057c716f3dca233465562a4e5f2ef6c548efd056f800eca1f3e1893931097c73

Analysis

max time kernel
28s
max time network
62s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2637724dac659e63dc62eae3def0c079.exe
Size

581KB
MD5

2637724dac659e63dc62eae3def0c079
SHA1

614323ce1e7433e6a42a2cd1334e1a03a50faf2b
SHA256

057c716f3dca233465562a4e5f2ef6c548efd056f800eca1f3e1893931097c73
SHA512

e0bfed9f2306e4bff15a6aafd99bfde018320310ac023fdb09b22983e72e0a11693036d33df09420ebf28068e80ced1289c046eef125bd4d3ba10e57f30c0509
SSDEEP

12288:XKciKcfeIwjZ4d0cHa52bzy05qlYDf+zH+eI/hHNa273Ma4Z:XKRpWedNM2bzyGqlYehILa27caw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2488	1431615751.exe

Loads dropped DLL 11 IoCs

pid	Process
3028	2637724dac659e63dc62eae3def0c079.exe
3028	2637724dac659e63dc62eae3def0c079.exe
3028	2637724dac659e63dc62eae3def0c079.exe
3028	2637724dac659e63dc62eae3def0c079.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2856	2488	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2652	wmic.exe
Token: SeSecurityPrivilege	2652	wmic.exe
Token: SeTakeOwnershipPrivilege	2652	wmic.exe
Token: SeLoadDriverPrivilege	2652	wmic.exe
Token: SeSystemProfilePrivilege	2652	wmic.exe
Token: SeSystemtimePrivilege	2652	wmic.exe
Token: SeProfSingleProcessPrivilege	2652	wmic.exe
Token: SeIncBasePriorityPrivilege	2652	wmic.exe
Token: SeCreatePagefilePrivilege	2652	wmic.exe
Token: SeBackupPrivilege	2652	wmic.exe
Token: SeRestorePrivilege	2652	wmic.exe
Token: SeShutdownPrivilege	2652	wmic.exe
Token: SeDebugPrivilege	2652	wmic.exe
Token: SeSystemEnvironmentPrivilege	2652	wmic.exe
Token: SeRemoteShutdownPrivilege	2652	wmic.exe
Token: SeUndockPrivilege	2652	wmic.exe
Token: SeManageVolumePrivilege	2652	wmic.exe
Token: 33	2652	wmic.exe
Token: 34	2652	wmic.exe
Token: 35	2652	wmic.exe
Token: SeIncreaseQuotaPrivilege	2652	wmic.exe
Token: SeSecurityPrivilege	2652	wmic.exe
Token: SeTakeOwnershipPrivilege	2652	wmic.exe
Token: SeLoadDriverPrivilege	2652	wmic.exe
Token: SeSystemProfilePrivilege	2652	wmic.exe
Token: SeSystemtimePrivilege	2652	wmic.exe
Token: SeProfSingleProcessPrivilege	2652	wmic.exe
Token: SeIncBasePriorityPrivilege	2652	wmic.exe
Token: SeCreatePagefilePrivilege	2652	wmic.exe
Token: SeBackupPrivilege	2652	wmic.exe
Token: SeRestorePrivilege	2652	wmic.exe
Token: SeShutdownPrivilege	2652	wmic.exe
Token: SeDebugPrivilege	2652	wmic.exe
Token: SeSystemEnvironmentPrivilege	2652	wmic.exe
Token: SeRemoteShutdownPrivilege	2652	wmic.exe
Token: SeUndockPrivilege	2652	wmic.exe
Token: SeManageVolumePrivilege	2652	wmic.exe
Token: 33	2652	wmic.exe
Token: 34	2652	wmic.exe
Token: 35	2652	wmic.exe
Token: SeIncreaseQuotaPrivilege	2368	wmic.exe
Token: SeSecurityPrivilege	2368	wmic.exe
Token: SeTakeOwnershipPrivilege	2368	wmic.exe
Token: SeLoadDriverPrivilege	2368	wmic.exe
Token: SeSystemProfilePrivilege	2368	wmic.exe
Token: SeSystemtimePrivilege	2368	wmic.exe
Token: SeProfSingleProcessPrivilege	2368	wmic.exe
Token: SeIncBasePriorityPrivilege	2368	wmic.exe
Token: SeCreatePagefilePrivilege	2368	wmic.exe
Token: SeBackupPrivilege	2368	wmic.exe
Token: SeRestorePrivilege	2368	wmic.exe
Token: SeShutdownPrivilege	2368	wmic.exe
Token: SeDebugPrivilege	2368	wmic.exe
Token: SeSystemEnvironmentPrivilege	2368	wmic.exe
Token: SeRemoteShutdownPrivilege	2368	wmic.exe
Token: SeUndockPrivilege	2368	wmic.exe
Token: SeManageVolumePrivilege	2368	wmic.exe
Token: 33	2368	wmic.exe
Token: 34	2368	wmic.exe
Token: 35	2368	wmic.exe
Token: SeIncreaseQuotaPrivilege	2056	wmic.exe
Token: SeSecurityPrivilege	2056	wmic.exe
Token: SeTakeOwnershipPrivilege	2056	wmic.exe
Token: SeLoadDriverPrivilege	2056	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2488	3028	2637724dac659e63dc62eae3def0c079.exe	30
PID 3028 wrote to memory of 2488	3028	2637724dac659e63dc62eae3def0c079.exe	30
PID 3028 wrote to memory of 2488	3028	2637724dac659e63dc62eae3def0c079.exe	30
PID 3028 wrote to memory of 2488	3028	2637724dac659e63dc62eae3def0c079.exe	30
PID 2488 wrote to memory of 2652	2488	1431615751.exe	32
PID 2488 wrote to memory of 2652	2488	1431615751.exe	32
PID 2488 wrote to memory of 2652	2488	1431615751.exe	32
PID 2488 wrote to memory of 2652	2488	1431615751.exe	32
PID 2488 wrote to memory of 2368	2488	1431615751.exe	35
PID 2488 wrote to memory of 2368	2488	1431615751.exe	35
PID 2488 wrote to memory of 2368	2488	1431615751.exe	35
PID 2488 wrote to memory of 2368	2488	1431615751.exe	35
PID 2488 wrote to memory of 2056	2488	1431615751.exe	37
PID 2488 wrote to memory of 2056	2488	1431615751.exe	37
PID 2488 wrote to memory of 2056	2488	1431615751.exe	37
PID 2488 wrote to memory of 2056	2488	1431615751.exe	37
PID 2488 wrote to memory of 2916	2488	1431615751.exe	39
PID 2488 wrote to memory of 2916	2488	1431615751.exe	39
PID 2488 wrote to memory of 2916	2488	1431615751.exe	39
PID 2488 wrote to memory of 2916	2488	1431615751.exe	39
PID 2488 wrote to memory of 816	2488	1431615751.exe	41
PID 2488 wrote to memory of 816	2488	1431615751.exe	41
PID 2488 wrote to memory of 816	2488	1431615751.exe	41
PID 2488 wrote to memory of 816	2488	1431615751.exe	41
PID 2488 wrote to memory of 2856	2488	1431615751.exe	42
PID 2488 wrote to memory of 2856	2488	1431615751.exe	42
PID 2488 wrote to memory of 2856	2488	1431615751.exe	42
PID 2488 wrote to memory of 2856	2488	1431615751.exe	42

C:\Users\Admin\AppData\Local\Temp\2637724dac659e63dc62eae3def0c079.exe
"C:\Users\Admin\AppData\Local\Temp\2637724dac659e63dc62eae3def0c079.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\1431615751.exe
  C:\Users\Admin\AppData\Local\Temp\1431615751.exe 0!0!7!1!2!2!0!4!5!9!2 L1BCQzsvNzIrKB4vU05BTkdEOSsXLU5FTVZNUEtFPzQvIC89SFFSSUA4KTUwOC4fLUFJQDgnHi9QS05CU0NQWkBCPTIvMTcwICtOPFBWRUteU1BMOWNrcnA6KC5xcHYqPzxRSy1NTk4rQUxLJUdORkgfLUFMRT5CR0Q9GS5CLz0pLBctRDI2LC8eL0AuNCsxIChDMjstLRsmQjU9JjAeLVBOSjtTQ1RYT1BHVj0+UDsgL0lRTUJVP09WQ1VMOjweLVBOSjtTQ1RYTT9LRTlOXHJ1cB4xLkFyXV5iLGV4Xh8tQ1hBWkxQTD1hc3JuOisqW2o0Zm5tLGFvaSpqY3R1aS1jdmUcKjxWRV88TEJKSUpANB4vSEhSUl1CTkpOUUVSNjIeLVREPEVJWU9OXlNQTDkbJlRNPSsfLUJTLTgXLVJVR1NHS0VbUjxKQ09GREdLQUNATFBMPRkuR1FfTlBFUklNPjxycHVhGyZQRVROUUxHTkNaTFFFUlhDP1dTOS0XLUhJPURWOzEcKkBRX0RSTT9LST9aPExDUlJPUkNEOWFYanNlGS5CTVdKR0Y/RF9CTzswNCotKjYuNicwNTYgK09AS0U9KjMxLzYtMi43NyAoQ01VTkhKOEJfVEJMQzs1KywrLTIwKjQoMTovMTExNypJTB4tVT04Rm5lclokMGQ5Ki0nKShXYm1ibXdvJkVSKzYnLyMxYidQHDFiK15tJx4vUU1DO2h0bW8jMWEhLV0jMmZgZHIvLiwsKC9kZWxoZWwuZWldbSUyX1FzbFRlaFxCb3dna21fZElcZV9nZWteYmNwaGpwIzJmKjMxLzYtMi8uMyUrZWJtd2pnZl9kbVptX2VlbiApZDE0LDA0Lzc0KyojM2YsMDM0MC4xJzczOVNGUHRTUF5wTVhBKUtnMnpIdG5lWkRsckx3Yy1HOkxyTzx2MEtESXQ/VXMwRWhUcGJDNGBgMk5rYC9mcVY/XiMyYlsyVG1iQ1VcVTBwYGBUcm5VLW5rWEhPYmFsRmpJKWZ5YmdAYUtGY2REVUVmRmxQY2I/b2FgR3NtV2tqdEV0b2thbUNxYWs4bFMqZmpJQFF1XzFkbFhENW9SVnJkUFFrYF8zSm9JaC95VCwocEpXQ3VXZ1ZkVCl2amFARWlXak48UEQ5TlsxUHNSUmNiVzJKSWFVam1VLSh4WUdxa1Zrc3VGO0dzS2JzSVdtaGhQRWRGU1dhbWNoY21GV1piYGtlOUk8
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579365.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579365.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579365.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579365.txt bios get version
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579365.txt bios get version
    3⤵
    PID:816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431615751.exe

Filesize
788KB

MD5
2879906f31b3c95628fb7acc8c7be337

SHA1
fba075444b949acd6949f045e65458d642dd420b

SHA256
6d5f5a1aa519b0364df83eaa25ebbd642152ae3f1e7d5920936bb49b1e00aa49

SHA512
d307626bcd2798e2282d9dd67d9e23f01523a2a9c849e4d3f3446b4a10935e5dc0c8958e52baf636b3e751649093333d30ea037fdec190ee4c1200ed023f2d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431615751.exe

Filesize
95KB

MD5
23e8f78f03f463ee6f4c59e72dacd7ac

SHA1
b14fb7f80056aa261e5e285e2bf363bf1dbbcdd0

SHA256
ca6ae8c1fbf02b6b4b6ca9a4c3cf1013fe271848be2242812c6fe55643ee60d1

SHA512
265e96292c29c879d894f071b40fb710deb03af083645c2c80aa55c95ac3b42066804aaff2b2ed9e531ee8d0f0034824e57bade41b31f711f01919b2cd020c8d

Download Submit
\Users\Admin\AppData\Local\Temp\1431615751.exe

Filesize
331KB

MD5
e540510b592ee492ad9a3da5ca229904

SHA1
43d2b4afe949747ab87e5bfa1a4bd62797afa0d0

SHA256
47679d83fc87cf6555d424c2fdd273df7d3385481cd9068f411158b8de7bb2cd

SHA512
ac22ff46ebeffebcaa90090fd3ef0c3c046bc0a7a2c4363da5cce5de9c096dc68f5d2c0670acc8225957e799c5c680f4fb8abfff17b89757f78568373ed90ea8

Download Submit
\Users\Admin\AppData\Local\Temp\1431615751.exe

Filesize
96KB

MD5
3cdb24719b21e04f44fc8b5847479b95

SHA1
a50ed8c0ed90a28f790c855ee0e295d25ba98e16

SHA256
3ca448ebde68e01dccd5c08f6599a7007745393f190c13d52889c1adfc63753c

SHA512
23b9e7f347ee98326ab4929d5d63db461a2cfd8d4f9922db6c5e76ce7343569e565308bed44aae000444dba0359da03a08844f8f385a04c088ebd41a63ddb0f6

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF8C.tmp\csrozlb.dll

Filesize
153KB

MD5
a0c2ea555273caaf41082b501ce95c2f

SHA1
6194b509d65dd4d8dadd58ea1bfbba2718cbf29c

SHA256
c68bc4282358b4eeea2dfbf0e98f5c3e6346c8e751b08e1453c0f28f25822e5f

SHA512
943e9b15e34c302b6ff50abbd4a149deef650d047fbb7a7ba98e7a407f3b0e2675e246100d648f86df106f422543ab8d19f451c43c93320c7585dcb08a818b8c

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF8C.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit