132184d7a7170651184c857770d3715b795f028b7d557897c01690ec772b819c

General

Target

096587a69bbfffc41bb9cfae92da9c7c.exe
Size

581KB
MD5

096587a69bbfffc41bb9cfae92da9c7c
SHA1

28596c9a02c494f5a7de2af6ae272f0126853621
SHA256

132184d7a7170651184c857770d3715b795f028b7d557897c01690ec772b819c
SHA512

8b1cf05b0c32d2c4838fcae5e4cb0e6ee26aa031c10bb169bb965275dfe0047112900721e4335561305ea17cfffa8a47106f1627ece179714dc45bd5a556c5f5
SSDEEP

12288:FfC73yJg1PYuWJp9f++3QLa3nL0lqLbt3nQgfGA2reW4AfAcktWTEmm:Ffwug1gxfZ3QLKniqN3nQgf6rH4ckWC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
868	1431842551.exe

Loads dropped DLL 2 IoCs

pid	Process
4328	096587a69bbfffc41bb9cfae92da9c7c.exe
4328	096587a69bbfffc41bb9cfae92da9c7c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4260	868	WerFault.exe	23

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3172	wmic.exe
Token: SeSecurityPrivilege	3172	wmic.exe
Token: SeTakeOwnershipPrivilege	3172	wmic.exe
Token: SeLoadDriverPrivilege	3172	wmic.exe
Token: SeSystemProfilePrivilege	3172	wmic.exe
Token: SeSystemtimePrivilege	3172	wmic.exe
Token: SeProfSingleProcessPrivilege	3172	wmic.exe
Token: SeIncBasePriorityPrivilege	3172	wmic.exe
Token: SeCreatePagefilePrivilege	3172	wmic.exe
Token: SeBackupPrivilege	3172	wmic.exe
Token: SeRestorePrivilege	3172	wmic.exe
Token: SeShutdownPrivilege	3172	wmic.exe
Token: SeDebugPrivilege	3172	wmic.exe
Token: SeSystemEnvironmentPrivilege	3172	wmic.exe
Token: SeRemoteShutdownPrivilege	3172	wmic.exe
Token: SeUndockPrivilege	3172	wmic.exe
Token: SeManageVolumePrivilege	3172	wmic.exe
Token: 33	3172	wmic.exe
Token: 34	3172	wmic.exe
Token: 35	3172	wmic.exe
Token: 36	3172	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 868	4328	096587a69bbfffc41bb9cfae92da9c7c.exe	23
PID 4328 wrote to memory of 868	4328	096587a69bbfffc41bb9cfae92da9c7c.exe	23
PID 4328 wrote to memory of 868	4328	096587a69bbfffc41bb9cfae92da9c7c.exe	23
PID 868 wrote to memory of 3172	868	1431842551.exe	22
PID 868 wrote to memory of 3172	868	1431842551.exe	22
PID 868 wrote to memory of 3172	868	1431842551.exe	22

C:\Users\Admin\AppData\Local\Temp\096587a69bbfffc41bb9cfae92da9c7c.exe
"C:\Users\Admin\AppData\Local\Temp\096587a69bbfffc41bb9cfae92da9c7c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\1431842551.exe
  C:\Users\Admin\AppData\Local\Temp\1431842551.exe 3/7/8/9/8/0/7/2/8/3/9 LElBOzUxMTcsLRcsTE05SEk9OygdJks+TE5HUkRHPDooHSg8QEtUQkI1LywtMioXJ0NCQjUtFyxJSkY8VTxSV0Y7OissKS84GS1LQklTPkpWTVJFO2Bxa20zJyZrcm8sPEJKSCZMRkgtOk5IK0BLP0cXJ0NFRztIQEE2GCY8MTYuGCw7LzYlKBgvPTE1KigdKDwrNS0qHidBLDomKRcnUEtNPFI6UVhISUFWOkFROhcsSUpGPFU8UldCTEk6NRcnUEtNPFI6UVhGOEVFNj9cbFliHionPmxacWAiKS1JZFhxZWseJ0JPQlhNSUQ9YXJsbTEsKFlnaHNscllxYGArXlssc14zXWolcCwmWGVhc21mXm5wJ1tmZS9ibGtxWGllV11kYWxmV21jXnJdaVcxLF1oaWxkYmYlXXheHidCT0JYO0Q8TEJMPToXLEFHSkxfO1BHVEpCSzUnGC9NRjlLQlZITVZNUkU7GCxNSjYqFydETC81cidNOixfcGJDZCxiYTVgUllddG1AKzQ6Z05cZV1LcDEsXio0L2hFUXUybUdnJ0suaDlANDp0LkRkTFNuOF9WKWRZMm9SaykpRlBTKypSO1U6aEJmLUFLMGU+TE0/L0I5R3Ila0VObVxKPWo7MSlDa2EuWV8vTSltSlRLb1JILSxMXHFpZi1lUHBCa0ImWFs/YEpxRVZIWlE3ZWRQNitkS0VPRmxbdXBNKStlQmtJK0BuQC9gZS8tRmBFaVZQZCtoX0xHKUJvUllwcnJfTWhMby9AbGdjXyUmIChQTUtLRkY9Vk9FRUFHSjxGRjk+PVVLSjUdJkZMV0lNTk1HRUI0cWttXBgvS0NMUklLQkY+V1VMQ0pcOz5SSzQqIChGQUE8VTYpFydJTF08VkU+RkE6V0VHQUpWR1E+PDReYWVxXR0mQUhPRURPOkJXRkc6Ly4lKTArLDArKDAvGCZMSUZDNS4rMCowLCwxMDEYLDtMUEZDR0E9XUxGREI2LSYpNygwKC4sJzIyKC46KjEiPkQdKE04NU1oeGFpY14eKl0tLikpIFRga11nbmsrR1IjMyUuHitZI1RrZ1xiZXEeKl0vLikjK18ib28dKlkxKiwoJiJpYmNcI0deYWNsFyxOSkM1aG1yaCIqXh4qXR0yX2VdcSgrKSkoKWRecWFkZStiZl1nJStkSnJlUWJlXDxvcGxkbFhhRlllWWdecFdhXG1lZ3AdMl8vLDAoNS4sKC80HjBeLiswKjAsLDEwMh0vXS4tKygwNS0vLzEcMF8uMDAwLjMwLy41LFFNcHNNeEFzRS8tKkJMVXNJcWRkVXNfaEV5ZHZEdjlnR0xAbkxMNipFKVYvQ28pb1xraGNZVD9sUWQ1Z1Y8UzxeZ0JkWW1hWFFQTUJQTyxbWWUvb0UodG5GcFtlTnhgdEJCLS5DP1ZyVU1HZEkrOmBGbTtRUC4wb1s9QG1NY3JnUWN1a1AnQnZGdzFgQndOblg9dE1gPENtUGZNZkxDLm1ILUBvSFBQcFFmVEZSKTEeKllRVSltUmludFw+RWpLTDdBTyhGbURNOThPaGhsSkRgY0g9MHNXcjZFUU0wKEpEO0VcQF9tS2MwbFg/Px0vXVZNZ3FERT9xUWYsV1NMPT1LQDdGUmJ1cE1iX3pFaUZfWi9xY0NlWkphPWVrTExOWFBqKmZLMD1DUT1nSlU9amdWY0IsQylKUksuUkNZaS5yWk00aUkqcTxWZF9rSTJxQEVEOWlHSy8xWClia1M9Q2VDKWBsTWgsbElFQ0lOZkZyYWVTR1UpbG9Fai5yWURFY0RxXlxYUWZfYD5takZkOnhba1thRC5wX0JlUV5JZUtZVytgcVptMlhbakFfRSo5WkxBTF9KPS5rQilrd0REYGlQVU9pUWQ5cF9xcVtXZk1jRFc/ZlpEb3BRZVFiVitYZlU+cWZPPmBwUDE6YVppaGtCKTFpWEBHX1ZAUWxRSEdiQkModVopa2NZUExoVT5TY0ZhZGhaVGRhQi0/Zk5QRmFHKC5kVEE+Y1pTP2NSL01hWilrY1hNL1tVKWFgUGNcalNqYG9YQ2ltT1BKbl87S2FUZlxsR0Mp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703522772.txt bios get version
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703522772.txt bios get version
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703522772.txt bios get version
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703522772.txt bios get version
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 948
    3⤵
    - Program crash
    PID:4260

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703522772.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 868 -ip 868
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst42E6.tmp\nraigbw.dll

Filesize
153KB

MD5
fbc2f25eece1f6307c2988c4e34d2e30

SHA1
a1bf3b628c671cbb1528122e554086e851ff8073

SHA256
01ac6332290592c8d229fb2a650c7ce6fde6a3fe40025045adafb76b718cf140

SHA512
d54f8f2bcf2183c448e336543a592f318b91cd8563a2fee436d451d82640fec1fe0927a807e505664c31b3502766cb71bc7628fa6a0b351fb271b1fa13f2909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst42E6.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit

Analysis

Sharing