6d624a8f1af835fa31e5a175537a4548068f86bdbbb1ae402c0f884d688395e5

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14aff0d1e9c5b24975b9e24c339f5b00.exe
Size

581KB
MD5

14aff0d1e9c5b24975b9e24c339f5b00
SHA1

f8fd2e5b7982ab92e144e59012321e557f51d032
SHA256

6d624a8f1af835fa31e5a175537a4548068f86bdbbb1ae402c0f884d688395e5
SHA512

0f2cb2b183121b818319f7ae8a03d5fa21124d710efd69561febcbb5b02f829e3a2127697669ee26051acc7e74679b9dacfbb57190de0bf9a02f26fc09d967c0
SSDEEP

12288:m64hUnM8rC6ibkVAw9gPdR0YaFYponURzneJOYLT5go9Gl3:m64hmjrebk29PdR0Kponczne4W54

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	1431820951.exe

Loads dropped DLL 11 IoCs

pid	Process
2244	14aff0d1e9c5b24975b9e24c339f5b00.exe
2244	14aff0d1e9c5b24975b9e24c339f5b00.exe
2244	14aff0d1e9c5b24975b9e24c339f5b00.exe
2244	14aff0d1e9c5b24975b9e24c339f5b00.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2100	2732	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2820	wmic.exe
Token: SeSecurityPrivilege	2820	wmic.exe
Token: SeTakeOwnershipPrivilege	2820	wmic.exe
Token: SeLoadDriverPrivilege	2820	wmic.exe
Token: SeSystemProfilePrivilege	2820	wmic.exe
Token: SeSystemtimePrivilege	2820	wmic.exe
Token: SeProfSingleProcessPrivilege	2820	wmic.exe
Token: SeIncBasePriorityPrivilege	2820	wmic.exe
Token: SeCreatePagefilePrivilege	2820	wmic.exe
Token: SeBackupPrivilege	2820	wmic.exe
Token: SeRestorePrivilege	2820	wmic.exe
Token: SeShutdownPrivilege	2820	wmic.exe
Token: SeDebugPrivilege	2820	wmic.exe
Token: SeSystemEnvironmentPrivilege	2820	wmic.exe
Token: SeRemoteShutdownPrivilege	2820	wmic.exe
Token: SeUndockPrivilege	2820	wmic.exe
Token: SeManageVolumePrivilege	2820	wmic.exe
Token: 33	2820	wmic.exe
Token: 34	2820	wmic.exe
Token: 35	2820	wmic.exe
Token: SeIncreaseQuotaPrivilege	2820	wmic.exe
Token: SeSecurityPrivilege	2820	wmic.exe
Token: SeTakeOwnershipPrivilege	2820	wmic.exe
Token: SeLoadDriverPrivilege	2820	wmic.exe
Token: SeSystemProfilePrivilege	2820	wmic.exe
Token: SeSystemtimePrivilege	2820	wmic.exe
Token: SeProfSingleProcessPrivilege	2820	wmic.exe
Token: SeIncBasePriorityPrivilege	2820	wmic.exe
Token: SeCreatePagefilePrivilege	2820	wmic.exe
Token: SeBackupPrivilege	2820	wmic.exe
Token: SeRestorePrivilege	2820	wmic.exe
Token: SeShutdownPrivilege	2820	wmic.exe
Token: SeDebugPrivilege	2820	wmic.exe
Token: SeSystemEnvironmentPrivilege	2820	wmic.exe
Token: SeRemoteShutdownPrivilege	2820	wmic.exe
Token: SeUndockPrivilege	2820	wmic.exe
Token: SeManageVolumePrivilege	2820	wmic.exe
Token: 33	2820	wmic.exe
Token: 34	2820	wmic.exe
Token: 35	2820	wmic.exe
Token: SeIncreaseQuotaPrivilege	2760	wmic.exe
Token: SeSecurityPrivilege	2760	wmic.exe
Token: SeTakeOwnershipPrivilege	2760	wmic.exe
Token: SeLoadDriverPrivilege	2760	wmic.exe
Token: SeSystemProfilePrivilege	2760	wmic.exe
Token: SeSystemtimePrivilege	2760	wmic.exe
Token: SeProfSingleProcessPrivilege	2760	wmic.exe
Token: SeIncBasePriorityPrivilege	2760	wmic.exe
Token: SeCreatePagefilePrivilege	2760	wmic.exe
Token: SeBackupPrivilege	2760	wmic.exe
Token: SeRestorePrivilege	2760	wmic.exe
Token: SeShutdownPrivilege	2760	wmic.exe
Token: SeDebugPrivilege	2760	wmic.exe
Token: SeSystemEnvironmentPrivilege	2760	wmic.exe
Token: SeRemoteShutdownPrivilege	2760	wmic.exe
Token: SeUndockPrivilege	2760	wmic.exe
Token: SeManageVolumePrivilege	2760	wmic.exe
Token: 33	2760	wmic.exe
Token: 34	2760	wmic.exe
Token: 35	2760	wmic.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2732	2244	14aff0d1e9c5b24975b9e24c339f5b00.exe	28
PID 2244 wrote to memory of 2732	2244	14aff0d1e9c5b24975b9e24c339f5b00.exe	28
PID 2244 wrote to memory of 2732	2244	14aff0d1e9c5b24975b9e24c339f5b00.exe	28
PID 2244 wrote to memory of 2732	2244	14aff0d1e9c5b24975b9e24c339f5b00.exe	28
PID 2732 wrote to memory of 2820	2732	1431820951.exe	29
PID 2732 wrote to memory of 2820	2732	1431820951.exe	29
PID 2732 wrote to memory of 2820	2732	1431820951.exe	29
PID 2732 wrote to memory of 2820	2732	1431820951.exe	29
PID 2732 wrote to memory of 2760	2732	1431820951.exe	32
PID 2732 wrote to memory of 2760	2732	1431820951.exe	32
PID 2732 wrote to memory of 2760	2732	1431820951.exe	32
PID 2732 wrote to memory of 2760	2732	1431820951.exe	32
PID 2732 wrote to memory of 2608	2732	1431820951.exe	34
PID 2732 wrote to memory of 2608	2732	1431820951.exe	34
PID 2732 wrote to memory of 2608	2732	1431820951.exe	34
PID 2732 wrote to memory of 2608	2732	1431820951.exe	34
PID 2732 wrote to memory of 2044	2732	1431820951.exe	36
PID 2732 wrote to memory of 2044	2732	1431820951.exe	36
PID 2732 wrote to memory of 2044	2732	1431820951.exe	36
PID 2732 wrote to memory of 2044	2732	1431820951.exe	36
PID 2732 wrote to memory of 1724	2732	1431820951.exe	38
PID 2732 wrote to memory of 1724	2732	1431820951.exe	38
PID 2732 wrote to memory of 1724	2732	1431820951.exe	38
PID 2732 wrote to memory of 1724	2732	1431820951.exe	38
PID 2732 wrote to memory of 2100	2732	1431820951.exe	40
PID 2732 wrote to memory of 2100	2732	1431820951.exe	40
PID 2732 wrote to memory of 2100	2732	1431820951.exe	40
PID 2732 wrote to memory of 2100	2732	1431820951.exe	40

C:\Users\Admin\AppData\Local\Temp\14aff0d1e9c5b24975b9e24c339f5b00.exe
"C:\Users\Admin\AppData\Local\Temp\14aff0d1e9c5b24975b9e24c339f5b00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\1431820951.exe
  C:\Users\Admin\AppData\Local\Temp\1431820951.exe 6|8|7|0|3|0|1|8|2|1|0 KUhCRDozLyowHy9NTTtQRkQ8KB4uTj9MUE9PS0g8Oy8gKTxCU1FJQzUwNjIxKhkvQElDNS4fL0pKSERSQ1NXR0M9Ky4yNB0vUj1QVUVMV05SST1nbHJvOiknbHJzLkM9UUotTkdJLT5QTyZHTUZJGChDSUlCQ0dDPXExR0E2M0gsMUZISypDOUhHVCxOOEE9TRkvQTE8KS8vMC8YKEQvPSwpHi5ELTUmMR0vQyw7LDEaJz01Oi0wGC1PUkk8TkNRX09KR1VBPVE2ICxQUUdCVENOVz5VSUE8GC1PUkk8TkNRX005S0Q9Gic+WEJfVEpKPCApPVFFXENMPEpITj81GS9FT1JMXUFSSU9MRU89LxgtU0g7RkRZTFVeTVBLPRonT006Mh8nQlIxNxgoUlJOU0FLRF9RPUVDTE1EQUtARz9NS0w6IC5BUV5ST0ZNSUpFPGxwdGUaJ0tFUVVRRkdNR1lNTEVPX0M5V1I9LBgoSEZERFA7MCApQUxfQVlNOUtIQ1k9R0NPWU9MQ0M9YFllc2IgLjxNVk5GRzpEXElPNTQ1LiwsMi41My0qMTAgKUxCTUI9MCwxMDgtKjE5LSAuPE1WTkZHOkRcVEhFQzw1KSkwLy8wMC0oMjosKTMzLSpARR4uVTs1Rm93aWtkXyQyYC0nMCgoVmFsY29xayROUSs1JjEkM1wjUE9UNjMdMWErTmpiZGJucx0wZTcoKB4zXytxbiMyYSspJzAiM2EjRVNCMSYuKShsaGNjKkdfW2RvHS9USko8aG5saSUwYSQqZCQyYF9edC4uLykvMGRfa2Jnay5oZmRuJSxeS3VrVGhlY0NvcWZlb15kTFlsYGdfalhkYnBrZ3ckMmApLTMuODIqNjgxHypfZGx3bWRtYGRnWWdhZGVxHTBlMS4rKjgwMjcxLyQzYC0yNS8zNC4zODEwUWV4c1RTSXROV20oRmlsdEpLRGhPYyhxTFA0d0FFYjBGPEoySXlBaExCOGFQcmcxTHgscEpqO1xSeXQ0STt1allNLCxLQGdrUGc3MEU7MWpVeTcsSENBYVFQQmtZMWxhWTI7KFxsNnZhP3FqWUFcY1hqSm5QaGd1SD1wJS9iTTsvREt0QjtRLWdzS0JZR0tOOnJRekwwTWtBZVJlNW1hU0l2
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546351.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546351.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546351.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546351.txt bios get version
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546351.txt bios get version
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703546351.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
788KB

MD5
ad1b752c05bd56b0b40a7eb1e0cc877f

SHA1
cac56d3f0e2cb6db3052f0b5eb23d62dc7f8439d

SHA256
69a512cbf83a97951ee3576d83b71442fea4e74d18c4968c1141234b1b3ffb97

SHA512
124f2e6ea3f129e4a88be4fcbf90d3b305cfc19b815558024f4e71101dbebe98b0a43fa11a35db8fb4159007527a1596018ee0c7c67846c1a244cb976505240e

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
64KB

MD5
5631cd8e833f6295022023055e15ecae

SHA1
7cfca551fb2104072582a829f1d648ad839f15b3

SHA256
13efa98de48e1147f4eef31455a531640a7efb3b408ed8fc20818638acb29a14

SHA512
92bc56928a39c46403b1a55199e9c0f9730b59e7ec0d0143902427e763d4769da348f2a167ae9ee34bf485ba7d8f3d278a5a9feff8bff5325ed494c3f9e086da

Download Submit
\Users\Admin\AppData\Local\Temp\nst50C0.tmp\kaxgcem.dll

Filesize
153KB

MD5
64ffd6dbd03f55408fbc6640317368f0

SHA1
227d86d47d53d5f62a2227e6d2b282519d38005d

SHA256
b8d9b2c53ea62560b03c2ef9f139370380b4c931d1fc02172bc7e1a98e41ffc3

SHA512
ba03c31e00ec24a7bd4e59088feaee3eb389b459cbd041613222f95d9ea1689920127d390d81c2e0000ccf72f67a2043cf81dd324cab3c887003aa93783501c8

Download Submit
\Users\Admin\AppData\Local\Temp\nst50C0.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit