d9846ff8f97a24398c4b4fa22bf44d416e0d622d9078d91c6588d6d705d2eb21

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222254cdaa2eccd1b0d490baa212f0af.exe
Size

581KB
MD5

222254cdaa2eccd1b0d490baa212f0af
SHA1

f98c31eaed3e7d4617ab89b9d966e40c41bae9ea
SHA256

d9846ff8f97a24398c4b4fa22bf44d416e0d622d9078d91c6588d6d705d2eb21
SHA512

f492b7df5539ead6c88fc5590d78136591e5defe4368df3ff28422a4694c2379fc8cf15d2ebe78b7aa5cee2aeb5b2273a3983fd5b49d3e8621918ac12f7628f4
SSDEEP

12288:4bDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+A:4nJbl+36tKPdhJ7v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	1431831751.exe

Loads dropped DLL 11 IoCs

pid	Process
2112	222254cdaa2eccd1b0d490baa212f0af.exe
2112	222254cdaa2eccd1b0d490baa212f0af.exe
2112	222254cdaa2eccd1b0d490baa212f0af.exe
2112	222254cdaa2eccd1b0d490baa212f0af.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	2756	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2756	2112	222254cdaa2eccd1b0d490baa212f0af.exe	30
PID 2112 wrote to memory of 2756	2112	222254cdaa2eccd1b0d490baa212f0af.exe	30
PID 2112 wrote to memory of 2756	2112	222254cdaa2eccd1b0d490baa212f0af.exe	30
PID 2112 wrote to memory of 2756	2112	222254cdaa2eccd1b0d490baa212f0af.exe	30
PID 2756 wrote to memory of 2828	2756	1431831751.exe	29
PID 2756 wrote to memory of 2828	2756	1431831751.exe	29
PID 2756 wrote to memory of 2828	2756	1431831751.exe	29
PID 2756 wrote to memory of 2828	2756	1431831751.exe	29
PID 2756 wrote to memory of 2700	2756	1431831751.exe	39
PID 2756 wrote to memory of 2700	2756	1431831751.exe	39
PID 2756 wrote to memory of 2700	2756	1431831751.exe	39
PID 2756 wrote to memory of 2700	2756	1431831751.exe	39
PID 2756 wrote to memory of 2564	2756	1431831751.exe	34
PID 2756 wrote to memory of 2564	2756	1431831751.exe	34
PID 2756 wrote to memory of 2564	2756	1431831751.exe	34
PID 2756 wrote to memory of 2564	2756	1431831751.exe	34
PID 2756 wrote to memory of 2640	2756	1431831751.exe	38
PID 2756 wrote to memory of 2640	2756	1431831751.exe	38
PID 2756 wrote to memory of 2640	2756	1431831751.exe	38
PID 2756 wrote to memory of 2640	2756	1431831751.exe	38
PID 2756 wrote to memory of 2408	2756	1431831751.exe	36
PID 2756 wrote to memory of 2408	2756	1431831751.exe	36
PID 2756 wrote to memory of 2408	2756	1431831751.exe	36
PID 2756 wrote to memory of 2408	2756	1431831751.exe	36
PID 2756 wrote to memory of 2652	2756	1431831751.exe	40
PID 2756 wrote to memory of 2652	2756	1431831751.exe	40
PID 2756 wrote to memory of 2652	2756	1431831751.exe	40
PID 2756 wrote to memory of 2652	2756	1431831751.exe	40

C:\Users\Admin\AppData\Local\Temp\222254cdaa2eccd1b0d490baa212f0af.exe
"C:\Users\Admin\AppData\Local\Temp\222254cdaa2eccd1b0d490baa212f0af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 8!0!5!2!0!9!2!9!1!5!5 J1BEQj0qLikxGypLVT1OSTs7Jx8qST1UUk1SQkc7PCsbJ0REUVRAQjQxMi0vMhstQ0BCNC8bKkhSSkJVOlJWSD84KTY0MiAmUTxRUUBKX1BQTDRma3NrNScvbnB2JUI8UkYoTE9LK0FHTiVISUFHICpBTEBBQkg/OG9LRTRULUxHNlAsTU5GN0s+TDlHRlFCTRstRCg7KDArKy0gKkIyNCsoHyo/Kz0oLyAmQis8KCwYLz8zPSQvFy5LTUdEUEFUVk5JSFE8O1k4Hi9HUEZDUD5MX0BTTDg7Fy5LTUdEUEFUVkw4TEA4GC9AVkVWU0lLOBsnRVNDXzpLO0tEST09Gy1IRlFLXj1NR1dOQ1I0LhcuT0M5TkZXT0xdTFFHOBgvUUs9KR4mQ04sNSAqUFVFUkBMQFpPRUdBT0RDQEw8Qj1VTUo9Fy1AUlpNTU5PR008O2txcGAYL01DVExQRUhJQldVTkNSVkI4WE44KiAqRkk7Q088LBsnSU5dRFBMOExEPldFSUFSUE5LRD84XmFncWUXLTtOUklETzxCX0BONDUxKSkwLSw4JTArNBsqTElIQz0oMiowMy4uMjIwICZCRlZJR0dBP11UQEs8PDAqKTcqMDAoMyEzNSwvOjAwKjhLFy5QPDVNanhpY2pYJC1hLS4rKShOZ2VjanJrK0lSKy0sKCQuXSNXSlU2KyMqYSZPamlfY25rIyllMikoJS5gK2l0HDJcLCkuKycrY2diZCZCXWNmbSAmU0lLOGNsdGsjM1gjKWUgLV5nYHIxJS4oMCxfXXNkZW4lZ2VlaiAqZk1zbktnZGQ/am9uZ21hW0tYbVxiXXJaYmVnamZ4IC1eMS8xMS8xLTEyLB0yYWJvbmxjblxfZWFpX2dccBwxYSwsMyw2My0wLjAgLl42LS4zLC8tMS4rLFlSTDBLQkB5SlIsNkh3d2pLOlljSjxFc0tESHdAbFQyRVRILk1wQGpOZTxhWGQ2OUNnbnVGZUVqVUE0KklxRGVTckkuSXkra1BCLzJEUy9mWXA2LkplQGFZQmJzUGtjZlUtRTZeMEZsYSpAZVNldGVXV19uUENfLEswXnZVcUBEU09fSkssTE9KQklKTFBvJS1kUzxiSFJAK2JaQkhwWUJmeA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762142.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762142.txt bios get version
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762142.txt bios get version
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762142.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2652

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762142.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
427KB

MD5
c2137e4cffb47cc323042423d3d32568

SHA1
2559a5ce559ee9be70dae47ae930c473dcde9b80

SHA256
229828af2c12b009c842c168d0c6b466931d72bde8c1a07c47382c079702b752

SHA512
7ef009100c0bf23b83ecb0be7a74d9538d779cdb5f82a0de1a50d89888941a1303c8535346c0558381800f4093229cc2671e5d5c01f44070cf182c5617240314

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
455KB

MD5
e571af4d7234b3a673a08725b0297805

SHA1
8544fc9d779354af28b09e4b7783ad898e5d237e

SHA256
07cfb10e7185510c4d612d3ffc76c47c6ecebb2d7313c142e375003d31ce4b60

SHA512
28e21a5fa0c558551e34234eb074a58f31a30f92f9c6f4d2fd5ff1cba3eedf84b5f3d92d2d9e58ab82714c363f274a4d651694a34ca56188d68c77224799913a

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703762142.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy11CD.tmp\cgibuti.dll

Filesize
153KB

MD5
9b081b4f84974a46cffcf1ef1a2e85f9

SHA1
70a1b83bad19d28195f2df22c3d213a04b42fb2b

SHA256
303f74df9812b639b66f919804039d1e295ffae8e543fa4349507110ac766752

SHA512
4539a458b1d2ba61ffcf71ea59addd13727d26606f73dbfb21053d68d5656010dae5791d486789c14653c6fb953a7dc284c3a80db2b1970a0e7f0778ab77dbbf

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
472KB

MD5
9fafa8934dbf994c85eead60608c69b3

SHA1
ccc24fdd056e94bfab1fc05f29261580ebbf6ba4

SHA256
763c78ba6bfb7cc69bb4d1d42f02a90f9ab7df348e7d065444896d3b8a7204c8

SHA512
9e54d5882be4e2d8e82aa08c90128edd35ae85a9bf46ca0be63ce9b4f72e9bad630b1d1babd495bf6768981514b1b08ae6611b9ecd8a56fa07f64264ec4b737d

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
740KB

MD5
f4fed7542cee445159a231e77713e921

SHA1
93686f13ab4a51649a0fe49bb9d88d5555f78ce3

SHA256
5b761aed50731faaf691d10680bed5fcd01835a75e158aff3a5eb9ec3d57fbb6

SHA512
c1d3a3eb347101545f69d0b3d05f5123c079d72ef55c133a66ba6a44453c1c3e89d4b4c2c28cc3de5af9782184507bc8311350d50de70f0daffe4a8da965abeb

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
362KB

MD5
e96aafd9a630c578237adb00ca009526

SHA1
5c920dd1613fb4b19227866b659ef1c4d73fc5f3

SHA256
9752006f63c52e313737ac1f0a6ee577d39154dfa64652be814ed32ea80f2e02

SHA512
cfa37f33bb4ebf41f9695f5e4b09a74d3e3e235596d4fdca297e640879ddb68121905922b33a4d4b1bdd14f224b7f467b39e3aa6f1ef2b6701a7247dffd3b3e3

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
214KB

MD5
5373da58cce24eae8b354028f27f5fdb

SHA1
e72a562f30a6a0c972be1395348e40ec25768109

SHA256
695a3c4e78c75fb395af91aac3238d488994a7d9cef75e99f13c16633a96a59d

SHA512
66ac8e5c88d6da69565e71b35edaf4a60f9184923c4206a60f4a2d237294ea43544d68eda536a173d6d8c414a91e87e96ec8a2f3fb0a1559e8810f2c292e4da5

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
227KB

MD5
4367c9c715e5ebe3fd2b1fbfab8b90ea

SHA1
e59ce31ce43751a2b842601d4f03c3c8fb2c5b1a

SHA256
c4b51a3ac65e7244711fb55263090d8211c189243637cb0096d5a90c87886e12

SHA512
409e8e3cd255dedb47d57311d95e2f131ecfaec06c738287a1b8ff6397e6c6a8c3374b4bca26704a815ac33296b8a98f4ae05923bbf289e10c6e5311cb32bbaf

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
239KB

MD5
5c220e4aea54215b832ec95de334601b

SHA1
9e9876e1b2f88b9aa8d65c1b51d9e75075964252

SHA256
e976bc0f8de56aa1913d0f1dede4435c4bbf53d3b18df4882852360d8e036a21

SHA512
c9040702835055bf0ed217a2728d109d8ad71744c8b63555fd671ed25eaf9993c24e8f6c6d9fe27a388d23e752d552c269824d474072a266daa1f79442e13ef6

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
246KB

MD5
d1a8285dbd11ccd5ef74452d9f243482

SHA1
2aa1e35101cf5d72df0079987c90850dd3f8b279

SHA256
cfcf81ed578edb675f00ae2088a221afd87907be0e689e6c60005b89abc2d536

SHA512
6e19234e07891dab110d6d9dbfa2691fe9cf3ec63340fb2c1de24b128be75aebb0c9d4aec85d4093fe5010dd449bc2b1ee123b8f3961219d01323179b8672b83

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
175KB

MD5
095d0c939f19233a9d87c569ebb41051

SHA1
642f3a0f86ccfbce30c87554289d3fae79d052f2

SHA256
01a89d2319fbdfa0bd7c3942c2e6c4e7bbd0ac6a99dbe3660fbfe4eafd9406eb

SHA512
1b2c7b217db4be162869283862c057c8fc3a9716970c170fd4167e14ba5da4d887c42a154014516f1f2f4058cecb0bfe205f82a8ef15eedf83860b96fbc1b665

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
177KB

MD5
83bb9040b70ec062bcda9b13def5e403

SHA1
87e2ea3338497e463d2cc4cb5c721d3550759917

SHA256
0a5c07f18c5dc808134bbcd4b57cb9e1d3b8bb2d2eaa9c59e84661516ca970bb

SHA512
13033f937e081bf1c2d0a78ab22f5e6d8682d17475302d66369e57e5b257408038b3bf1ac8e653621b0be4953cfc395bf4e05eca2c0bc5673e983d5c3eda8c80

Download Submit
\Users\Admin\AppData\Local\Temp\nsy11CD.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit