2a7f6ee1e55fca9d142098c4fa95434076473afbac670df5d6470e8b28e062af

Analysis

max time kernel
0s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0473fc51b13a03e1b707af05be52ce85.exe
Size

420KB
MD5

0473fc51b13a03e1b707af05be52ce85
SHA1

54a2237368bd796dd9440f58e33dd810caee49f8
SHA256

2a7f6ee1e55fca9d142098c4fa95434076473afbac670df5d6470e8b28e062af
SHA512

76b9891c45920e7e6fd037db975ec77e2d00c6c58747a99880448c3aacfb1aea85fb55df16dc802d36e16076ed3213fd8279b95ea9bec1eb7edb82727736abec
SSDEEP

6144:AsxF0A1oQTKvxMKpfrWaQD3WdYgTdGn6TYGVW9I7tJ9T+x13Z2:5F0woQTy6QrW7KBG68jG7tqLI

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3148	0473fc51b13a03e1b707af05be52ce85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4544	WMIC.exe
Token: SeSecurityPrivilege	4544	WMIC.exe
Token: SeTakeOwnershipPrivilege	4544	WMIC.exe
Token: SeLoadDriverPrivilege	4544	WMIC.exe
Token: SeSystemProfilePrivilege	4544	WMIC.exe
Token: SeSystemtimePrivilege	4544	WMIC.exe
Token: SeProfSingleProcessPrivilege	4544	WMIC.exe
Token: SeIncBasePriorityPrivilege	4544	WMIC.exe
Token: SeCreatePagefilePrivilege	4544	WMIC.exe
Token: SeBackupPrivilege	4544	WMIC.exe
Token: SeRestorePrivilege	4544	WMIC.exe
Token: SeShutdownPrivilege	4544	WMIC.exe
Token: SeDebugPrivilege	4544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4544	WMIC.exe
Token: SeRemoteShutdownPrivilege	4544	WMIC.exe
Token: SeUndockPrivilege	4544	WMIC.exe
Token: SeManageVolumePrivilege	4544	WMIC.exe
Token: 33	4544	WMIC.exe
Token: 34	4544	WMIC.exe
Token: 35	4544	WMIC.exe
Token: 36	4544	WMIC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 4544	3148	0473fc51b13a03e1b707af05be52ce85.exe	23
PID 3148 wrote to memory of 4544	3148	0473fc51b13a03e1b707af05be52ce85.exe	23
PID 3148 wrote to memory of 4544	3148	0473fc51b13a03e1b707af05be52ce85.exe	23

C:\Users\Admin\AppData\Local\Temp\0473fc51b13a03e1b707af05be52ce85.exe
"C:\Users\Admin\AppData\Local\Temp\0473fc51b13a03e1b707af05be52ce85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\nsb496F.tmp\7za.exe
  7za.exe e -y -p"def560728c860273d41c064c5453ac4b" [RANDOM_STRING].7z
  2⤵
  PID:1920
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2684
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb496F.tmp\[RANDOM_STRING].7z

Filesize
92KB

MD5
fa806ccb207f21008ceb86ea9ead20f8

SHA1
76f7f2953a48fdb3fe3654becee1190c78148f60

SHA256
fc1ad0f41aa16e1c5569c3fc11e3875df17e8c1a3c86fbe60f3a505550cadb24

SHA512
77d7bed4717772cb9fb1c1dec44c3bd30842c36c9cf94e487659662d3cef433bd5324049b9a0f9f970f222174674897f2bf72fc90967a48185b778c671edf754

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb496F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit