12036799c69f1a0c72bacf52238610af17a30aba78badb4264b953be9c205b6d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26944ecfc4a80356a360bde9b70b78ad.exe
Size

218KB
MD5

26944ecfc4a80356a360bde9b70b78ad
SHA1

f15c9672befaf37134333ff22826d0cf7e1a6140
SHA256

12036799c69f1a0c72bacf52238610af17a30aba78badb4264b953be9c205b6d
SHA512

fc5e48dfde15dee571d0ee3e2e02ebec9f468d0f3825700f61d1322c7140110e1327e2ef51b10150dbe94c181c3350abed1b4f835840c53dcf514bb28e5ff81a
SSDEEP

3072:QgXdZt9P6D3XJr3wOMMY0B/UkoLJyMlVdeiag95q5OU3XpzswKFszJNXH/wODa:Qe34F3wOY0ZqyMheiaKqAU+wKsz73I9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4340	lzma.exe
1684	biSetup54553.exe

Loads dropped DLL 13 IoCs

pid	Process
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe
2112	26944ecfc4a80356a360bde9b70b78ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: 36	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: 36	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2472	WMIC.exe
Token: SeSecurityPrivilege	2472	WMIC.exe
Token: SeTakeOwnershipPrivilege	2472	WMIC.exe
Token: SeLoadDriverPrivilege	2472	WMIC.exe
Token: SeSystemProfilePrivilege	2472	WMIC.exe
Token: SeSystemtimePrivilege	2472	WMIC.exe
Token: SeProfSingleProcessPrivilege	2472	WMIC.exe
Token: SeIncBasePriorityPrivilege	2472	WMIC.exe
Token: SeCreatePagefilePrivilege	2472	WMIC.exe
Token: SeBackupPrivilege	2472	WMIC.exe
Token: SeRestorePrivilege	2472	WMIC.exe
Token: SeShutdownPrivilege	2472	WMIC.exe
Token: SeDebugPrivilege	2472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2472	WMIC.exe
Token: SeRemoteShutdownPrivilege	2472	WMIC.exe
Token: SeUndockPrivilege	2472	WMIC.exe
Token: SeManageVolumePrivilege	2472	WMIC.exe
Token: 33	2472	WMIC.exe
Token: 34	2472	WMIC.exe
Token: 35	2472	WMIC.exe
Token: 36	2472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2472	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1684	biSetup54553.exe
1684	biSetup54553.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2580	2112	26944ecfc4a80356a360bde9b70b78ad.exe	19
PID 2112 wrote to memory of 2580	2112	26944ecfc4a80356a360bde9b70b78ad.exe	19
PID 2112 wrote to memory of 2580	2112	26944ecfc4a80356a360bde9b70b78ad.exe	19
PID 2112 wrote to memory of 2472	2112	26944ecfc4a80356a360bde9b70b78ad.exe	25
PID 2112 wrote to memory of 2472	2112	26944ecfc4a80356a360bde9b70b78ad.exe	25
PID 2112 wrote to memory of 2472	2112	26944ecfc4a80356a360bde9b70b78ad.exe	25
PID 2112 wrote to memory of 4824	2112	26944ecfc4a80356a360bde9b70b78ad.exe	27
PID 2112 wrote to memory of 4824	2112	26944ecfc4a80356a360bde9b70b78ad.exe	27
PID 2112 wrote to memory of 4824	2112	26944ecfc4a80356a360bde9b70b78ad.exe	27
PID 2112 wrote to memory of 5108	2112	26944ecfc4a80356a360bde9b70b78ad.exe	29
PID 2112 wrote to memory of 5108	2112	26944ecfc4a80356a360bde9b70b78ad.exe	29
PID 2112 wrote to memory of 5108	2112	26944ecfc4a80356a360bde9b70b78ad.exe	29
PID 2112 wrote to memory of 4340	2112	26944ecfc4a80356a360bde9b70b78ad.exe	34
PID 2112 wrote to memory of 4340	2112	26944ecfc4a80356a360bde9b70b78ad.exe	34
PID 2112 wrote to memory of 4340	2112	26944ecfc4a80356a360bde9b70b78ad.exe	34
PID 2112 wrote to memory of 1684	2112	26944ecfc4a80356a360bde9b70b78ad.exe	30
PID 2112 wrote to memory of 1684	2112	26944ecfc4a80356a360bde9b70b78ad.exe	30
PID 2112 wrote to memory of 1684	2112	26944ecfc4a80356a360bde9b70b78ad.exe	30
PID 1684 wrote to memory of 4032	1684	biSetup54553.exe	32
PID 1684 wrote to memory of 4032	1684	biSetup54553.exe	32
PID 1684 wrote to memory of 4032	1684	biSetup54553.exe	32

C:\Users\Admin\AppData\Local\Temp\26944ecfc4a80356a360bde9b70b78ad.exe
"C:\Users\Admin\AppData\Local\Temp\26944ecfc4a80356a360bde9b70b78ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:4824
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\biSetup54553.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\biSetup54553.exe" /initurl http://d3jsbkpsgh9q55.cloudfront.net/init/26944ecfc4a80356a360bde9b70b78ad/:uid:? /affid "-" /id "0" /name " " /uniqid 26944ecfc4a80356a360bde9b70b78ad /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:4032
- C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\lzma.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\lzma.exe" "d" "C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\or0si5r5mldkcsh" "C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\biSetup54553.exe"
  2⤵
  - Executes dropped EXE
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4864.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
memory/1684-67-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download