Analysis
-
max time kernel
0s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 13:27
Static task
static1
Behavioral task
behavioral1
Sample
21b8eb558dd2a2eae268325e5aaeca91.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
21b8eb558dd2a2eae268325e5aaeca91.exe
Resource
win10v2004-20231215-en
General
-
Target
21b8eb558dd2a2eae268325e5aaeca91.exe
-
Size
581KB
-
MD5
21b8eb558dd2a2eae268325e5aaeca91
-
SHA1
16a9030990ffe98bf1c8e45c932f18f4fd1bef23
-
SHA256
3e6b76d8a25998438b203e96af73c99ed5171b5565b0c43eb059bcc2739131e4
-
SHA512
bb98ef502998f106312e86d7a89e343e85e15714472ddb49758b03c1a737a76bd6e44f3904c3d6c51ecf1be08487b596cee48e9ef317e00b6c81a6d4c03d782f
-
SSDEEP
12288:R2hC73yJg1PYuWJp9f++3QLa3nL0lqLbt3nQgfGA2reW4AfAcktWTEmv:R0wug1gxfZ3QLKniqN3nQgf6rH4ckW7
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3904 1431842551.exe -
Loads dropped DLL 2 IoCs
pid Process 1564 21b8eb558dd2a2eae268325e5aaeca91.exe 1564 21b8eb558dd2a2eae268325e5aaeca91.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4272 3904 WerFault.exe 28 -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4708 wmic.exe Token: SeSecurityPrivilege 4708 wmic.exe Token: SeTakeOwnershipPrivilege 4708 wmic.exe Token: SeLoadDriverPrivilege 4708 wmic.exe Token: SeSystemProfilePrivilege 4708 wmic.exe Token: SeSystemtimePrivilege 4708 wmic.exe Token: SeProfSingleProcessPrivilege 4708 wmic.exe Token: SeIncBasePriorityPrivilege 4708 wmic.exe Token: SeCreatePagefilePrivilege 4708 wmic.exe Token: SeBackupPrivilege 4708 wmic.exe Token: SeRestorePrivilege 4708 wmic.exe Token: SeShutdownPrivilege 4708 wmic.exe Token: SeDebugPrivilege 4708 wmic.exe Token: SeSystemEnvironmentPrivilege 4708 wmic.exe Token: SeRemoteShutdownPrivilege 4708 wmic.exe Token: SeUndockPrivilege 4708 wmic.exe Token: SeManageVolumePrivilege 4708 wmic.exe Token: 33 4708 wmic.exe Token: 34 4708 wmic.exe Token: 35 4708 wmic.exe Token: 36 4708 wmic.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1564 wrote to memory of 3904 1564 21b8eb558dd2a2eae268325e5aaeca91.exe 28 PID 1564 wrote to memory of 3904 1564 21b8eb558dd2a2eae268325e5aaeca91.exe 28 PID 1564 wrote to memory of 3904 1564 21b8eb558dd2a2eae268325e5aaeca91.exe 28 PID 3904 wrote to memory of 4708 3904 1431842551.exe 25 PID 3904 wrote to memory of 4708 3904 1431842551.exe 25 PID 3904 wrote to memory of 4708 3904 1431842551.exe 25
Processes
-
C:\Users\Admin\AppData\Local\Temp\21b8eb558dd2a2eae268325e5aaeca91.exe"C:\Users\Admin\AppData\Local\Temp\21b8eb558dd2a2eae268325e5aaeca91.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\1431842551.exeC:\Users\Admin\AppData\Local\Temp\1431842551.exe 8#2#3#3#1#3#6#3#0#0#0 J05GQTwwKi8yIC9LUz9NSEE3LSAvTj1SVExRSENBPTAgJ0JGUFNGPjoyNzIvMB0sQkY+OjAgL0hQTEFUQE5cSUQ9KTQ2MR8sTUJSVkVKXVJPSzpicXRwOictcG91Kz5CU0stTE1NKkBNSitJTkZHHixAS0Y9SElEPW9ATUJKRS5GNTNPQExKNkpESUFEN0U6Nh0sQy43LjEwMC0eLEExOicuIC9EKzsqLh8sPjE9LTEYLUEyPCorHS9QUkdCUkBTXEpPSVZBO1c6HS5NTExEVUNMXUJSSz43HS9QUkdCUkBTXEg+TUU9GC1CVURcT09MPSAnQ1VCXkBHQUxJTj07HSxHTE1RX0JSR1VQQlE6Kh0vVEg5TEhWTlJZUlJMPRgtU0o8LxosRFMxNR4sT1RLTkZNRV9PQ0lATko/Rk1BRz1TT0k8HSlGU19STUxRRkxCN3FydWUYLU9CU1JMS0lOR1dTUEJRXD4+WVM9Kh4sRUhBP1U9MSAnR1BcQ1ZIPk1JQ1dDS0BRVkpRRUQ9Xl9pcGQdKUFPV05ETT5BXkZKOjY2LikuLys3KysxNSAvTEdKQjwuLjAxODQtMy8wHyw+TFdOTEc/QVxTRkdCPTUvKTUsLy8uLyc2OjUqOC0wKT5HHS9VQTVLbHdoaWZeJTJmLSwtKCdUY2tkb3drKUtRKjMoMCUzYiNVTFQ1MR8wYitUamdhYm1xHy9mNy4oIzBfKko7UUJKUx0xXyhxcx8wYTExJi4mKGtmZWIrR2VbaWwdLlJMST1odGxuIjBgIixjJTJmX2NxLi0tKy4xZGVrZ2RrLWZoY28lMl5QcmtTZmdiRG93ZmpsXmNKW2thZ2VqXWFib2lpdiUyZikyMC43MS8yMjQlKmRhbHZrZmxhZG1ZbF5kZG8fL2YxNCsvNTE0MiwxJTNmKjM0MzItLy4xNzZSVT9xUlFLLU9tODBKQGx2SUw2ZU9qQXdKUVhvQ0RvNEtiPy9LQkNuTUNrZ1FndC9Kdi50S3pRZFZQdDZIPWxnWVRFMklBQGNSZ0k0SmFxZ1dDPjJJQ29nUkVPaVcvbmVhR1EwYEM2eGBBaGdZR3BpVmpvZlJndHlPKG5AUC9KdFBDNHRMU0tFUXdUSVFrNTxOUUNDTU5CZ1ptRm9fUXZv2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703570998.txt bios get version3⤵PID:3304
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8563⤵
- Program crash
PID:4272
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703570998.txt bios get version3⤵PID:4252
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703570998.txt bios get version3⤵PID:3900
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703570998.txt bios get version3⤵PID:4804
-
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703570998.txt bios get serialnumber1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3904 -ip 39041⤵PID:1612
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD56832bee2c65f1ec21d455589bc6800d1
SHA1c3b5b256d8badf9aa496e339e8e59ec5294370f5
SHA256e580f5b9b47ce675fc067336fc711a5fe8ab4064f2308290f4d82cd0b8b4dc65
SHA512cd5dd8bf595afc11b3f3043c410a123fc771a21820072f529d5180454a6957c286e835a5b113f53b9da0cf3ba35f57ae48375c71597b6cfcc89e1981839c51a1
-
Filesize
93KB
MD51522088d7220a0628c5b6aa7d94165a1
SHA171a0107b7712b865fe7568c9da211384267ef7e0
SHA2566789330d47c307a0ddcfaef99ec7dbbd8f2d0436f841d86ea89bfc0c11cd1036
SHA512495494ccd6db567385dbc786655520dd74704f8d5c8093dfa11874924eb69656efed2cbedd9ad19dc76dfa536d8e629e39cf977b6ca2fb9e0708b6bdeb849b82
-
Filesize
58B
MD5dd876faf0fd44a5fab3e82368e2e8b15
SHA101b04083fa278dda3a81705ca5abcfee487a3c90
SHA2565602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
153KB
MD5fbc2f25eece1f6307c2988c4e34d2e30
SHA1a1bf3b628c671cbb1528122e554086e851ff8073
SHA25601ac6332290592c8d229fb2a650c7ce6fde6a3fe40025045adafb76b718cf140
SHA512d54f8f2bcf2183c448e336543a592f318b91cd8563a2fee436d451d82640fec1fe0927a807e505664c31b3502766cb71bc7628fa6a0b351fb271b1fa13f2909e
-
Filesize
40KB
MD55f13dbc378792f23e598079fc1e4422b
SHA15813c05802f15930aa860b8363af2b58426c8adf
SHA2566e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA5129270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5