9fc156cef9a95b540093f02f9e7108f8cc21f02496ecb9d867e5743ded8c96b1

Analysis

max time kernel
121s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 09:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15a6e14d56c507b0befb14f8207bf9cc.exe
Size

677KB
MD5

15a6e14d56c507b0befb14f8207bf9cc
SHA1

51f94a6c7527ef6691da1b54929fa31cdbee7572
SHA256

9fc156cef9a95b540093f02f9e7108f8cc21f02496ecb9d867e5743ded8c96b1
SHA512

c0ced85fc173df95db695d32df2893a79e1cb8d77c12747e50ce3926ca254f668fc62613c5fac5670bad81375d445f1ecf272a215e937a5fbfa237c1c4aec5f8
SSDEEP

12288:h44SQE4vlI/Dsyw/yZAP58CyoPeMa6DKacs79veDlMDAimQQRd8:h4Hbu4AP5xyMe56DK69veCUsR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	1432144931.exe

Loads dropped DLL 11 IoCs

pid	Process
1740	15a6e14d56c507b0befb14f8207bf9cc.exe
1740	15a6e14d56c507b0befb14f8207bf9cc.exe
1740	15a6e14d56c507b0befb14f8207bf9cc.exe
1740	15a6e14d56c507b0befb14f8207bf9cc.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
812	2784	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3004	wmic.exe
Token: SeSecurityPrivilege	3004	wmic.exe
Token: SeTakeOwnershipPrivilege	3004	wmic.exe
Token: SeLoadDriverPrivilege	3004	wmic.exe
Token: SeSystemProfilePrivilege	3004	wmic.exe
Token: SeSystemtimePrivilege	3004	wmic.exe
Token: SeProfSingleProcessPrivilege	3004	wmic.exe
Token: SeIncBasePriorityPrivilege	3004	wmic.exe
Token: SeCreatePagefilePrivilege	3004	wmic.exe
Token: SeBackupPrivilege	3004	wmic.exe
Token: SeRestorePrivilege	3004	wmic.exe
Token: SeShutdownPrivilege	3004	wmic.exe
Token: SeDebugPrivilege	3004	wmic.exe
Token: SeSystemEnvironmentPrivilege	3004	wmic.exe
Token: SeRemoteShutdownPrivilege	3004	wmic.exe
Token: SeUndockPrivilege	3004	wmic.exe
Token: SeManageVolumePrivilege	3004	wmic.exe
Token: 33	3004	wmic.exe
Token: 34	3004	wmic.exe
Token: 35	3004	wmic.exe
Token: SeIncreaseQuotaPrivilege	3004	wmic.exe
Token: SeSecurityPrivilege	3004	wmic.exe
Token: SeTakeOwnershipPrivilege	3004	wmic.exe
Token: SeLoadDriverPrivilege	3004	wmic.exe
Token: SeSystemProfilePrivilege	3004	wmic.exe
Token: SeSystemtimePrivilege	3004	wmic.exe
Token: SeProfSingleProcessPrivilege	3004	wmic.exe
Token: SeIncBasePriorityPrivilege	3004	wmic.exe
Token: SeCreatePagefilePrivilege	3004	wmic.exe
Token: SeBackupPrivilege	3004	wmic.exe
Token: SeRestorePrivilege	3004	wmic.exe
Token: SeShutdownPrivilege	3004	wmic.exe
Token: SeDebugPrivilege	3004	wmic.exe
Token: SeSystemEnvironmentPrivilege	3004	wmic.exe
Token: SeRemoteShutdownPrivilege	3004	wmic.exe
Token: SeUndockPrivilege	3004	wmic.exe
Token: SeManageVolumePrivilege	3004	wmic.exe
Token: 33	3004	wmic.exe
Token: 34	3004	wmic.exe
Token: 35	3004	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2784	1740	15a6e14d56c507b0befb14f8207bf9cc.exe	28
PID 1740 wrote to memory of 2784	1740	15a6e14d56c507b0befb14f8207bf9cc.exe	28
PID 1740 wrote to memory of 2784	1740	15a6e14d56c507b0befb14f8207bf9cc.exe	28
PID 1740 wrote to memory of 2784	1740	15a6e14d56c507b0befb14f8207bf9cc.exe	28
PID 2784 wrote to memory of 3004	2784	1432144931.exe	29
PID 2784 wrote to memory of 3004	2784	1432144931.exe	29
PID 2784 wrote to memory of 3004	2784	1432144931.exe	29
PID 2784 wrote to memory of 3004	2784	1432144931.exe	29
PID 2784 wrote to memory of 2588	2784	1432144931.exe	32
PID 2784 wrote to memory of 2588	2784	1432144931.exe	32
PID 2784 wrote to memory of 2588	2784	1432144931.exe	32
PID 2784 wrote to memory of 2588	2784	1432144931.exe	32
PID 2784 wrote to memory of 2308	2784	1432144931.exe	35
PID 2784 wrote to memory of 2308	2784	1432144931.exe	35
PID 2784 wrote to memory of 2308	2784	1432144931.exe	35
PID 2784 wrote to memory of 2308	2784	1432144931.exe	35
PID 2784 wrote to memory of 2820	2784	1432144931.exe	36
PID 2784 wrote to memory of 2820	2784	1432144931.exe	36
PID 2784 wrote to memory of 2820	2784	1432144931.exe	36
PID 2784 wrote to memory of 2820	2784	1432144931.exe	36
PID 2784 wrote to memory of 2880	2784	1432144931.exe	39
PID 2784 wrote to memory of 2880	2784	1432144931.exe	39
PID 2784 wrote to memory of 2880	2784	1432144931.exe	39
PID 2784 wrote to memory of 2880	2784	1432144931.exe	39
PID 2784 wrote to memory of 812	2784	1432144931.exe	40
PID 2784 wrote to memory of 812	2784	1432144931.exe	40
PID 2784 wrote to memory of 812	2784	1432144931.exe	40
PID 2784 wrote to memory of 812	2784	1432144931.exe	40

C:\Users\Admin\AppData\Local\Temp\15a6e14d56c507b0befb14f8207bf9cc.exe
"C:\Users\Admin\AppData\Local\Temp\15a6e14d56c507b0befb14f8207bf9cc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\1432144931.exe
  C:\Users\Admin\AppData\Local\Temp\1432144931.exe 1,9,4,0,3,3,4,4,1,3,8 LkdFRDo0LywxHSdSTD5QRkE5LB8sRkRLU09PSEVAPC4YLjtFU1FGQDkxMS0zKhwvQEZAOS8dJ09JS0RSQFBbSEE1MC01NB0sT0FRUz1RVlFSSTpkcHNtMi4mb3JzK0BBUkglU0ZMLT5NTCpISz5OFytDSUY/R0hBNTInLDcvLzQyNTEYLjstPS41LDI0HSdDKTktLh0rQDI6JTAXK0QxOiktHyw8NDQpMR0sTE5OQU1CS1tQT0ZSPUJWNR8mTFJMQVE/U1w9VEM9PR0sTE5OQU1CS1tOPkpBOR8sPVc8W1VPSTkcLkJQRFY/TUFJRUpEOhguP0tTUVw+Tk5US0RJOTIdLFBEQEtDWEZRX1JPSDkfLE5MNC4gLEFPLTwdJ1FMSlRGSkFbVkJEQkZJRUZKPUNEUkpLNBwvRlBbTlRLTEhEQT1xb3FhHyxKREtRUktGSkNeUktESVtEPlZPOTEdJ0dAQEVVOi0cLkZLXjtVTj5KRT9eQkZCSVVQUUJAOWVeZHJcHC9BTFNKS0w5Q1ZFUDo0LCo2LiYxKi0uLjAxHC5RQUw8OTExMC4tMzYqNC8cL0FMU0pLTDlDVlBJSkI5MS4vKC4pLDEyJzM2MDEyMC8mUEodK1FAOkVucWVsaV4hLmUyJi8iJFdma2BrdnAjTUsnNisuIS9hKE9OTjI0Jig9bG9pXVZcXktmcSEuZTIrNiUvNiglR0RTSkQkKV8raWZnYSpEXWJiaykoQGRubmpdJCliNC8rLCoxMCkwJS01LyhPXWVeamgcLmYyMDMqMjMYLkxOTDplcHBvIitgHC5mIi9iY2RxJi8oLjNlK2VqZWwdMV1OdWtRZWlkQWd2ZWhvXmFJXW1eX2RpW2RibWhreCIqZSgwMy8uMDUxMykkKWIxMTAuLTM2KjUoITJjLjAvMS4sOCkyMSIwYjU4NCozJzE0MzIvVGt1bE06NCUvY112anVEaCdsSFMtM0hpTm9MOixoXlFNa0t3W3ZBaWsySHVCZ0g8UGhKaXQvST9JYVIxUV1ZakdlS1NKaks7QXRJdjRwS3dBaFhSNW9eQGN1RVBFYF5qaHY=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703713888.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703713888.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703713888.txt bios get version
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703713888.txt bios get version
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703713888.txt bios get version
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
365KB

MD5
ce5577de2b4867ec0794af48ce47e25c

SHA1
644473a404b75ef7f2520f0bb851b75a038ecd52

SHA256
0fbd4156c110b9cea92921ce7ed151852d8290c961550d6fd7039fa167585b6c

SHA512
7f1f9d31743a5c99e688b36d9adfef538fc1847729df1801823b5d1b2a636932a96002b86728413c8fa8cb522a26cb43460b6f0c0752a0c8b2e6a4478430b26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
478KB

MD5
8279cfa44384e694fcf9e354e032a948

SHA1
fbd4226d80359107459b4cd19f53077c5ca7041b

SHA256
9c87e5ada0552a28fe1b91000a12693c453adbb5ac30275551fca0d51eec59f6

SHA512
d2af6450fcbcbadf83d900538c02d4cab8f5f71ec3ae9240b51d7f6f4af97fecffa087ec97f8654981589838f7877f95c2d7a5a20c50be52d4e67429f15c7b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703713888.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703713888.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703713888.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj827A.tmp\frxdwew.dll

Filesize
158KB

MD5
c2bc7115e45cd13205ae5537c9d85947

SHA1
06ba255cac7dd364160923898c0087e966e63505

SHA256
8f8722ed438b81ae932e3815fe3287e35fe275d75cd9ca693509f980f9fd49ae

SHA512
7962d572a3ace8d2aa7a336669e442b8ae0497df4c15bcca01b72391299712885263f18d8ca4099ee4b5dfd233977f0fb3d1565261e6a25652d5f9e8e8d7cde2

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
697KB

MD5
448b946210915707c01f2b234e1f1f1e

SHA1
5c853f0918e7e2faa05e21edc4762cbf1d541bea

SHA256
5d6c7751f7f93865e728a4a965db766072a354295084d2eb97eae5d249cea91b

SHA512
7bd42ab5d79d66edc255df8912ac92ed9ab4f880e4d091609ee978f2634969775d2db1d4aa425b271a6061ad985a0845d75a04279c048143c345f7679bf5741f

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
569KB

MD5
d83ebcd4bf8c1eb81429c05fc2dd33d5

SHA1
b8150d3fbdf20921df1481471fbcf2a72278d628

SHA256
4e4d18034d879d4a3dc01cdf45381c85bfc5ecd74075b8ea2b7bc62eb01133a6

SHA512
4035a37b77dc1919d19196c59941677865a3e6b28d88b887fde31460f937464e3b61fd67e7fb74be5d8b38b493929f2920864ca4326e09acfcff46fb1f4571ab

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
69KB

MD5
861c118c7ec77d0d883d9783175a742e

SHA1
97a6c1fb667a6e0ed6b210b7f74b69069c516f94

SHA256
9ff96d328fc0996daaebf92a41a7e5def5126a1626a6305e80dbc175d8dd6fe8

SHA512
b6abe3440a5bef95fa488987d09f2fd2db3830a68786e6706b286b1dfe9fbc6493f794d0917c50cc9d2847b6f3a457a0691a7254011a7bac91f2d533e2971af0

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
79KB

MD5
36b593ae5634fba53d6c85cebbf33391

SHA1
b3779a878260f3741ca3e821650e0da69de83798

SHA256
f4a73664969fc7bba0d33d1f3b1301ba157cbc5fcb65c4735234769d5cb64095

SHA512
ace010edead8c14bab4af702c667a1d02106b44b4ea1f909f79f65d91f4d24cd96fa9bfdbfcfb769545c914ac80cc9c9f1e12b4d5a19757ea6c13cb81b21bbba

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
80KB

MD5
40164cf94d5b44ae1e941b98233ad93e

SHA1
1b748edf08cab446d3fa0173c3bc0da013a5c32f

SHA256
9b8b1d52a4a2876fc89494b008037f07fc771230ead4891cdb46147d30ea68c8

SHA512
381477761bc6c531a965270f648aa39d96641435fa223027d57506782fb425ca3ecba8e3e2d6aea28509eb098130699a40859962bcc538dbe8fb723a25112e5a

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
86KB

MD5
6aef25dbab6f7315628d06748fe0dc50

SHA1
323655076f6b7e65521ffdb1f27f8bbef881d23a

SHA256
2a59e0384fc12e24856cf8a12040af0e7f594723a0c431a6d92e0d6d69aa8355

SHA512
67c25e5cfe5bea4b2b0a118ea0a0ce017db5973d3fa47256857ed583df5f9bb6fecb398b76e9de561a0f4b90735ae3039171d7eea187f21f0bd24c3c7ace3b38

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
162KB

MD5
0c3f362e55e734388d2e28be8018befc

SHA1
7534ba01970a3bec790256d4a53a5fd079a4f106

SHA256
69b48034fb7750705764ad7164d67bbf4655c843ff0e8c866a99d22316aee816

SHA512
ef3acb5764cfa4d32f4ac5d5dc2603e257979a7cd0d41eb6d23168fc11b45bafd7adf393fd3432f5b90b82015ea83b70e1856c9a0b7c1d46f121e9a4dc1450c3

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
99KB

MD5
15d498b21e4136e6db65c9b603f675d3

SHA1
4cdc166c22e3fc8a3004f6ff1cb5ad8b24387be7

SHA256
1bb91425fc6ad593226820bbd4ef883c96db0e214d1af1a66e697df7f8137e84

SHA512
f6cbb5be85c3b1b0a97bc302ba21e5fc9d4c6aefd185256f2d89044ee0f3d96892c0b572eaac02dbb05f5a538860a0980fdae890defc7e0280313e1a38b1905f

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
215KB

MD5
b94493cb698c81bb0dac83f481a6bfa8

SHA1
f75eba6f9bdc54ddc5f246c14e03dc96d57bed56

SHA256
e60d27a4d75b95f01f84e941b883151fc03abc38032d2e262cdf753d564738d0

SHA512
153671ff34c046da0f9b18ef351a569ab732468b84b19dd28c2eeb05de2e6b81ece56485fcc558745f57f65ea2804039b570e240564449db0877ced31bba830d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj827A.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit