18365d887a86e0a1639fbec4c4a849bbe74661b3de4dd6588872f2c6ecba0768

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10d18b735360bc7b904c3208f63ba1aa.exe
Size

677KB
MD5

10d18b735360bc7b904c3208f63ba1aa
SHA1

54d33c7db26032b6afb9530493fb24bd73b45331
SHA256

18365d887a86e0a1639fbec4c4a849bbe74661b3de4dd6588872f2c6ecba0768
SHA512

01f36dc0fcfcc47611840883c74db91255ac2f2f3d91c6cbf806489995f8856ded96d994171bc3285bc1bf8c6f6692966ac7d67cc799bef323acdf8dcb434ac8
SSDEEP

12288:FcduDAl5cPU7MtJTMWEIUc4YTcjGnSZBS4vyuDPcMF86YOnJH3:FcdHl7gtRMjIssSZs4quER6pJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2436	1431982951.exe

Loads dropped DLL 11 IoCs

pid	Process
1228	10d18b735360bc7b904c3208f63ba1aa.exe
1228	10d18b735360bc7b904c3208f63ba1aa.exe
1228	10d18b735360bc7b904c3208f63ba1aa.exe
1228	10d18b735360bc7b904c3208f63ba1aa.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2204	2436	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe
Token: SeSystemProfilePrivilege	2348	wmic.exe
Token: SeSystemtimePrivilege	2348	wmic.exe
Token: SeProfSingleProcessPrivilege	2348	wmic.exe
Token: SeIncBasePriorityPrivilege	2348	wmic.exe
Token: SeCreatePagefilePrivilege	2348	wmic.exe
Token: SeBackupPrivilege	2348	wmic.exe
Token: SeRestorePrivilege	2348	wmic.exe
Token: SeShutdownPrivilege	2348	wmic.exe
Token: SeDebugPrivilege	2348	wmic.exe
Token: SeSystemEnvironmentPrivilege	2348	wmic.exe
Token: SeRemoteShutdownPrivilege	2348	wmic.exe
Token: SeUndockPrivilege	2348	wmic.exe
Token: SeManageVolumePrivilege	2348	wmic.exe
Token: 33	2348	wmic.exe
Token: 34	2348	wmic.exe
Token: 35	2348	wmic.exe
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2436	1228	10d18b735360bc7b904c3208f63ba1aa.exe	28
PID 1228 wrote to memory of 2436	1228	10d18b735360bc7b904c3208f63ba1aa.exe	28
PID 1228 wrote to memory of 2436	1228	10d18b735360bc7b904c3208f63ba1aa.exe	28
PID 1228 wrote to memory of 2436	1228	10d18b735360bc7b904c3208f63ba1aa.exe	28
PID 2436 wrote to memory of 2764	2436	1431982951.exe	29
PID 2436 wrote to memory of 2764	2436	1431982951.exe	29
PID 2436 wrote to memory of 2764	2436	1431982951.exe	29
PID 2436 wrote to memory of 2764	2436	1431982951.exe	29
PID 2436 wrote to memory of 2348	2436	1431982951.exe	33
PID 2436 wrote to memory of 2348	2436	1431982951.exe	33
PID 2436 wrote to memory of 2348	2436	1431982951.exe	33
PID 2436 wrote to memory of 2348	2436	1431982951.exe	33
PID 2436 wrote to memory of 2612	2436	1431982951.exe	35
PID 2436 wrote to memory of 2612	2436	1431982951.exe	35
PID 2436 wrote to memory of 2612	2436	1431982951.exe	35
PID 2436 wrote to memory of 2612	2436	1431982951.exe	35
PID 2436 wrote to memory of 2872	2436	1431982951.exe	36
PID 2436 wrote to memory of 2872	2436	1431982951.exe	36
PID 2436 wrote to memory of 2872	2436	1431982951.exe	36
PID 2436 wrote to memory of 2872	2436	1431982951.exe	36
PID 2436 wrote to memory of 1940	2436	1431982951.exe	38
PID 2436 wrote to memory of 1940	2436	1431982951.exe	38
PID 2436 wrote to memory of 1940	2436	1431982951.exe	38
PID 2436 wrote to memory of 1940	2436	1431982951.exe	38
PID 2436 wrote to memory of 2204	2436	1431982951.exe	40
PID 2436 wrote to memory of 2204	2436	1431982951.exe	40
PID 2436 wrote to memory of 2204	2436	1431982951.exe	40
PID 2436 wrote to memory of 2204	2436	1431982951.exe	40

C:\Users\Admin\AppData\Local\Temp\10d18b735360bc7b904c3208f63ba1aa.exe
"C:\Users\Admin\AppData\Local\Temp\10d18b735360bc7b904c3208f63ba1aa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\1431982951.exe
  C:\Users\Admin\AppData\Local\Temp\1431982951.exe 2!0!6!2!3!9!1!7!3!4!2 LVBDQjoqOCozHC1RVTxORjs8KR0rTENUUU1PQkg9Oi0eLURDUVFAQzYvLjExNBotQEBDNi0cLU5SSUJSOlNYRkA7MDEvLzMXLkxCTlRDUllTT0M8YXFwbjgvKXFvbS09Qk9JK1RJTio4T0krRUxETxotQENIPEhFQjsgKUIuNCwqHStCMD0nLx0mQyw6KS8eLz4yOiQwGSxAMzstKx4sR1FIQVFBUl9KUEZNQDxWOR4tUExNQUxCTVxBU0pBNx4sR1FIQVFBUl9IP0o8PBksQVZDX09QSTQfKEJUQ11DR0JJQE0+OhwtRk9NUlw5UUhUT0NQPSoeLEtHOktHV01VWVNPQzwZLFJLOzIaLUFKMDYdK1BTTk5HSjxeUEJIQU1NP0dKOEY+Uk5KOyApR1BWUU5LUEdLRTdyb2xkGSxOQ1JVTExGRUZYUk9DUF8+P1ZKPCsdK0ZHRD9WOigfKEZPXUJZSD9KQEJYQkpBUFlKUkI7PF9eaHFjIClCTE5NRUw9Ql1JSjsuLzgnLy0wLDEyMyspMSkdK1JHTT87LisyKjY1LjA1MR4sO05QS0hNP0RZUkZERDYyKy82LywuLiwpKi42LjI6KzUnR0wZLFE/O01peGZja1oiLmQyLiopJVpuZm1dcmdiZmMiKmEkSk9HQysxLC0cMlsoU2dsZGl1cCJNTSgxLC8pGi1SSUs2ZXBybiUtXyIpZR4vYmVjdCssLSgwKmFhcWdnaCxmZWVoIi5kUHVoUmZkZD1sc2xqb1tiSlhtWmRhcF1kX25pZngeL2IvMjMrNzYnMS8tITBkZGl1a2NuWmFpX2xhYWNvHDFfLjAxLzkzLi8tLx4wYjIvNi4wMCw2MTQ0VzBSb1F3THdIamcvSkQ/cktKQWBMdTZyTD1xcT9sYDVIQS56RmhCXVljVmxHa1ZkX0RFcVFEVmJMbC9qXig3Z1cucnNiUGppUUY/dUR3MjBSa2VnR0x1XWJBUW5XQThoRVA1WFhtYWZKY3duRnZAZFdlZTNIMXFUTUZDa1RqMmZZY1Zt
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691302.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691302.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691302.txt bios get version
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691302.txt bios get version
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691302.txt bios get version
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703691302.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703691302.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703691302.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5B2B.tmp\moclzax.dll

Filesize
158KB

MD5
2b49c710800a90bf9f506ca581deba8f

SHA1
a4bed38d25b8cfbc193429577471f660f0e5193f

SHA256
87addad217a726e54a71fd4bfd4e6fe5e9075e17bafa764f509f850166a13e3a

SHA512
0acb598e2ae5d8bc421680d70ba19bef605dc68c1f8bf0382797d9a90efe275d51cc91b4f7ae26b71e840dc332142de3fc567b174273237a716d674655c1583d

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
1021KB

MD5
8641516922b21628b27d060ae93f8455

SHA1
456d07b5a24ed1f789d341de19f428783e5f0845

SHA256
137ab8390615e177dcfb645c562f4507a3721d3fde6a513a9affb96d27ac7b80

SHA512
d80f3f7f34f419710e4db8ef977246b5a05945225d89dec66678790c1cc3815758a73d66b3b1f81bb4f9c7bfba3955c18af9936592e5258e56833b16fad0c9f3

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
947KB

MD5
df99304e08329b93e7e86f03673b64d6

SHA1
e51979454f2bfd14386a0b40fc6a4941aa932644

SHA256
cf7d12481f899713a367aff178dcefb9fd94ea4948f0399ba96f4d89f0ea0fef

SHA512
8f167b32537fafed5371ab2ca4b5cc7cdc9b983562e40291d744df667d5133c36f82bd4a62367de697f31a10d4a3b7a9f076645ccc0b8a0b07538e3a7dabe3fc

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
959KB

MD5
68df0a5f92588befe850e5f6a81eb835

SHA1
ddd35b3b516c26f2b89828439abb50edbc3d4ea2

SHA256
2376951c80bacbc9fb1f93cf8bfefb7ead8e1e9616b2bf7cd564c9db116dfe3d

SHA512
8dcea66cb77aa6578c479cccf3a6231101f8a94e8ecf6fb57bf4ff714f54d5948f48a94d424df3a86c9daf0a89f98868cc9cf84f9a6cf060f8756afe2bd593a6

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
755KB

MD5
24071145d712dca0cf5172f936441d35

SHA1
65c5fd567ce25bc9807cb2a8e5aadd153420310e

SHA256
e55e44e21e48a4d2950aa185ab2626735e8c72553d26420c1172f639afb0b2ad

SHA512
fe01208bec239c108605a139a527b5dcd0af99ac9b9be60cfdd15456cd50354f6dc021aee33466ce090c8488d2b16ef893226bc63e2f4d6b652fecbb84fab4a0

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
599KB

MD5
4acaf474c4589b2e586652159292cb13

SHA1
22c8b5d6e9157a6a9f1370d13a2a8d4cc90566ff

SHA256
420f86608a2b586a07a00fe0d9511527435f0be77c18cfd01e980dfa6e704b3b

SHA512
42701769c8c4b92b7f039d7db81a3679fdc4e022b35d04d0ac29b7960c7096e86c6f93b5e48a50110147f04cbc57d5b726ead2d16da52674a0f189e56d28ee4c

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
595KB

MD5
279eb0e94d4640401576d696ecf1e30d

SHA1
ce707c382e54e9c0d23ec1ce9d0592ab4ecf37ca

SHA256
2080c44b7de2dbd5bc1c4849a4e570a8c464c98d04a993bfaf4df178012e9ad3

SHA512
e3efe70fbd3f36218dd8c6260c6dced96c00dfed66bcc8f7b05ec9faa166b1d5b392eeb5e7cc134949d2327f89c84bbef3327c8b367d983b6ae2a5687ab18a9f

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
518KB

MD5
74abe36c2cd4c295ba18a2c8f3159136

SHA1
cbb70aa05ff29aeb40b9dad9003231f376a3b8bc

SHA256
455b23baeeee48ffa22c86cfbe28422be0d094cc8f41f611591374329f1211a2

SHA512
39094cbcd06d1553eefa903c454dd1ae9cc6a334b1494f6dcfee59512a4b51a84508792b59919f298a494b680ee4c1ce0780f5aa3c4462b5b37b0b81a198c43b

Download Submit
\Users\Admin\AppData\Local\Temp\1431982951.exe

Filesize
520KB

MD5
3d64029ae5742a2a07b742c84d9b7420

SHA1
325225a4beb2d97bd74ad9d99827540d18b58676

SHA256
d2b483556097c020ab3c9bdbd8fd1e71daf82487361978bf75ac4e826f2e1679

SHA512
33446612dc53f7dce82dfa15fd9c53b9f65e84d3424dd6f1cce4aad3c456f55f63b254546b3ee1e8aa4a5df8e9cdf3d981252fadfa90c60102f8dbfac69b0577

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5B2B.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit