2408acbb3fa847d110ee3326d753970b9083ef06fb34abc6bcc20f16a088678f

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241dd0747a046f88a4000c24a20e3c0e.exe
Size

695KB
MD5

241dd0747a046f88a4000c24a20e3c0e
SHA1

ca7df76dc905879693c83fd902d8d03a61e73d85
SHA256

2408acbb3fa847d110ee3326d753970b9083ef06fb34abc6bcc20f16a088678f
SHA512

079ae137030379c840421e14de4cdced3fc1c87e4ba009c6f6f66e07a81bd97e7030a0bb493ba5196b7654b993d1cba5d75c4c14a0b7ace6fb2e8a02c9476ea4
SSDEEP

12288:WoNHkHVp/ROGY4ZWqHKgvIsfvFqSAmvPtl+T8iYMZN9NbMeYA3wbIrICxd1e:WoaulmKgvn5AmvjoHN9NbMeBDG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3404	1432242082.exe

Loads dropped DLL 2 IoCs

pid	Process
4508	241dd0747a046f88a4000c24a20e3c0e.exe
4508	241dd0747a046f88a4000c24a20e3c0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4428	3404	WerFault.exe	22

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4848	wmic.exe
Token: SeSecurityPrivilege	4848	wmic.exe
Token: SeTakeOwnershipPrivilege	4848	wmic.exe
Token: SeLoadDriverPrivilege	4848	wmic.exe
Token: SeSystemProfilePrivilege	4848	wmic.exe
Token: SeSystemtimePrivilege	4848	wmic.exe
Token: SeProfSingleProcessPrivilege	4848	wmic.exe
Token: SeIncBasePriorityPrivilege	4848	wmic.exe
Token: SeCreatePagefilePrivilege	4848	wmic.exe
Token: SeBackupPrivilege	4848	wmic.exe
Token: SeRestorePrivilege	4848	wmic.exe
Token: SeShutdownPrivilege	4848	wmic.exe
Token: SeDebugPrivilege	4848	wmic.exe
Token: SeSystemEnvironmentPrivilege	4848	wmic.exe
Token: SeRemoteShutdownPrivilege	4848	wmic.exe
Token: SeUndockPrivilege	4848	wmic.exe
Token: SeManageVolumePrivilege	4848	wmic.exe
Token: 33	4848	wmic.exe
Token: 34	4848	wmic.exe
Token: 35	4848	wmic.exe
Token: 36	4848	wmic.exe
Token: SeIncreaseQuotaPrivilege	4848	wmic.exe
Token: SeSecurityPrivilege	4848	wmic.exe
Token: SeTakeOwnershipPrivilege	4848	wmic.exe
Token: SeLoadDriverPrivilege	4848	wmic.exe
Token: SeSystemProfilePrivilege	4848	wmic.exe
Token: SeSystemtimePrivilege	4848	wmic.exe
Token: SeProfSingleProcessPrivilege	4848	wmic.exe
Token: SeIncBasePriorityPrivilege	4848	wmic.exe
Token: SeCreatePagefilePrivilege	4848	wmic.exe
Token: SeBackupPrivilege	4848	wmic.exe
Token: SeRestorePrivilege	4848	wmic.exe
Token: SeShutdownPrivilege	4848	wmic.exe
Token: SeDebugPrivilege	4848	wmic.exe
Token: SeSystemEnvironmentPrivilege	4848	wmic.exe
Token: SeRemoteShutdownPrivilege	4848	wmic.exe
Token: SeUndockPrivilege	4848	wmic.exe
Token: SeManageVolumePrivilege	4848	wmic.exe
Token: 33	4848	wmic.exe
Token: 34	4848	wmic.exe
Token: 35	4848	wmic.exe
Token: 36	4848	wmic.exe
Token: SeIncreaseQuotaPrivilege	1316	wmic.exe
Token: SeSecurityPrivilege	1316	wmic.exe
Token: SeTakeOwnershipPrivilege	1316	wmic.exe
Token: SeLoadDriverPrivilege	1316	wmic.exe
Token: SeSystemProfilePrivilege	1316	wmic.exe
Token: SeSystemtimePrivilege	1316	wmic.exe
Token: SeProfSingleProcessPrivilege	1316	wmic.exe
Token: SeIncBasePriorityPrivilege	1316	wmic.exe
Token: SeCreatePagefilePrivilege	1316	wmic.exe
Token: SeBackupPrivilege	1316	wmic.exe
Token: SeRestorePrivilege	1316	wmic.exe
Token: SeShutdownPrivilege	1316	wmic.exe
Token: SeDebugPrivilege	1316	wmic.exe
Token: SeSystemEnvironmentPrivilege	1316	wmic.exe
Token: SeRemoteShutdownPrivilege	1316	wmic.exe
Token: SeUndockPrivilege	1316	wmic.exe
Token: SeManageVolumePrivilege	1316	wmic.exe
Token: 33	1316	wmic.exe
Token: 34	1316	wmic.exe
Token: 35	1316	wmic.exe
Token: 36	1316	wmic.exe
Token: SeIncreaseQuotaPrivilege	1316	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3404	4508	241dd0747a046f88a4000c24a20e3c0e.exe	22
PID 4508 wrote to memory of 3404	4508	241dd0747a046f88a4000c24a20e3c0e.exe	22
PID 4508 wrote to memory of 3404	4508	241dd0747a046f88a4000c24a20e3c0e.exe	22
PID 3404 wrote to memory of 4848	3404	1432242082.exe	25
PID 3404 wrote to memory of 4848	3404	1432242082.exe	25
PID 3404 wrote to memory of 4848	3404	1432242082.exe	25
PID 3404 wrote to memory of 1316	3404	1432242082.exe	29
PID 3404 wrote to memory of 1316	3404	1432242082.exe	29
PID 3404 wrote to memory of 1316	3404	1432242082.exe	29
PID 3404 wrote to memory of 1840	3404	1432242082.exe	33
PID 3404 wrote to memory of 1840	3404	1432242082.exe	33
PID 3404 wrote to memory of 1840	3404	1432242082.exe	33
PID 3404 wrote to memory of 2816	3404	1432242082.exe	40
PID 3404 wrote to memory of 2816	3404	1432242082.exe	40
PID 3404 wrote to memory of 2816	3404	1432242082.exe	40
PID 3404 wrote to memory of 3276	3404	1432242082.exe	36
PID 3404 wrote to memory of 3276	3404	1432242082.exe	36
PID 3404 wrote to memory of 3276	3404	1432242082.exe	36

C:\Users\Admin\AppData\Local\Temp\241dd0747a046f88a4000c24a20e3c0e.exe
"C:\Users\Admin\AppData\Local\Temp\241dd0747a046f88a4000c24a20e3c0e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\1432242082.exe
  C:\Users\Admin\AppData\Local\Temp\1432242082.exe 4]3]6]1]8]8]4]9]4]9]7 K01DQzUrLCkuFyhPUjxPQTw5JxwmR0FRUU5KQ0U7OScZK0FDUkxBQDQuJys1NBouO0FANCwXKExPSUNNO1BWRTs2LTMzMxgnTzxOTT5OXE9RRDVka3BnMyssbXFuJkA8T0ImUExKLDlITCVFRT9LHSlCREE/QkU7NnMvLkY6TkI/Ly4tQEEsR0E/UEZCRkpARhouPCk5KjIsLTEvGi48KjkkLRcoQDA3LCkYKzswNCYtHSlDLTUpKBwmSU5MPlQ7TFtHTkBPPUBTPBgnTElLO04/UVlETUQ9NBwmSU5MPlQ7TFtFPUQ+OR0pRFA9W0xOQzYcLD9XPVc/REBDQkpCNx8nQEtKUFY7TkxRUj1KOSgcJk1EPkhKUUdRVlFJRTkdKVVFNS4XKztMLToaLkpNSktFRD5bVD9LO0dJPEVEOkNCT1FENRwmRUpYTlJIU0FFQTRwaW5hHSlRPUxRSUpAR0NcT1I9Sls7PVBMOS8aLkBBQDxUNCocLENSVzxVRT1EQj9cP007SlVHUDw9OWNba2tdHCZARlBKSUlAPFdFRzkwLiovLC8mKS4vKjArHCxOSEU9OSgwKisuMTEzLSkcJkBGUEpJSUA8V1BASTw2MSwsMCcqLCgxISosNy0vMi0tIUxEGStSOzxFZ3ZgaGNaIS9gNCYoJx9TYGdgbHFyI0ZQIjIlKiEwXCpqbiEqXSkuKi0jKj9dX2JrHCtiLyowKCgtJy0iP2VvX2VncCEpYikuKi0aLk1KSDRka21sIi1gHSpiHC5dYGFxKy0oKS0oYFxsZWRoLWFmYmYhKV9OcmhTYWVhO2tuZ2hsW2NFWWpYY1xrW2Ffb2RndRwuXSowMCwxLC8wLDMcK2JhaXZmZGtYYGRaal5hZGodLl0tKywuLy42LC0zHC9dLDEuKy8vLy4uMihTQz90TDxfMFhQamxHZz91QU9JL0lgZG5LdEBfWXZmb0VNYy1CMVsvR0o+YUVmZHNNTE1wQ2Y4X1RnPzVDPD1jVjpwLkhzbl9RdjwwQz09alJSLC9GYG9jUi5PbFk/LV1RaUQrXlRMd1s/NGNVKU9lVlFRYlF2Z3VETUpFSS8xPU1KLClGUDY+TE1gP0hCQUJNQi9OSChjY11NcWtfPlhq
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703769649.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703769649.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703769649.txt bios get version
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703769649.txt bios get version
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 952
    3⤵
    - Program crash
    PID:4428
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703769649.txt bios get version
    3⤵
    PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3404 -ip 3404
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432242082.exe

Filesize
144KB

MD5
f26c4282b62edb694dd90cda8b6d2e51

SHA1
1801b92f1f6f48fbb08c01ee3e6f935da6bfd1ae

SHA256
d19d3f95af4921a27ec0f7de335b5b04da9b22aafee11a4efe33e379297a9311

SHA512
d62d33bf978dd907b2be6274b2a6fab32aace1d3af98e834e70a613a45108879d7523b9d8914f558388059a234ee67aa65844192c22d01511d84983b3927706f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1432242082.exe

Filesize
155KB

MD5
44fca83dcf0b83c21c55e072bfd60bb9

SHA1
8e4c95b749558ed78f8912d4f4d28921388fb85c

SHA256
bb2ea49f1e02a2afe05bc93481e12c650196d4cdd847e8c5235ddb6bb4f7ce86

SHA512
7e4713853f22968c7902b8de27c03cf2bd64fee7930a9a6c0b5b90ab4f9bab5727f03dc60dbe0572cc8ed6aa29ebff903c56f42824ab8c413413c426b24151bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703769649.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703769649.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703769649.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn422A.tmp\jtbtjyt.dll

Filesize
124KB

MD5
a9104e2ac2c6bea76b2a951cc3b4a59c

SHA1
343c13abb0dd3145eb2e9da6705f3fe5832c8c90

SHA256
5c1fa92affeec1bf3c2ddf4a5d00f3e0f148ee9b9f5ee0c06a8ca65bed4cb424

SHA512
fa1e603544a563ad2624f8a1abb59ddb02fcf34e6558e3eeb3300542c61be73221316a15d0b8fb958175091630287180261af3102e0840f8a8a5624003e0299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn422A.tmp\jtbtjyt.dll

Filesize
148KB

MD5
ab1b1e5ed8c085f84348703482272662

SHA1
c47e159990952195b8b6c740a2c0d1b7317cb059

SHA256
c31b50b0ab9fc23f666668addb35472cfa87f8638928daa288d302a5d558546a

SHA512
9eea80bd1928602f5a504f20fe69a83e1f7ad66bff28edb152c40279b893723d70caba7ff0eedd02d8f384ace73b14b2141dbbade6522b67c0fbdec8a265021f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn422A.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit