivilege	2748	wmic.exe
Token: SeTakeOwnershipPrivilege	2748	wmic.exe
Token: SeLoadDriverPrivilege	2748	wmic.exe
Token: SeSystemProfilePrivilege	2748	wmic.exe
Token: SeSystemtimePrivilege	2748	wmic.exe
Token: SeProfSingleProcessPrivilege	2748	wmic.exe
Token: SeIncBasePriorityPrivilege	2748	wmic.exe
Token: SeCreatePagefilePrivilege	2748	wmic.exe
Token: SeBackupPrivilege	2748	wmic.exe
Token: SeRestorePrivilege	2748	wmic.exe
Token: SeShutdownPrivilege	2748	wmic.exe
Token: SeDebugPrivilege	2748	wmic.exe
Token: SeSystemEnvironmentPrivilege	2748	wmic.exe
Token: SeRemoteShutdownPrivilege	2748	wmic.exe
Token: SeUndockPrivilege	2748	wmic.exe
Token: SeManageVolumePrivilege	2748	wmic.exe
Token: 33	2748	wmic.exe
Token: 34	2748	wmic.exe
Token: 35	2748	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2668	2060	0113ac38fe89817af3d2bf03f1c9e68b.exe	26
PID 2060 wrote to memory of 2668	2060	0113ac38fe89817af3d2bf03f1c9e68b.exe	26
PID 2060 wrote to memory of 2668	2060	0113ac38fe89817af3d2bf03f1c9e68b.exe	26
PID 2060 wrote to memory of 2668	2060	0113ac38fe89817af3d2bf03f1c9e68b.exe	26
PID 2668 wrote to memory of 2784	2668	1431831751.exe	24
PID 2668 wrote to memory of 2784	2668	1431831751.exe	24
PID 2668 wrote to memory of 2784	2668	1431831751.exe	24
PID 2668 wrote to memory of 2784	2668	1431831751.exe	24
PID 2668 wrote to memory of 2748	2668	1431831751.exe	40
PID 2668 wrote to memory of 2748	2668	1431831751.exe	40
PID 2668 wrote to memory of 2748	2668	1431831751.exe	40
PID 2668 wrote to memory of 2748	2668	1431831751.exe	40

C:\Users\Admin\AppData\Local\Temp\0113ac38fe89817af3d2bf03f1c9e68b.exe
"C:\Users\Admin\AppData\Local\Temp\0113ac38fe89817af3d2bf03f1c9e68b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 8]3]8]2]1]3]5]8]4]5]6 J01BQjwwKyouGylLUjpOSEE4KBwqSD1RT01RSEQ8OSsaJ0FBUVNGPzUuMiwvLxgtQkY/NSwbKUhPR0JUQE9XRT83KTMxMh8sTj1OUT9KXE1QSzpjbHBrNCcsa3B1Kz89T0YnTExIK0BNSyZFSUBHHSdBS0Y+Q0U/N28wQk0zTEZMLDItLE1EN0otRDs+Mj07QBgtQy44KS0rKi0dJ0IxOigpHCo+KzolLx8sPyw5KCsYLDwzPCosGCtLTEdBTUFTXEtKRVE7O1Y1Hi5NTUdAUD1MXD1TSz44GCtLTEdBTUFTXEk5SUA3GCw9VkRcUEpIOBonQlBDXkBIPEhESD06GC1HTE5MWz1MR1RLQ1E6KxgrT0I5S0NXTlJaTU5HNxgsTks8LxsnQE4rNR0nUFRLT0FJQFlPQkRBTkpAQUk8QT1SSko8HSpBT1pMTUtMR0xCOGxucF8YLEpDU1JNRkVJQVdSS0NRXD85VU43Kh0nRkhBQFA5LBonRktdQ1ZJOUlEPVdCRkFRVktMQT83Xl5kcWQdKjxLUkhETDlCXkZLNTIxKCoxMSw3MCkpMS8aJ1FBS0Q6LCwvLDIsLS4wMR0qPEtSSERMOUJeUURFQTgvJy4vLTEtLC0mMDQrLTIwMSc8RRwqTzk6RW15ZmdkXSAsXjImLiolUmFqX2lvcCNMUygxJi8gLVooT01WMy8dL10lTG9hYmRrbx0uYTEmLR0xYShtbiEuWykuJi4oKGdhZ2AlP2JbaW4dKk1ORzdgcWxuJDBcHS5hHypjX2NzLikoLSwrXGJrZ2ZrKWFqYWkdL15QdGtPYWlgPmd0ZmpuXl9FXWlbX2JqXWNia2RrdB8qYykyMi4zLCwxLCoiKmRjbHJmaGpbXGpZbGBkYGohLWApMSsvNzErLi4tHytjKy8zMSswMzAzMC5SRVF0TnJfbkk/cChJeDVxRU9FYUhQZ3VLUC9pRlJlMElMRzRJPTFsST1faVFSQDJHTEFqRUw+XFZDQjFEPytjUkBrMEpAYl1VdT8wSEsubFU+LDBFPWNpUTBnbFRPMVVUZT4oXzFPc1xDcmNRL0pnV2pFYFV1aipJKFhPSUBgQ05zXy9FQk1KTjxoP0VNTi5NaVc8SWYzY1lTbG1gUUxp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703607183.txt bios get version
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703607183.txt bios get version
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703607183.txt bios get version
    3⤵
    PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 372
    3⤵
    - Program crash
    PID:2624
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703607183.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2748

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703607183.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
21KB

MD5
6c4f21e464d7a597e4c552b63ad387aa

SHA1
a97aa49ca6afd2d46375005fbd0ece5f578a6339

SHA256
8a26817c0cae599c3cf24dd6a82dc4bd960d157b740f36d531b3649cfdde1ea3

SHA512
347a90c02eaab5c5ac24bd11c4ef6a32b0c1f91ac06d19657a26d3eadd7edc8cdb049e390b19aa331872732e60eec198ea6c0ccc4bdbbd84b0897c4ad59ea1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
41KB

MD5
98b53e69c8b9675d369356560725068c

SHA1
870c5e067a5a33b2e7f240bf4ab0bb249839f0f3

SHA256
a3a4fd590829643e50b8fbee863ac9b192d96f5fef6dab6fc9e66b56c1a651e7

SHA512
fe1b93e28edcb618a4dd19778ba96bfa25d68d8aecfc710d9a399c992b677d075f2e7250bf516a763f737c95c332616b2e4d78c0204295cbd951c75654f7d63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703607183.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703607183.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703607183.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC534.tmp\cgibuti.dll

Filesize
38KB

MD5
7295009ddab65eb29c00dd97964f31c8

SHA1
e03359e9724804974df6767fcdaf46e2abd2bf89

SHA256
090ba52982d0bdff24de1c959377b808fe6418f456a1cf8716bdad7188cd157c

SHA512
a0b03bdf0b08d00c2e81db3aff76fb5307ba44d07e220cbccf8761e8bf0b954f9a2ad473febee006c01bb9db97c1542440c58b83045ff0c908e4268c3fccf165

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
50KB

MD5
5aca47b9d5fc504caa5295167dd32ed5

SHA1
cec256b8fe23d59c1be108e7cf66636018c0f743

SHA256
e549fad6a52135f6671e1db1ab083e4149a49c1e075241a33190a13c47116203

SHA512
8be60b932fdf1302e7f6bb2913c172bf9cebe97352e030339f91cece3019e84751742ae1e39c5e195597684ad4a292311caa1a0a4afb29e43fc9fa18a7a04b67

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
5KB

MD5
0c1984c181c7e87d0195b59b3b8ffe04

SHA1
ff6838bdb2db32f77bd4c9acd01af07e5bab520a

SHA256
fae5b25588924bf8a397c7708dd819cc1678d51e606c0e01b4636314cbd7f136

SHA512
fe1bbb31c1bf2ca87ccd7abaa9671097d2e1ab32f9b87b2f85238c41ac42fdcb6631c8ae2370e3fb2e0b90cdec7b6eb71d6423170038a950d8d6265489241685

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
98KB

MD5
7bfc9c84533346bc66183e95873908aa

SHA1
b6c34c46323c7a4487f746f8bc672c5432b67892

SHA256
d9a1f72da9d16a331fe396fa0170ad6519fe65bce9550885ddceaf8b45ade310

SHA512
58bd2b788dee62b18b21c86c99932058b569f215ba5baa17a955789383b6d563c04dc7a013ae29fd390c2177faf37d11a09f963c269e98d0ecdfc0b806791003

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
73KB

MD5
8a4c392f6805aa57953d062ffdd5cae9

SHA1
d6ec145091ea61c58f4aeab9e164b58ba645d603

SHA256
5c896ac8c7a3a78484827571c674b5d99d910fdbe151205caea0cd0e5ffe9216

SHA512
e6f5b57502352fc36b281d3ca4a16bcd30b58fc47947b8ca495fb5876eda7f63513232e423849eb8b9e5d79111413ddd8b78ac13a6406451a1c64c9a0f10d0c0

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
30KB

MD5
23d87f1bcb43905347baa7affaea4184

SHA1
693bb3593ac17ff4562f1a7e85e43f3f2048ce8a

SHA256
c2e51c0c26a5eeb294e22758d0cd81966d77b9eb3c1483c0f5dd38bcd7d9bfee

SHA512
832ed1381a1ff8269faacd3350be7ba4394f02e8b777ff1ea58c45923e3a2cb89dc0bb709c084b8d11311d33e26e14d6c53cd44193d66613783dbe3dfca553a7

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
132KB

MD5
16d8c2d2d9e98b0836e97008278b5e90

SHA1
59d330d9fec68328b6c85d182a25b52d2134571e

SHA256
3af903b31347bdf671313796db27e7e00f8dd2ddf0aa342c85d1959e79d85a41

SHA512
82068849c44e7287e84ce11986a6179c4486d18250ff1ddfb2bc4b0be2d719c7f7dc4a88edae490d59174b1f5d0c055e8a58987380b57fba1aeadf986870dcbf

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
75KB

MD5
13b34615885ff43d86212cb331e232eb

SHA1
5bee35376fdb65eabb0fa4c0fe58df0b2e61f016

SHA256
9123d3be9960514eeaa8f12101bb6286c9f018025594010e46b845b4fd999158

SHA512
789373141cabe44712f4569a190b64fe50b967ff555e21949931abf9d84bfcdd15da8baa3276b977c3dde7c5ee67f3fffb253f64ae6db90051c884f2ff4f1444

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
84KB

MD5
4616c017536cace53c38b993ec93cad4

SHA1
70ecb6a8fb7600bd4f801666e738d20f93fcbc8a

SHA256
7139baab314815b669790d536cf6eb87e4dcc47b42a5b33c6dccf5d3373ae9ae

SHA512
4ab16303a70a46d4ff763999bd3fbdf2cbda380ebf5cc72465f9dda44fffaa494ece78701c564f599d837ddf819dd22f3301a6a69e2b10cf3f2bbceb77e3fcdf

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
1KB

MD5
37c0fc6e3260f0b34ae0e5a38d9f56a7

SHA1
661be592ea287db034d81dbe2c9aa8add509af90

SHA256
8fe2002aa771e3d1b1c84309fedb5c37ebfa0d3ce617f5aab28f3223770667ed

SHA512
690bfbd1846411324fd302ed6ebd1694419a81f4e04e1fe8a815639d9e91ed4ce640aeb39b683c3557eb98d29296aa179d41a17d495b117d6786075cfc1fc98a

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC534.tmp\cgibuti.dll

Filesize
37KB

MD5
e85750d71754c46b317b54b14bf9b5b2

SHA1
8b3283dd7b05820232a2b1fcfcae4e9ba698d768

SHA256
2af4b067037929333d367ec31a7e30d208a05bd05be409e01e7294c271d45e1a

SHA512
35d22567ab895cd4643246a0844fe3f833894490583f88d62ec4171d79df1bf98387c04fde9ef0eedd6c80484ceea995377835beb0d61f01490af2a575a09148

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC534.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit