057c716f3dca233465562a4e5f2ef6c548efd056f800eca1f3e1893931097c73

Analysis

max time kernel
147s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2637724dac659e63dc62eae3def0c079.exe
Size

581KB
MD5

2637724dac659e63dc62eae3def0c079
SHA1

614323ce1e7433e6a42a2cd1334e1a03a50faf2b
SHA256

057c716f3dca233465562a4e5f2ef6c548efd056f800eca1f3e1893931097c73
SHA512

e0bfed9f2306e4bff15a6aafd99bfde018320310ac023fdb09b22983e72e0a11693036d33df09420ebf28068e80ced1289c046eef125bd4d3ba10e57f30c0509
SSDEEP

12288:XKciKcfeIwjZ4d0cHa52bzy05qlYDf+zH+eI/hHNa273Ma4Z:XKRpWedNM2bzyGqlYehILa27caw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
544	1431615751.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	2637724dac659e63dc62eae3def0c079.exe
2032	2637724dac659e63dc62eae3def0c079.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3948	544	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4568	wmic.exe
Token: SeSecurityPrivilege	4568	wmic.exe
Token: SeTakeOwnershipPrivilege	4568	wmic.exe
Token: SeLoadDriverPrivilege	4568	wmic.exe
Token: SeSystemProfilePrivilege	4568	wmic.exe
Token: SeSystemtimePrivilege	4568	wmic.exe
Token: SeProfSingleProcessPrivilege	4568	wmic.exe
Token: SeIncBasePriorityPrivilege	4568	wmic.exe
Token: SeCreatePagefilePrivilege	4568	wmic.exe
Token: SeBackupPrivilege	4568	wmic.exe
Token: SeRestorePrivilege	4568	wmic.exe
Token: SeShutdownPrivilege	4568	wmic.exe
Token: SeDebugPrivilege	4568	wmic.exe
Token: SeSystemEnvironmentPrivilege	4568	wmic.exe
Token: SeRemoteShutdownPrivilege	4568	wmic.exe
Token: SeUndockPrivilege	4568	wmic.exe
Token: SeManageVolumePrivilege	4568	wmic.exe
Token: 33	4568	wmic.exe
Token: 34	4568	wmic.exe
Token: 35	4568	wmic.exe
Token: 36	4568	wmic.exe
Token: SeIncreaseQuotaPrivilege	4568	wmic.exe
Token: SeSecurityPrivilege	4568	wmic.exe
Token: SeTakeOwnershipPrivilege	4568	wmic.exe
Token: SeLoadDriverPrivilege	4568	wmic.exe
Token: SeSystemProfilePrivilege	4568	wmic.exe
Token: SeSystemtimePrivilege	4568	wmic.exe
Token: SeProfSingleProcessPrivilege	4568	wmic.exe
Token: SeIncBasePriorityPrivilege	4568	wmic.exe
Token: SeCreatePagefilePrivilege	4568	wmic.exe
Token: SeBackupPrivilege	4568	wmic.exe
Token: SeRestorePrivilege	4568	wmic.exe
Token: SeShutdownPrivilege	4568	wmic.exe
Token: SeDebugPrivilege	4568	wmic.exe
Token: SeSystemEnvironmentPrivilege	4568	wmic.exe
Token: SeRemoteShutdownPrivilege	4568	wmic.exe
Token: SeUndockPrivilege	4568	wmic.exe
Token: SeManageVolumePrivilege	4568	wmic.exe
Token: 33	4568	wmic.exe
Token: 34	4568	wmic.exe
Token: 35	4568	wmic.exe
Token: 36	4568	wmic.exe
Token: SeIncreaseQuotaPrivilege	4988	wmic.exe
Token: SeSecurityPrivilege	4988	wmic.exe
Token: SeTakeOwnershipPrivilege	4988	wmic.exe
Token: SeLoadDriverPrivilege	4988	wmic.exe
Token: SeSystemProfilePrivilege	4988	wmic.exe
Token: SeSystemtimePrivilege	4988	wmic.exe
Token: SeProfSingleProcessPrivilege	4988	wmic.exe
Token: SeIncBasePriorityPrivilege	4988	wmic.exe
Token: SeCreatePagefilePrivilege	4988	wmic.exe
Token: SeBackupPrivilege	4988	wmic.exe
Token: SeRestorePrivilege	4988	wmic.exe
Token: SeShutdownPrivilege	4988	wmic.exe
Token: SeDebugPrivilege	4988	wmic.exe
Token: SeSystemEnvironmentPrivilege	4988	wmic.exe
Token: SeRemoteShutdownPrivilege	4988	wmic.exe
Token: SeUndockPrivilege	4988	wmic.exe
Token: SeManageVolumePrivilege	4988	wmic.exe
Token: 33	4988	wmic.exe
Token: 34	4988	wmic.exe
Token: 35	4988	wmic.exe
Token: 36	4988	wmic.exe
Token: SeIncreaseQuotaPrivilege	4988	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 544	2032	2637724dac659e63dc62eae3def0c079.exe	34
PID 2032 wrote to memory of 544	2032	2637724dac659e63dc62eae3def0c079.exe	34
PID 2032 wrote to memory of 544	2032	2637724dac659e63dc62eae3def0c079.exe	34
PID 544 wrote to memory of 4568	544	1431615751.exe	21
PID 544 wrote to memory of 4568	544	1431615751.exe	21
PID 544 wrote to memory of 4568	544	1431615751.exe	21
PID 544 wrote to memory of 4988	544	1431615751.exe	24
PID 544 wrote to memory of 4988	544	1431615751.exe	24
PID 544 wrote to memory of 4988	544	1431615751.exe	24
PID 544 wrote to memory of 5008	544	1431615751.exe	33
PID 544 wrote to memory of 5008	544	1431615751.exe	33
PID 544 wrote to memory of 5008	544	1431615751.exe	33
PID 544 wrote to memory of 1588	544	1431615751.exe	32
PID 544 wrote to memory of 1588	544	1431615751.exe	32
PID 544 wrote to memory of 1588	544	1431615751.exe	32
PID 544 wrote to memory of 1424	544	1431615751.exe	28
PID 544 wrote to memory of 1424	544	1431615751.exe	28
PID 544 wrote to memory of 1424	544	1431615751.exe	28

C:\Users\Admin\AppData\Local\Temp\2637724dac659e63dc62eae3def0c079.exe
"C:\Users\Admin\AppData\Local\Temp\2637724dac659e63dc62eae3def0c079.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\1431615751.exe
  C:\Users\Admin\AppData\Local\Temp\1431615751.exe 0!0!7!1!2!2!0!4!5!9!2 L1BCQzsvNzIrKB4vU05BTkdEOSsXLU5FTVZNUEtFPzQvIC89SFFSSUA4KTUwOC4fLUFJQDgnHi9QS05CU0NQWkBCPTIvMTcwICtOPFBWRUteU1BMOWNrcnA6KC5xcHYqPzxRSy1NTk4rQUxLJUdORkgfLUFMRT5CR0Q9GS5CLz0pLBctRDI2LC8eL0AuNCsxIChDMjstLRsmQjU9JjAeLVBOSjtTQ1RYT1BHVj0+UDsgL0lRTUJVP09WQ1VMOjweLVBOSjtTQ1RYTT9LRTlOXHJ1cB4xLkFyXV5iLGV4Xh8tQ1hBWkxQTD1hc3JuOisqW2o0Zm5tLGFvaSpqY3R1aS1jdmUcKjxWRV88TEJKSUpANB4vSEhSUl1CTkpOUUVSNjIeLVREPEVJWU9OXlNQTDkbJlRNPSsfLUJTLTgXLVJVR1NHS0VbUjxKQ09GREdLQUNATFBMPRkuR1FfTlBFUklNPjxycHVhGyZQRVROUUxHTkNaTFFFUlhDP1dTOS0XLUhJPURWOzEcKkBRX0RSTT9LST9aPExDUlJPUkNEOWFYanNlGS5CTVdKR0Y/RF9CTzswNCotKjYuNicwNTYgK09AS0U9KjMxLzYtMi43NyAoQ01VTkhKOEJfVEJMQzs1KywrLTIwKjQoMTovMTExNypJTB4tVT04Rm5lclokMGQ5Ki0nKShXYm1ibXdvJkVSKzYnLyMxYidQHDFiK15tJx4vUU1DO2h0bW8jMWEhLV0jMmZgZHIvLiwsKC9kZWxoZWwuZWldbSUyX1FzbFRlaFxCb3dna21fZElcZV9nZWteYmNwaGpwIzJmKjMxLzYtMi8uMyUrZWJtd2pnZl9kbVptX2VlbiApZDE0LDA0Lzc0KyojM2YsMDM0MC4xJzczOVNGUHRTUF5wTVhBKUtnMnpIdG5lWkRsckx3Yy1HOkxyTzx2MEtESXQ/VXMwRWhUcGJDNGBgMk5rYC9mcVY/XiMyYlsyVG1iQ1VcVTBwYGBUcm5VLW5rWEhPYmFsRmpJKWZ5YmdAYUtGY2REVUVmRmxQY2I/b2FgR3NtV2tqdEV0b2thbUNxYWs4bFMqZmpJQFF1XzFkbFhENW9SVnJkUFFrYF8zSm9JaC95VCwocEpXQ3VXZ1ZkVCl2amFARWlXak48UEQ5TlsxUHNSUmNiVzJKSWFVam1VLSh4WUdxa1Zrc3VGO0dzS2JzSVdtaGhQRWRGU1dhbWNoY21GV1piYGtlOUk8
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:544

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579256.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579256.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579256.txt bios get version
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 544 -ip 544
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 952
1⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579256.txt bios get version
1⤵
PID:1588

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703579256.txt bios get version
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431615751.exe

Filesize
96KB

MD5
3cdb24719b21e04f44fc8b5847479b95

SHA1
a50ed8c0ed90a28f790c855ee0e295d25ba98e16

SHA256
3ca448ebde68e01dccd5c08f6599a7007745393f190c13d52889c1adfc63753c

SHA512
23b9e7f347ee98326ab4929d5d63db461a2cfd8d4f9922db6c5e76ce7343569e565308bed44aae000444dba0359da03a08844f8f385a04c088ebd41a63ddb0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431615751.exe

Filesize
93KB

MD5
10dd47a71936f84cf74db5f75aed4528

SHA1
52045f53c6cd300e89a6aed79ff0ac8330014517

SHA256
7beb0e8b4899345b5e50a06658902ff9e41efe9c026167749a1ebbfda7db8487

SHA512
4a35f64cec04146e9b91e21ded01db0221eb9b7c93063b2fc7ff7f73f862ac8b74df27c7368beeec500528c764b033b4d468307e37fbcd8985a5cc902e871833

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703579256.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5499.tmp\csrozlb.dll

Filesize
153KB

MD5
a0c2ea555273caaf41082b501ce95c2f

SHA1
6194b509d65dd4d8dadd58ea1bfbba2718cbf29c

SHA256
c68bc4282358b4eeea2dfbf0e98f5c3e6346c8e751b08e1453c0f28f25822e5f

SHA512
943e9b15e34c302b6ff50abbd4a149deef650d047fbb7a7ba98e7a407f3b0e2675e246100d648f86df106f422543ab8d19f451c43c93320c7585dcb08a818b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5499.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit