d9846ff8f97a24398c4b4fa22bf44d416e0d622d9078d91c6588d6d705d2eb21

General

Target

222254cdaa2eccd1b0d490baa212f0af.exe
Size

581KB
MD5

222254cdaa2eccd1b0d490baa212f0af
SHA1

f98c31eaed3e7d4617ab89b9d966e40c41bae9ea
SHA256

d9846ff8f97a24398c4b4fa22bf44d416e0d622d9078d91c6588d6d705d2eb21
SHA512

f492b7df5539ead6c88fc5590d78136591e5defe4368df3ff28422a4694c2379fc8cf15d2ebe78b7aa5cee2aeb5b2273a3983fd5b49d3e8621918ac12f7628f4
SSDEEP

12288:4bDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+A:4nJbl+36tKPdhJ7v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3960	1431831751.exe

Loads dropped DLL 2 IoCs

pid	Process
4864	222254cdaa2eccd1b0d490baa212f0af.exe
4864	222254cdaa2eccd1b0d490baa212f0af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
852	3960	WerFault.exe	23

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	116	wmic.exe
Token: SeSecurityPrivilege	116	wmic.exe
Token: SeTakeOwnershipPrivilege	116	wmic.exe
Token: SeLoadDriverPrivilege	116	wmic.exe
Token: SeSystemProfilePrivilege	116	wmic.exe
Token: SeSystemtimePrivilege	116	wmic.exe
Token: SeProfSingleProcessPrivilege	116	wmic.exe
Token: SeIncBasePriorityPrivilege	116	wmic.exe
Token: SeCreatePagefilePrivilege	116	wmic.exe
Token: SeBackupPrivilege	116	wmic.exe
Token: SeRestorePrivilege	116	wmic.exe
Token: SeShutdownPrivilege	116	wmic.exe
Token: SeDebugPrivilege	116	wmic.exe
Token: SeSystemEnvironmentPrivilege	116	wmic.exe
Token: SeRemoteShutdownPrivilege	116	wmic.exe
Token: SeUndockPrivilege	116	wmic.exe
Token: SeManageVolumePrivilege	116	wmic.exe
Token: 33	116	wmic.exe
Token: 34	116	wmic.exe
Token: 35	116	wmic.exe
Token: 36	116	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3960	4864	222254cdaa2eccd1b0d490baa212f0af.exe	23
PID 4864 wrote to memory of 3960	4864	222254cdaa2eccd1b0d490baa212f0af.exe	23
PID 4864 wrote to memory of 3960	4864	222254cdaa2eccd1b0d490baa212f0af.exe	23
PID 3960 wrote to memory of 116	3960	1431831751.exe	21
PID 3960 wrote to memory of 116	3960	1431831751.exe	21
PID 3960 wrote to memory of 116	3960	1431831751.exe	21

C:\Users\Admin\AppData\Local\Temp\222254cdaa2eccd1b0d490baa212f0af.exe
"C:\Users\Admin\AppData\Local\Temp\222254cdaa2eccd1b0d490baa212f0af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 8!0!5!2!0!9!2!9!1!5!5 J1BEQj0qLikxGypLVT1OSTs7Jx8qST1UUk1SQkc7PCsbJ0REUVRAQjQxMi0vMhstQ0BCNC8bKkhSSkJVOlJWSD84KTY0MiAmUTxRUUBKX1BQTDRma3NrNScvbnB2JUI8UkYoTE9LK0FHTiVISUFHICpBTEBBQkg/OG9LRTRULUxHNlAsTU5GN0s+TDlHRlFCTRstRCg7KDArKy0gKkIyNCsoHyo/Kz0oLyAmQis8KCwYLz8zPSQvFy5LTUdEUEFUVk5JSFE8O1k4Hi9HUEZDUD5MX0BTTDg7Fy5LTUdEUEFUVkw4TEA4GC9AVkVWU0lLOBsnRVNDXzpLO0tEST09Gy1IRlFLXj1NR1dOQ1I0LhcuT0M5TkZXT0xdTFFHOBgvUUs9KR4mQ04sNSAqUFVFUkBMQFpPRUdBT0RDQEw8Qj1VTUo9Fy1AUlpNTU5PR008O2txcGAYL01DVExQRUhJQldVTkNSVkI4WE44KiAqRkk7Q088LBsnSU5dRFBMOExEPldFSUFSUE5LRD84XmFncWUXLTtOUklETzxCX0BONDUxKSkwLSw4JTArNBsqTElIQz0oMiowMy4uMjIwICZCRlZJR0dBP11UQEs8PDAqKTcqMDAoMyEzNSwvOjAwKjhLFy5QPDVNanhpY2pYJC1hLS4rKShOZ2VjanJrK0lSKy0sKCQuXSNXSlU2KyMqYSZPamlfY25rIyllMikoJS5gK2l0HDJcLCkuKycrY2diZCZCXWNmbSAmU0lLOGNsdGsjM1gjKWUgLV5nYHIxJS4oMCxfXXNkZW4lZ2VlaiAqZk1zbktnZGQ/am9uZ21hW0tYbVxiXXJaYmVnamZ4IC1eMS8xMS8xLTEyLB0yYWJvbmxjblxfZWFpX2dccBwxYSwsMyw2My0wLjAgLl42LS4zLC8tMS4rLFlSTDBLQkB5SlIsNkh3d2pLOlljSjxFc0tESHdAbFQyRVRILk1wQGpOZTxhWGQ2OUNnbnVGZUVqVUE0KklxRGVTckkuSXkra1BCLzJEUy9mWXA2LkplQGFZQmJzUGtjZlUtRTZeMEZsYSpAZVNldGVXV19uUENfLEswXnZVcUBEU09fSkssTE9KQklKTFBvJS1kUzxiSFJAK2JaQkhwWUJmeA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762149.txt bios get version
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762149.txt bios get version
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762149.txt bios get version
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762149.txt bios get version
    3⤵
    PID:656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 952
    3⤵
    - Program crash
    PID:852

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703762149.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh4036.tmp\cgibuti.dll

Filesize
32KB

MD5
c4e400219f4241936a66e483cf650716

SHA1
0ca69b0c11044230ea7f449feab624799a74e1fa

SHA256
d8c27a69f7c9be1aab181454f131e2d66f30680673dcc68d3e07531ba1590302

SHA512
b0d5effc109e9f96ee6aaac519c2d40660aa7c8d0e6ba1bff9e5f6888f647d22fd6b29da024b785ed8ad748e22a6ed11011849aebfeaba947ed48cbeadcc28b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4036.tmp\cgibuti.dll

Filesize
1KB

MD5
701f64e8bdd6461ca3c97dc13484c986

SHA1
ed966fc41b8071a8885dadda59f32d5a2d9314d7

SHA256
59532d0b8ecbbae4ada923f1f5edbf7841c04d1b6fec9750197251af5e3d2a2d

SHA512
bcc1a97c36782e62086e644ce15f6c6f9c0c310f68f9a0f4d4d838a430b961168089c924d489e5771a45043d9fd799a21f23d39490da3a19a85620e1778b8733

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4036.tmp\nsisunz.dll

Filesize
40B

MD5
5bda86c200ce3cb2d69c723a5e33ee7f

SHA1
3ae6b41ddd271eae3225285844afba2a67f6664a

SHA256
74db2527f5f87d5916b041b6a45fb9b0f650c756f13f295344c9c1e6778b6d27

SHA512
7485c29cef947a0b16b6b58a524f3e656e73215bfe225c980616669f7d5690d1b8fa193efd61c374304d0eff85fcea7aef7352b7d9c08953dc8e11507a0a8148

Download Submit

Analysis

Sharing