f9d73c1660648ef1532ae81bff39fe841ea8fdb8e055ed71aeac8cb994b91c15

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b8e3f1567c468caf665b71f8f0db22.exe
Size

581KB
MD5

16b8e3f1567c468caf665b71f8f0db22
SHA1

f67d473277a11ca6369987347935cc96b24e25de
SHA256

f9d73c1660648ef1532ae81bff39fe841ea8fdb8e055ed71aeac8cb994b91c15
SHA512

103d0c89fe7c4d814d29c339b448f2bb8cf861255e2029936c424dc70913bee8eeffab983c6ada053a54fab1536326f0e885a220c1d2491893eb14191eea1a06
SSDEEP

12288:/z4hUnM8rC6ibkVAw9gPdR0YaFYponURzneJOYLT5go9Gl1:/z4hmjrebk29PdR0Kponczne4W5C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	1431820951.exe

Loads dropped DLL 11 IoCs

pid	Process
2040	16b8e3f1567c468caf665b71f8f0db22.exe
2040	16b8e3f1567c468caf665b71f8f0db22.exe
2040	16b8e3f1567c468caf665b71f8f0db22.exe
2040	16b8e3f1567c468caf665b71f8f0db22.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2180	3040	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3040	2040	16b8e3f1567c468caf665b71f8f0db22.exe	29
PID 2040 wrote to memory of 3040	2040	16b8e3f1567c468caf665b71f8f0db22.exe	29
PID 2040 wrote to memory of 3040	2040	16b8e3f1567c468caf665b71f8f0db22.exe	29
PID 2040 wrote to memory of 3040	2040	16b8e3f1567c468caf665b71f8f0db22.exe	29
PID 3040 wrote to memory of 2620	3040	1431820951.exe	17
PID 3040 wrote to memory of 2620	3040	1431820951.exe	17
PID 3040 wrote to memory of 2620	3040	1431820951.exe	17
PID 3040 wrote to memory of 2620	3040	1431820951.exe	17
PID 3040 wrote to memory of 2736	3040	1431820951.exe	28
PID 3040 wrote to memory of 2736	3040	1431820951.exe	28
PID 3040 wrote to memory of 2736	3040	1431820951.exe	28
PID 3040 wrote to memory of 2736	3040	1431820951.exe	28
PID 3040 wrote to memory of 2828	3040	1431820951.exe	26
PID 3040 wrote to memory of 2828	3040	1431820951.exe	26
PID 3040 wrote to memory of 2828	3040	1431820951.exe	26
PID 3040 wrote to memory of 2828	3040	1431820951.exe	26
PID 3040 wrote to memory of 2532	3040	1431820951.exe	25
PID 3040 wrote to memory of 2532	3040	1431820951.exe	25
PID 3040 wrote to memory of 2532	3040	1431820951.exe	25
PID 3040 wrote to memory of 2532	3040	1431820951.exe	25
PID 3040 wrote to memory of 2544	3040	1431820951.exe	24
PID 3040 wrote to memory of 2544	3040	1431820951.exe	24
PID 3040 wrote to memory of 2544	3040	1431820951.exe	24
PID 3040 wrote to memory of 2544	3040	1431820951.exe	24
PID 3040 wrote to memory of 2180	3040	1431820951.exe	23
PID 3040 wrote to memory of 2180	3040	1431820951.exe	23
PID 3040 wrote to memory of 2180	3040	1431820951.exe	23
PID 3040 wrote to memory of 2180	3040	1431820951.exe	23

C:\Users\Admin\AppData\Local\Temp\16b8e3f1567c468caf665b71f8f0db22.exe
"C:\Users\Admin\AppData\Local\Temp\16b8e3f1567c468caf665b71f8f0db22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\1431820951.exe
  C:\Users\Admin\AppData\Local\Temp\1431820951.exe 2\5\0\2\6\5\1\2\2\3\3 LUtJQjcuLzAwHSxRUEJOQz88Lh4sS0NPV01MRkhCOy0dLT9JUU5EQzswNC81LSAtPURDOy4dLE5NT0JPPlNdR0E6LzE5MhoqUkNQU0JQWlVQRjhncnJtNy0qc3BwKUNDUUgqUkpQKztLTyxHS0NNGy9BRkRCSUdBOnUtU1ItSUlDTEdMTzBJN0VCU1NFPy00SyAtPiw8Ly8tLTMbL0IsOCwvHixBMTgtLxoqQzI7Ki4eKkQzNygwHi1NT00/VUFOWk9QR1M+QVQ9HilLUU1CUkBSWkVTRjw8Hi1NT00/VUFOWk0/S0I6HipFVj9aVFBKOh0tQFhDWT5MQkpGS0M4IC1CSlJSXT9PTVJTQ0w4Lx4tUUU/SUtXSVBeU1BJOh4qVks3LR8tQlAuOxsvUE9JU0dLQlxVQExBSUhER0s+RENQUko3Gy5HUVxPU0lUR0dAPHJwcmIeKlJDTlBRTEdLRF1QU0NMWkM/V1A6MBsvRkM/RFY7Lh0tRFNdPlRNP0tGQF1ATkFMVE9SQ0E6ZFxscV8bLkJNVEtKSkFCWURPOzQzKy8rMiwyKTA0MR0sUkRNQzcsMzEvNTAvKzcwGipDTVVLSU08RF1ORExDOzIsLzIvMCosNCgwNzIvNTEwJDxMHi1SPjtIb3hjZ2tfIy9jMykwKSJSaGxibHRxJk5SJTEtLyMwXylST1UwLyQxYChRcGRkY2hvJDBkNCsuIDNgJW11IzFeLi8pMCclZ2hpYyhEY15rbRoqVFBKOmVyb3AjLVwkMGQiL2RiZXIrKS8vLy5hY25pZWgpaGxkbCIwYVJzaE9oa2NBbHVpbG1bX0xfbF5kY21fYl9ra213Ii9kLDQxKzMyLy40MSMtZmJpcm1qbV5ha1xuX2FgcSMwYy4yLjE2LSwvNTIiMGQrMzYwNDEuLzA1L1UySG1OUjJ3TS82MUt3MnRLdjNiS0I8M0tOTHBIVXQzSU9BdUdkWXJNZmRqVUMyK0Z4ZXNKQU9lWEI/NEpnaWRUeEA5Sj0vZFd4TjNITnNiU2VUNklmaGpVbVhlUzFUZF9UTzFhMEwrYmtlZFRra3BXZ2NnV3guLUlmMUpHUDRIT2hXSE8wMm5MeUBITy5MTlAuP3JMLmVkVkVBdmBOanA=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3040

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703550284.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2180

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703550284.txt bios get version
1⤵
PID:2544

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703550284.txt bios get version
1⤵
PID:2532

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703550284.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703550284.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy85B.tmp\kaxgcem.dll

Filesize
92KB

MD5
efbfcf928063934c1664c519bab5a3af

SHA1
100547b872b7e86084b1507baba60b4017d36c2e

SHA256
2681d7fd596544bd7d33f25207cb7e70c57b0bba840711604a0da3b52e9bae7d

SHA512
800dc6a1e18c8a40693e42d30c7a794027e39a39104a7473439437a54987d3731acca0cbe30763b030d8cf5deacf2cd6fa84654ac10ef60c1cffd5f88e8ff30e

Download Submit