38d4d9602810dac11dae56b544c8643946ddbc6294eb53d9424c605c3deaa7e4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

039dd9394e2a0501e3930ca5c2252b39.exe
Size

677KB
MD5

039dd9394e2a0501e3930ca5c2252b39
SHA1

122384e9f67f58f0a9dab0344d2410875d9f268f
SHA256

38d4d9602810dac11dae56b544c8643946ddbc6294eb53d9424c605c3deaa7e4
SHA512

c4385e0f3d629887e19b7ac3b52ff3313c03b79d2c9c91f3fa443ae8d1c67c75aea4e84d0b399cdd06b475586048738b12979120d115ca62b954c04a251c40a2
SSDEEP

12288:n7FkxxnYNxh6a5HYLeViPaQ+o8/GYpXdO2zcSHnPMepV8xAwKQs5ZYnGKrOZ:n7FaFYNOSYuiPadoYGYJ82RHPMDo5ZYS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	1432026082.exe

Loads dropped DLL 11 IoCs

pid	Process
1428	039dd9394e2a0501e3930ca5c2252b39.exe
1428	039dd9394e2a0501e3930ca5c2252b39.exe
1428	039dd9394e2a0501e3930ca5c2252b39.exe
1428	039dd9394e2a0501e3930ca5c2252b39.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3048	1748	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2624	wmic.exe
Token: SeSecurityPrivilege	2624	wmic.exe
Token: SeTakeOwnershipPrivilege	2624	wmic.exe
Token: SeLoadDriverPrivilege	2624	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1748	1428	039dd9394e2a0501e3930ca5c2252b39.exe	28
PID 1428 wrote to memory of 1748	1428	039dd9394e2a0501e3930ca5c2252b39.exe	28
PID 1428 wrote to memory of 1748	1428	039dd9394e2a0501e3930ca5c2252b39.exe	28
PID 1428 wrote to memory of 1748	1428	039dd9394e2a0501e3930ca5c2252b39.exe	28
PID 1748 wrote to memory of 2744	1748	1432026082.exe	30
PID 1748 wrote to memory of 2744	1748	1432026082.exe	30
PID 1748 wrote to memory of 2744	1748	1432026082.exe	30
PID 1748 wrote to memory of 2744	1748	1432026082.exe	30
PID 1748 wrote to memory of 2964	1748	1432026082.exe	33
PID 1748 wrote to memory of 2964	1748	1432026082.exe	33
PID 1748 wrote to memory of 2964	1748	1432026082.exe	33
PID 1748 wrote to memory of 2964	1748	1432026082.exe	33
PID 1748 wrote to memory of 2624	1748	1432026082.exe	35
PID 1748 wrote to memory of 2624	1748	1432026082.exe	35
PID 1748 wrote to memory of 2624	1748	1432026082.exe	35
PID 1748 wrote to memory of 2624	1748	1432026082.exe	35
PID 1748 wrote to memory of 2652	1748	1432026082.exe	37
PID 1748 wrote to memory of 2652	1748	1432026082.exe	37
PID 1748 wrote to memory of 2652	1748	1432026082.exe	37
PID 1748 wrote to memory of 2652	1748	1432026082.exe	37
PID 1748 wrote to memory of 2664	1748	1432026082.exe	39
PID 1748 wrote to memory of 2664	1748	1432026082.exe	39
PID 1748 wrote to memory of 2664	1748	1432026082.exe	39
PID 1748 wrote to memory of 2664	1748	1432026082.exe	39
PID 1748 wrote to memory of 3048	1748	1432026082.exe	40
PID 1748 wrote to memory of 3048	1748	1432026082.exe	40
PID 1748 wrote to memory of 3048	1748	1432026082.exe	40
PID 1748 wrote to memory of 3048	1748	1432026082.exe	40

C:\Users\Admin\AppData\Local\Temp\039dd9394e2a0501e3930ca5c2252b39.exe
"C:\Users\Admin\AppData\Local\Temp\039dd9394e2a0501e3930ca5c2252b39.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\1432026082.exe
  C:\Users\Admin\AppData\Local\Temp\1432026082.exe 9]3]7]2]7]9]3]4]1]7]7 Jk1CQjYqLS4xGShKUjtOQjs6LB8oRzxRUE1LQkZAPCkZJkFCUU1AQTkxKSswNBktPEBBOS8ZKEdPSEJOOlFbSD02KDMyMhkmUEFRTz5JXE5QRTRlcHNpMyYsbHBvJUFBUkQmS0xJKzpHTSpIRz9GHShBRUBAR0g9Nm5MLlE7OU5IQ00qOkg9RUI+UkFJTj1GShktPSg6LzUuLSwvGS09KTopMBkoOzA2KyoXLEAzNiYoHShCLjQqLR8oSUlMPVM8S1xMUUJPOEBSOxkmTU5OPU46UVhDTkM+OR8oSUlMPVM8S1xKQEY+NB0oQ1E8XFFRRTYXLD5WPlZASUNFQkVCNh4oP0xPU1g7SUxQUT5JOi8fKE0/PkdJUkZSW1RLRTQdKFRGNC8cLj1MKDoZLUtMS1BIRj5WVD5KPEZKQUhGOj5CTlBFNB0rSExYSVJHUkJEQjlza25cHShQPktSTk1CRz5cTlE+SVxAQFJMNC8ZLUFAQUFXNioXLEJRWDtWSkBGQjpcPkw8SVZMUz49NGNaamxcHStDSFBFSUg/PVZGTDwxMiUuMDYnKzMqMSosFyxNR0Y8Oi0zLCsnLzIxLyodK0NIUEVJSD89VlFFTD42LCwqNygpLS00IzIxMi84KSonPUwZKEw+Nk1pXG9dJCtfMCsxLiQfVGVtXWhucCRMTSIyKjAiJEdvXnFtZiIuZSsnKC8nMTEvKFJka2xgbGcjK10uLi0qLxcsTlBFNGVwc2keKl4eMF8cL2JmXm0oKykvKihhYXJiYGUrYmxfZiIuZUtuZVFia147bHNtZWhYYUZfZ1hkYXFYXVxtZW1yHC9iMC0sKS0rNywtMiExX11mdGdqaFhhaWBnWl5iayMrXS4wMispKTYsNC4cMGIyMDAwMS8wLC8xMVk/LmtIPU8uWWdrcUU8J3NBLyknSWVucEdgNWJYc2ZuSHk6cEBEcDREOkdiS2NSaklNQ25EdjRkUjwnM0NnaFtWPy8wRGBoYlZzPC9GaGBiT2dGNENKLWRYK0NjVUBuW1gvRTBbKzl1W2tkW1UuWWdSPktlVnNndE9CcUlHQjtNSzw/TEtjcTxMKUw9SVNFOEtlOT9MQ1JbV1IwbVpxUm4=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703624674.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703624674.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703624674.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703624674.txt bios get version
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703624674.txt bios get version
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
149KB

MD5
f9acab040bf3e4409c8a4591f5a97227

SHA1
66c718726cc52c1f5c49a1d48b370466314fb3aa

SHA256
111ad1069484424c58951f478b1c11053205869c2bf5aeeacaa373cd5de97a91

SHA512
5223fee1317ca4edd2ce2bd26f783c54303f108c3c12497e08de8b3ac5f67fa06a582855b6a929ba32384bff4149b5ec219fe4fe5e6c9e0bd4c36c8328213639

Download Submit
C:\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
75KB

MD5
d716482d13ad0e62647d05a149eebe5b

SHA1
f41be6c3e210f2a96c97a13a86430912c91383af

SHA256
21564607874164838aca02bc9928df828a1ec10097b7e21c5d573c03a2d3bdce

SHA512
bf33b2bf45a0285d587a7d2eababf84cbe8fd18b9922ff94e4fe2a61c85f3633880ccf857c8850524b421753fa7893852f9a589c19ec6b9abc7bccfd5cfd26ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703624674.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
483KB

MD5
3208c3b39b64ce63759c9a9b1caefd1e

SHA1
770761b71d90ccc3bb2a97864af39b2e0ded984a

SHA256
296b2f59c25d2b19311a05a096739e14d67843e366dcd723ea6a965863998e21

SHA512
592bf9505771620527017e86e79d0e8adcde1cea84d635148bcdbbf45318640a693d5ab4ee3b0f7b1814f18045ad50e411e27a3ee256045cdc8f02a8a360c602

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
227KB

MD5
f34d7bb1fb973ad993b4707715b27ae6

SHA1
791eefb14f795562029375a35b3375d9813decd3

SHA256
e9daabc54daa2571518afdfebb806c95c5b348a9ca54f87ccb3507e2c7f712ca

SHA512
f681f9ab64f1dbfd43377e2b0f3a93bbe0b6a9ba591e0814a83926df3608bc5dac5844c0169f21b67b0f06045d3317821095524e4f941cf9be779700677b7de4

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
242KB

MD5
60c445f63bcbcd2691a4e3be8789b1c7

SHA1
8642f8c02bfedddaf31ba3c1ff1f68e493ecbd38

SHA256
ee1babd0f898ac1093476985589bdf0e5cc28cb0409b9f2eb88be1a85ecbada2

SHA512
89e4bcb2778dc7c566ed4a7e776a61d06454063d035bc1cb1c16179646ad472999e296d59cd9eb5049560827d8884a40187167b2c3ed91004cee647328326c32

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
455KB

MD5
fd43acc799b9fcd249c88c8e8e39b694

SHA1
8941676a1b34b355f0e47767251c7ce17e965d95

SHA256
d3d137814b771c8234800d4e8c14ebaff077a15de6d30d302cb869d9f7a203ac

SHA512
9a1069f1181ea0d31208c983ec90cf3d92353f5afbd2a5125c6ae44dec8aed67cecffbf3716f54938bb15744d19bf980cdf0aaf58c5dfb6331298a4c26f8389e

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
581KB

MD5
9e8a2bed439fc1959dbedebbe26a8876

SHA1
5b2d6ce636c1c06ae2dec3bf386b2f54573fff5f

SHA256
d68eaf2762384cfc858c5344f705608a576f05733a634f715cf61453a9f170f7

SHA512
c7044047ede7ee6e98995246ef8add5a838c4ee58253ffc6518b82272f60707ff32cca3237dbf28ea76bce26106141efbd17187b35bd43dde8212abee2daf45e

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
531KB

MD5
4304803887e442444f4e4e65791ea204

SHA1
d01a4222aa0fd451e0b4a43e4e65e675522159c9

SHA256
e8a3af61ebc79d1de13cae80a9f4c101d32c5076f9c9f48f899c55cf54b6fa2b

SHA512
3dece47b42daaa021377422768ec11d9f91edf5c1366fea0826159bc08d9780d9fe1fe30afe31a33d12b2f0b23de2d2c8c7e82785f9d8973fd1e2ba39a14d0c7

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
486KB

MD5
f61c82d89e882edf6a233d65d7fd3e71

SHA1
db39765ff8e04affeccf552e8b02a6ecad345892

SHA256
9ede3ddbe5cf55f9de6aa8dccd2eb97e7b0d59cc65a19fd05ac5763df3643e8b

SHA512
d32c8041238e3aefacf6900d858569fd40353a075c4cc22c46ab8a019c2f210c12cdea475c028c958792b3728220a9f2d715f4ca3f8a733e4b6dd098cfac11e5

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
484KB

MD5
c03e6cf35a8311bd19a7fe6109321153

SHA1
39382433a9f715edd3aac765561d991ad92de7a1

SHA256
79b71549f4ed39f391b7490495f640c7e6caee6ad56b04d5b1a5d9080bc0ba0d

SHA512
60ac95a1d4575a081cab4fbbd730c75437c763f3b102bf79535c752d88bb89b2725fcaf67579365362829c95af9fc16945cbed44b72057ae3ef4f03d4fdb9c0b

Download Submit
\Users\Admin\AppData\Local\Temp\1432026082.exe

Filesize
363KB

MD5
8f1f48305a1ccd256a54391a0077c6da

SHA1
ca7a459d09cf0e403d46ace4f2ed12236592d98b

SHA256
35384fd0078b28776fbd26d069fa050b35f9451abdc592d0f21410a928fe5c60

SHA512
fe6f751b3937142e3ffe54160dcd9f09dca74d09fe1938da1d733ca0519438d8fbec40e5d4fcb01fc986d1fe85b9355f366b7a0536d26c78d499116f17d40289

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF0F.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF0F.tmp\qpderpw.dll

Filesize
158KB

MD5
704dfc3222f6734fe248d96c42aac826

SHA1
0348ab95aa6268554f35b9e1c9be3192c6ffa7b8

SHA256
416f599582e7d5e1a92938221cb8d7abb93593fea0907ab5884d549a3d5e6818

SHA512
e48c9ba9c819ce6c60e48379fb70dec4751c15b30ed3baccd7b376757b47b00c414a4e84cbc1fde83d8d8c7b57f0b1bfe7dc5463a256dd6a99deaae3bef380d0

Download Submit