24b2544b17d6d05655992dd686239e306bb471450fcc871a72178fc89b1309ad

Analysis

max time kernel
179s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22316455708250fc1f7a3e559c5946e8.exe
Size

581KB
MD5

22316455708250fc1f7a3e559c5946e8
SHA1

ca27adc10987375f71e983dbac0a135871aa02cf
SHA256

24b2544b17d6d05655992dd686239e306bb471450fcc871a72178fc89b1309ad
SHA512

e31b10a313d01b55191aa16a018c5942d9e56c65cffaf4faa8e5633d093773d61d8c64388798cc0605f144565b4458d41dfd0bfc44b8e8c900946dd396d5f9bc
SSDEEP

12288:EcC73yJg1PYuWJp9f++3QLa3nL0lqLbt3nQgfGA2reW4AfAcktWTEmj:Ecwug1gxfZ3QLKniqN3nQgf6rH4ckW3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3668	1431842551.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	22316455708250fc1f7a3e559c5946e8.exe
1748	22316455708250fc1f7a3e559c5946e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1172	3668	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2656	wmic.exe
Token: SeSecurityPrivilege	2656	wmic.exe
Token: SeTakeOwnershipPrivilege	2656	wmic.exe
Token: SeLoadDriverPrivilege	2656	wmic.exe
Token: SeSystemProfilePrivilege	2656	wmic.exe
Token: SeSystemtimePrivilege	2656	wmic.exe
Token: SeProfSingleProcessPrivilege	2656	wmic.exe
Token: SeIncBasePriorityPrivilege	2656	wmic.exe
Token: SeCreatePagefilePrivilege	2656	wmic.exe
Token: SeBackupPrivilege	2656	wmic.exe
Token: SeRestorePrivilege	2656	wmic.exe
Token: SeShutdownPrivilege	2656	wmic.exe
Token: SeDebugPrivilege	2656	wmic.exe
Token: SeSystemEnvironmentPrivilege	2656	wmic.exe
Token: SeRemoteShutdownPrivilege	2656	wmic.exe
Token: SeUndockPrivilege	2656	wmic.exe
Token: SeManageVolumePrivilege	2656	wmic.exe
Token: 33	2656	wmic.exe
Token: 34	2656	wmic.exe
Token: 35	2656	wmic.exe
Token: 36	2656	wmic.exe
Token: SeIncreaseQuotaPrivilege	2656	wmic.exe
Token: SeSecurityPrivilege	2656	wmic.exe
Token: SeTakeOwnershipPrivilege	2656	wmic.exe
Token: SeLoadDriverPrivilege	2656	wmic.exe
Token: SeSystemProfilePrivilege	2656	wmic.exe
Token: SeSystemtimePrivilege	2656	wmic.exe
Token: SeProfSingleProcessPrivilege	2656	wmic.exe
Token: SeIncBasePriorityPrivilege	2656	wmic.exe
Token: SeCreatePagefilePrivilege	2656	wmic.exe
Token: SeBackupPrivilege	2656	wmic.exe
Token: SeRestorePrivilege	2656	wmic.exe
Token: SeShutdownPrivilege	2656	wmic.exe
Token: SeDebugPrivilege	2656	wmic.exe
Token: SeSystemEnvironmentPrivilege	2656	wmic.exe
Token: SeRemoteShutdownPrivilege	2656	wmic.exe
Token: SeUndockPrivilege	2656	wmic.exe
Token: SeManageVolumePrivilege	2656	wmic.exe
Token: 33	2656	wmic.exe
Token: 34	2656	wmic.exe
Token: 35	2656	wmic.exe
Token: 36	2656	wmic.exe
Token: SeIncreaseQuotaPrivilege	384	wmic.exe
Token: SeSecurityPrivilege	384	wmic.exe
Token: SeTakeOwnershipPrivilege	384	wmic.exe
Token: SeLoadDriverPrivilege	384	wmic.exe
Token: SeSystemProfilePrivilege	384	wmic.exe
Token: SeSystemtimePrivilege	384	wmic.exe
Token: SeProfSingleProcessPrivilege	384	wmic.exe
Token: SeIncBasePriorityPrivilege	384	wmic.exe
Token: SeCreatePagefilePrivilege	384	wmic.exe
Token: SeBackupPrivilege	384	wmic.exe
Token: SeRestorePrivilege	384	wmic.exe
Token: SeShutdownPrivilege	384	wmic.exe
Token: SeDebugPrivilege	384	wmic.exe
Token: SeSystemEnvironmentPrivilege	384	wmic.exe
Token: SeRemoteShutdownPrivilege	384	wmic.exe
Token: SeUndockPrivilege	384	wmic.exe
Token: SeManageVolumePrivilege	384	wmic.exe
Token: 33	384	wmic.exe
Token: 34	384	wmic.exe
Token: 35	384	wmic.exe
Token: 36	384	wmic.exe
Token: SeIncreaseQuotaPrivilege	384	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3668	1748	22316455708250fc1f7a3e559c5946e8.exe	91
PID 1748 wrote to memory of 3668	1748	22316455708250fc1f7a3e559c5946e8.exe	91
PID 1748 wrote to memory of 3668	1748	22316455708250fc1f7a3e559c5946e8.exe	91
PID 3668 wrote to memory of 2656	3668	1431842551.exe	93
PID 3668 wrote to memory of 2656	3668	1431842551.exe	93
PID 3668 wrote to memory of 2656	3668	1431842551.exe	93
PID 3668 wrote to memory of 384	3668	1431842551.exe	96
PID 3668 wrote to memory of 384	3668	1431842551.exe	96
PID 3668 wrote to memory of 384	3668	1431842551.exe	96
PID 3668 wrote to memory of 2160	3668	1431842551.exe	97
PID 3668 wrote to memory of 2160	3668	1431842551.exe	97
PID 3668 wrote to memory of 2160	3668	1431842551.exe	97
PID 3668 wrote to memory of 4388	3668	1431842551.exe	100
PID 3668 wrote to memory of 4388	3668	1431842551.exe	100
PID 3668 wrote to memory of 4388	3668	1431842551.exe	100
PID 3668 wrote to memory of 2620	3668	1431842551.exe	102
PID 3668 wrote to memory of 2620	3668	1431842551.exe	102
PID 3668 wrote to memory of 2620	3668	1431842551.exe	102

C:\Users\Admin\AppData\Local\Temp\22316455708250fc1f7a3e559c5946e8.exe
"C:\Users\Admin\AppData\Local\Temp\22316455708250fc1f7a3e559c5946e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\1431842551.exe
  C:\Users\Admin\AppData\Local\Temp\1431842551.exe 9,9,8,3,2,9,5,5,7,3,8 JkdBQTsqKy0rHSdKTDpNRzs4KxksRjxLT0xQQkQ/Ni0YJjtBUFJAPzgrNCouKRgsQUA/OCkdJ0dJR0FTOk9aQkE1KC0xMR4mTkBLUz1JVk1PSjRjb21tMiYma290JT9ATEglS0ZIKj9HSylCSz5GFydASkA+RkJBNW5DMS1MLjRETU8pTEJFNkknTkw7T0M7TBgsQig4LCotKCwXJ0EwNCgsGSw8KjQlLh4mPy82KikXJjwyOyQsGyhNSkY7TUBSVktNQlM5OlA1HS1HTUo9UjtLVj1SSjg4GyhNSkY7TUBSVkk8RkI1FyY9VUNWUE1FOhgmPFBCXTpIP0VGRjw0GCxGRk5PWD9KRk5LQlA0KxsoUUA4RUNWTUxaUEtJNRcmTko7KRsqPVApNBcnT1NFT0RGQldOPERATURAREY+PzxMSkk7FypETFxKTEVMRks8OG9rcl0XJkpCUkxNSUJLP1ZMS0JQVj88UlA1KRcnRUc7QFM2LhgmQEtcQlBJPEZGO1Y8RkBQUEtPPkE1XVhkcGMXKj9IVEZDRjlBXUBLOC8zJignKis2JSwvLh0nS0BFQjsoLy4qNSwrLCgzHiY/SlBLREY4PFxSQEhANjInKC4nLy4oMCUvNyssMSgzKDhIGyhSOTREZ3dnY2dcHi9eLCUoKCZOZGldbG9qIkZRKS0pLB4wWiJOR1Q0KyAuWyhMaWBcYmxrIC1fNCYnHCtfKWlxICxeKSglKCYpY2RmXig/XFpjbB4mUE1FOmBra2giMVggLV8iKl1eXXEvJSssKi5cXGphZGwlZGlfbB0pXUpybEtkaF5BZ25lZGxfW0hcZ15fXGlXYWNnZ2pyIipdKCwwLy8vLy4tMBwpXmFtbmlnaF5cZFhmXmVcbSArYykrKik1MiswKzEiK10uLzAuKC0zLzIoLVA+MnZLdVRySypmK0V2bWlGdEdoSDs4bklCQHREQFIqQ2FRMUtfMGpIQTleT0tsNERPPG5IOy9fUkB1KUVkLWpRcTwpR3duaFNiLSpCYT1pV2ArLkRBPV5PKkduUVIsX1dOLytbLjdrXWgpalFkZ2BVVVFrU2NXb0pLY3NSOjN1S0NKREJjMkdLT2NDSD0oRElodjxLUUJqWT49Zl5CXnQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762524.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762524.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762524.txt bios get version
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762524.txt bios get version
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762524.txt bios get version
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 924
    3⤵
    - Program crash
    PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3668 -ip 3668
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431842551.exe

Filesize
629KB

MD5
dde640f680eac335178e2154ef5c9c59

SHA1
d9e85d415e4ff966d3b4dc89af959d71b02520e5

SHA256
6b74fe3f2fcad45c8b645839b8468f50804a18d0e9aa5ef439329aba0b864969

SHA512
1918650377166ab424b241e09da6fdb2904ce2295335c59a9523b7b16ba6f9818eacb29eb350ca1b2341ac551629e625c3a8fd0d11dfe6c66ccb66d7f5af7b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431842551.exe

Filesize
661KB

MD5
fb7e5073b6ff38fc8e9a36afa6089366

SHA1
4d7fa4b7db0c7390fc28a3442a10a48a1fb92cc3

SHA256
cc2ee35c7f2455fa7059257eaa52d6d937881b75fa43412dd006d17a40771ae4

SHA512
560c2eaa81de28551ca19378e3a20cb5c69c5d09ee132eb68dea270cb5d4ce5c3aaf6dab37303e76eb6fe63636ba11ecde9f1e75b546850b29dd138cf73b654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703762524.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703762524.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703762524.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg75F.tmp\nraigbw.dll

Filesize
153KB

MD5
fbc2f25eece1f6307c2988c4e34d2e30

SHA1
a1bf3b628c671cbb1528122e554086e851ff8073

SHA256
01ac6332290592c8d229fb2a650c7ce6fde6a3fe40025045adafb76b718cf140

SHA512
d54f8f2bcf2183c448e336543a592f318b91cd8563a2fee436d451d82640fec1fe0927a807e505664c31b3502766cb71bc7628fa6a0b351fb271b1fa13f2909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg75F.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit