Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 06:25

General

  • Target
    0b7849588a8ca67008091f0c574b46c9.exe
  • Size
    577KB
  • MD5
    0b7849588a8ca67008091f0c574b46c9
  • SHA1
    7bbea068c09512b9ece4365f74641c9de043745e
  • SHA256
    22dd74a237e8dd14926a4c906e63dde625189d5c42ac325f4595b23a5c90ddd5
  • SHA512
    9f41ec4a268041d04af53bcde6261b08bfd0703ce96fa186284f00bf47bb5803bc3223630d0203981ee0dd20ac251eba5d0d1c9a990783d2befc6d8f9ea91e52
  • SSDEEP
    12288:44PNDb45JtN3F9vnodYu619LdioSBvXfdiwMKDiEKxSiSXyt7VlWuZcEJYc0u:44Plb+fNV9PoOnIvXUFKDiP71t7XvZYk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b7849588a8ca67008091f0c574b46c9.exe
    "C:\Users\Admin\AppData\Local\Temp\0b7849588a8ca67008091f0c574b46c9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\AppData\Local\Temp\1430636522.exe
      C:\Users\Admin\AppData\Local\Temp\1430636522.exe 0]3]6]0]1]3]9]5]9]6]8 …
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526590.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526590.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2928
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526590.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526590.txt bios get version
        3⤵
        PID:2564
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526590.txt bios get version
        3⤵
        PID:2100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 372
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1624

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\81703526590.txt
    Filesize
    66B
    MD5
    9025468f85256136f923096b01375964
    SHA1
    7fcd174999661594fa5f88890ffb195e9858cc52
    SHA256
    d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
    SHA512
    92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

  • C:\Users\Admin\AppData\Local\Temp\nsy512D.tmp\dsvfr.dll
    Filesize
    126KB
    MD5
    c77a97b9a08e2e742170cc1aa7c2fcb1
    SHA1
    98d637e1f3cf0fdebd74bf821aaf43bd42590a06
    SHA256
    e9f06c5e19f0682473abc1f73fd7c400dbb0d79124c161f4f863a2be7249ac72
    SHA512
    f73d8ba2dc2bb0707edbc0ba1fd9b89742fc91f787c5c58f9243dad42a2de64d655bd34068d3a92a7630810249f3fdeb389b2318a3d1482f29b5ce79e0fbc575

  • \Users\Admin\AppData\Local\Temp\1430636522.exe
    Filesize
    764KB
    MD5
    194297c8d158d816e824da6605a295ed
    SHA1
    c31ba452cfa3c98aefedc1ac176303eb8320750d
    SHA256
    6176ad768f4f2a5bed57f5387f999a061ef85472c3522ebbb54c0b35858c59fa
    SHA512
    f37c17d9a212c3c53ea1e55419de18c68986faabf6eaeb1c20a18ad1f45f728a16b3a1ce5d10fe386c5b8fc5df31442a8f11ac64a417edc202ca546cb233aee4

  • \Users\Admin\AppData\Local\Temp\1430636522.exe
    Filesize
    374KB
    MD5
    da10b728f7d0493fa436be93c013f92c
    SHA1
    9ff7261a967e43249d5795018aabe3a7aa8b94f9
    SHA256
    b007b3076123c6a89d7dc8adf53518c067f84d0ca39844738c6cb61f0b3c80d7
    SHA512
    d39c3cbd3603e4273084ebc55cbc59aa6c4ef344182aaccefbc96c0d2440362f587a361d04ec992ed863094360e088243b3931925f06de42205e2e3494c2690c

  • \Users\Admin\AppData\Local\Temp\1430636522.exe
    Filesize
    65KB
    MD5
    e1306a3e6ae81c6369a7991287c2060f
    SHA1
    2603238297f07f9a7e119d3512c5136522499411
    SHA256
    7d835292ed6753a0217b7effb5f3dffb70fba5c3b6f2972c2ddb729dce94e5c0
    SHA512
    c31973572b2a38eb876424c06871f4db12f7215035ee4daadc3c3452804318e9a5517416290c2f635971d30fe3942cde2b15d8886adae2a133cf179f56d2f7da

  • \Users\Admin\AppData\Local\Temp\1430636522.exe
    Filesize
    64KB
    MD5
    45d5d2a1683bca226372995121fd8eef
    SHA1
    2fd9467b5427ecf56ad474f1c2dc9d7a558f86b3
    SHA256
    7b8120e29848ab1a1a395cbb6c037e4bc617c71ada4d3779afdf1902ed5b8fbb
    SHA512
    eea4f9b50a69d082403b80a5dca0b213cec8b612f7b70a57c546c8e9025e8027c0764a40ddc576b072a3ae34f77c6e4fefa97f3065a6e63adb61c73e4873e5ea

  • \Users\Admin\AppData\Local\Temp\nsy512D.tmp\nsisunz.dll
    Filesize
    40KB
    MD5
    5f13dbc378792f23e598079fc1e4422b
    SHA1
    5813c05802f15930aa860b8363af2b58426c8adf
    SHA256
    6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
    SHA512
    9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5