f0d3cf1646d28ba43be8c3b8e4ea75a6b79dd213bff0d8290f2e87afd51e1a49

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

163678e33957c8c97d647d6d6cd4716b.exe
Size

633KB
MD5

163678e33957c8c97d647d6d6cd4716b
SHA1

2b9aa1129cf0907bf5c4119bb30760a637544eca
SHA256

f0d3cf1646d28ba43be8c3b8e4ea75a6b79dd213bff0d8290f2e87afd51e1a49
SHA512

47b143b315f66a71e97c2de6bc4403cf484ecd32d3d21c42f75cb0c22dd30854c9f36d17f49b9005f2b17bf1fadaaba16570db4e2b8f501d7e2df90901a61618
SSDEEP

12288:lxLXEJV4XMYQeVt140lfOXNQch/7PS14Hb65D1Tfbrni7aWuZcEJYc0n:lxLIV4XMYh14Eit/7R765D1TfbDgavZ4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1804	1430730120.exe

Loads dropped DLL 2 IoCs

pid	Process
748	163678e33957c8c97d647d6d6cd4716b.exe
748	163678e33957c8c97d647d6d6cd4716b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4556	1804	WerFault.exe	24

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1784	wmic.exe
Token: SeSecurityPrivilege	1784	wmic.exe
Token: SeTakeOwnershipPrivilege	1784	wmic.exe
Token: SeLoadDriverPrivilege	1784	wmic.exe
Token: SeSystemProfilePrivilege	1784	wmic.exe
Token: SeSystemtimePrivilege	1784	wmic.exe
Token: SeProfSingleProcessPrivilege	1784	wmic.exe
Token: SeIncBasePriorityPrivilege	1784	wmic.exe
Token: SeCreatePagefilePrivilege	1784	wmic.exe
Token: SeBackupPrivilege	1784	wmic.exe
Token: SeRestorePrivilege	1784	wmic.exe
Token: SeShutdownPrivilege	1784	wmic.exe
Token: SeDebugPrivilege	1784	wmic.exe
Token: SeSystemEnvironmentPrivilege	1784	wmic.exe
Token: SeRemoteShutdownPrivilege	1784	wmic.exe
Token: SeUndockPrivilege	1784	wmic.exe
Token: SeManageVolumePrivilege	1784	wmic.exe
Token: 33	1784	wmic.exe
Token: 34	1784	wmic.exe
Token: 35	1784	wmic.exe
Token: 36	1784	wmic.exe
Token: SeIncreaseQuotaPrivilege	1784	wmic.exe
Token: SeSecurityPrivilege	1784	wmic.exe
Token: SeTakeOwnershipPrivilege	1784	wmic.exe
Token: SeLoadDriverPrivilege	1784	wmic.exe
Token: SeSystemProfilePrivilege	1784	wmic.exe
Token: SeSystemtimePrivilege	1784	wmic.exe
Token: SeProfSingleProcessPrivilege	1784	wmic.exe
Token: SeIncBasePriorityPrivilege	1784	wmic.exe
Token: SeCreatePagefilePrivilege	1784	wmic.exe
Token: SeBackupPrivilege	1784	wmic.exe
Token: SeRestorePrivilege	1784	wmic.exe
Token: SeShutdownPrivilege	1784	wmic.exe
Token: SeDebugPrivilege	1784	wmic.exe
Token: SeSystemEnvironmentPrivilege	1784	wmic.exe
Token: SeRemoteShutdownPrivilege	1784	wmic.exe
Token: SeUndockPrivilege	1784	wmic.exe
Token: SeManageVolumePrivilege	1784	wmic.exe
Token: 33	1784	wmic.exe
Token: 34	1784	wmic.exe
Token: 35	1784	wmic.exe
Token: 36	1784	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1804	748	163678e33957c8c97d647d6d6cd4716b.exe	24
PID 748 wrote to memory of 1804	748	163678e33957c8c97d647d6d6cd4716b.exe	24
PID 748 wrote to memory of 1804	748	163678e33957c8c97d647d6d6cd4716b.exe	24
PID 1804 wrote to memory of 1784	1804	1430730120.exe	22
PID 1804 wrote to memory of 1784	1804	1430730120.exe	22
PID 1804 wrote to memory of 1784	1804	1430730120.exe	22
PID 1804 wrote to memory of 4816	1804	1430730120.exe	34
PID 1804 wrote to memory of 4816	1804	1430730120.exe	34
PID 1804 wrote to memory of 4816	1804	1430730120.exe	34
PID 1804 wrote to memory of 2416	1804	1430730120.exe	29
PID 1804 wrote to memory of 2416	1804	1430730120.exe	29
PID 1804 wrote to memory of 2416	1804	1430730120.exe	29
PID 1804 wrote to memory of 3360	1804	1430730120.exe	33
PID 1804 wrote to memory of 3360	1804	1430730120.exe	33
PID 1804 wrote to memory of 3360	1804	1430730120.exe	33
PID 1804 wrote to memory of 3388	1804	1430730120.exe	32
PID 1804 wrote to memory of 3388	1804	1430730120.exe	32
PID 1804 wrote to memory of 3388	1804	1430730120.exe	32

C:\Users\Admin\AppData\Local\Temp\163678e33957c8c97d647d6d6cd4716b.exe
"C:\Users\Admin\AppData\Local\Temp\163678e33957c8c97d647d6d6cd4716b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\1430730120.exe
  C:\Users\Admin\AppData\Local\Temp\1430730120.exe 2\5\8\2\0\0\3\9\8\9\5 LUtBQj0xNiouKhstTk1AUElBNCgXKkxATFVPUkhAPDQsIy0obnJvYWxba2lfaF07UmVmZFleYB4qPEdTVEY7NSkyNSwqHi9DRjs1JxstS0pNRFVAS1dAPzstLjc0Mx0mSzxNVEBKXVVSSTRga29uNSctc3JzJTw8TkkoTE1QLT5HSCVETEFHHi9DSUA7QkRCOBgtRDE6JCkXKkItNSsxICw7KzQoLxsnQjQ9KigYJj8zOCUvIC9NSUc7UEFPV05SSVM4O1A4HipIUE9EUjpMVkBTRzk7IC9NSUc7UEFPV0xBTUI0GCZAVkBXU1JMOhcnPFNDWjtLRExGRT00Gy1DR1FUXz9JR05OQ001MyAvUT85RUZXSk1dVVJJNBgmUUs4Kh4vRFAoNRcqUFBGUklNQlZPPEdBSkVDSU0+Pj1MTUo4GC1JU1xJTUVPR0g9O3RyclwYJk1DT01QTklLPldMTkNNV0JBWVA0KhcqRkQ8Q1g9LhcnQE5dP1FMQU1GOlc8SUFNUU5URUE0XlhncWAYLURPVEVERjxCWkFOPTc2JSkpLywsKTEuMi8sGCZPR0g9OzE0MCcvKi43MyoeL0RMTkZDSj8/V1JJTUI0LSYvLS0oLzUqLicyJzE4LSooQU0dJk04OB4qTVBMPWVrbGcgMVwdMGYlL11fXG9wKV5nbGU1W11qZnJqaCxjb2ocKl1Nc2lMZ21lQWZvZWdtXFxLYW5eXl1pWmJgaGpveSIpXiktMC0qMDIyLykqKS0wICpkZG90ZWRmXGJoWWxhZ2JpHSlhZWBsMzYlMF1oHC5iLDExNjMiKS5bIDFfKjU3MS8cKi1nIy5cMDY5MSodKTFsICtiMSttaWdbcGFvZl9tZSIqXElgZ2hZZWUlLy1eYGdjaVlrZSUwW0pcZGtcX2M=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703549308.txt bios get version
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703549308.txt bios get version
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703549308.txt bios get version
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703549308.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 924
    3⤵
    - Program crash
    PID:4556

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703549308.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430730120.exe

Filesize
92KB

MD5
4fa971a165aba5ca9b8982c8d0d71966

SHA1
1c0054521d98979740f9be1d724c1a36f33cd9bc

SHA256
1d2934fbfd11deea34bce0fe55e14224a5670f65dc1d2886c2a233acbbe9ed44

SHA512
2b780b510525b5750c16ded55e1218dfc6cfe7b1e12245004efb8d3c6122254a49047186a01ff2f130f1d66b6d6f065f4a2b2f876799d25110ddf94404a44ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1430730120.exe

Filesize
381KB

MD5
51c597cbc8d363c894a74a33c6f80c62

SHA1
82312ce73ac1cbf292143d63c884fc0fffe93c36

SHA256
2129605821895dcf5ca17d5e43abf23da89bd9376dd9ddbd9d826c10e720bba0

SHA512
b813b4fff3e46fcf1443207f90f84864a67dc99aabd167212ee38d52912db6073fdfb98e7572574225d79527464d3938773b1d195e14811238ff1d4f9f208dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703549308.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703549308.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703549308.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4324.tmp\dsvfr.dll

Filesize
126KB

MD5
c77a97b9a08e2e742170cc1aa7c2fcb1

SHA1
98d637e1f3cf0fdebd74bf821aaf43bd42590a06

SHA256
e9f06c5e19f0682473abc1f73fd7c400dbb0d79124c161f4f863a2be7249ac72

SHA512
f73d8ba2dc2bb0707edbc0ba1fd9b89742fc91f787c5c58f9243dad42a2de64d655bd34068d3a92a7630810249f3fdeb389b2318a3d1482f29b5ce79e0fbc575

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4324.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit