112777c4a3803494912afbc2a2de885770f05f9347a331a12e8cdac6878f3a8e

Analysis

max time kernel
98s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30f4e524132fa52c67d878c6eb2454a8.exe
Size

631KB
MD5

30f4e524132fa52c67d878c6eb2454a8
SHA1

93188357dc41042964f7066309ce0a45757f2567
SHA256

112777c4a3803494912afbc2a2de885770f05f9347a331a12e8cdac6878f3a8e
SHA512

3a1ad64ce1d7d7b203f13474cb119b2ce75090dc57229ee0829375baecdfce796570ccea18c8b7e113590f3dc8463405b1d6b78d78235b908c7e286c4203c3f1
SSDEEP

12288:y3mKn0Yw1RjSKDOFZgOYylHasdK6WPwVOVP8A:y3Hn0rSKaFZdbqPvFl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	1430946120.exe

Loads dropped DLL 11 IoCs

pid	Process
2652	30f4e524132fa52c67d878c6eb2454a8.exe
2652	30f4e524132fa52c67d878c6eb2454a8.exe
2652	30f4e524132fa52c67d878c6eb2454a8.exe
2652	30f4e524132fa52c67d878c6eb2454a8.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	2608	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	324	wmic.exe
Token: SeSecurityPrivilege	324	wmic.exe
Token: SeTakeOwnershipPrivilege	324	wmic.exe
Token: SeLoadDriverPrivilege	324	wmic.exe
Token: SeSystemProfilePrivilege	324	wmic.exe
Token: SeSystemtimePrivilege	324	wmic.exe
Token: SeProfSingleProcessPrivilege	324	wmic.exe
Token: SeIncBasePriorityPrivilege	324	wmic.exe
Token: SeCreatePagefilePrivilege	324	wmic.exe
Token: SeBackupPrivilege	324	wmic.exe
Token: SeRestorePrivilege	324	wmic.exe
Token: SeShutdownPrivilege	324	wmic.exe
Token: SeDebugPrivilege	324	wmic.exe
Token: SeSystemEnvironmentPrivilege	324	wmic.exe
Token: SeRemoteShutdownPrivilege	324	wmic.exe
Token: SeUndockPrivilege	324	wmic.exe
Token: SeManageVolumePrivilege	324	wmic.exe
Token: 33	324	wmic.exe
Token: 34	324	wmic.exe
Token: 35	324	wmic.exe
Token: SeIncreaseQuotaPrivilege	784	wmic.exe
Token: SeSecurityPrivilege	784	wmic.exe
Token: SeTakeOwnershipPrivilege	784	wmic.exe
Token: SeLoadDriverPrivilege	784	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2608	2652	30f4e524132fa52c67d878c6eb2454a8.exe	29
PID 2652 wrote to memory of 2608	2652	30f4e524132fa52c67d878c6eb2454a8.exe	29
PID 2652 wrote to memory of 2608	2652	30f4e524132fa52c67d878c6eb2454a8.exe	29
PID 2652 wrote to memory of 2608	2652	30f4e524132fa52c67d878c6eb2454a8.exe	29
PID 2608 wrote to memory of 2816	2608	1430946120.exe	30
PID 2608 wrote to memory of 2816	2608	1430946120.exe	30
PID 2608 wrote to memory of 2816	2608	1430946120.exe	30
PID 2608 wrote to memory of 2816	2608	1430946120.exe	30
PID 2608 wrote to memory of 324	2608	1430946120.exe	33
PID 2608 wrote to memory of 324	2608	1430946120.exe	33
PID 2608 wrote to memory of 324	2608	1430946120.exe	33
PID 2608 wrote to memory of 324	2608	1430946120.exe	33
PID 2608 wrote to memory of 784	2608	1430946120.exe	35
PID 2608 wrote to memory of 784	2608	1430946120.exe	35
PID 2608 wrote to memory of 784	2608	1430946120.exe	35
PID 2608 wrote to memory of 784	2608	1430946120.exe	35
PID 2608 wrote to memory of 1676	2608	1430946120.exe	37
PID 2608 wrote to memory of 1676	2608	1430946120.exe	37
PID 2608 wrote to memory of 1676	2608	1430946120.exe	37
PID 2608 wrote to memory of 1676	2608	1430946120.exe	37
PID 2608 wrote to memory of 2504	2608	1430946120.exe	39
PID 2608 wrote to memory of 2504	2608	1430946120.exe	39
PID 2608 wrote to memory of 2504	2608	1430946120.exe	39
PID 2608 wrote to memory of 2504	2608	1430946120.exe	39
PID 2608 wrote to memory of 2296	2608	1430946120.exe	41
PID 2608 wrote to memory of 2296	2608	1430946120.exe	41
PID 2608 wrote to memory of 2296	2608	1430946120.exe	41
PID 2608 wrote to memory of 2296	2608	1430946120.exe	41

C:\Users\Admin\AppData\Local\Temp\30f4e524132fa52c67d878c6eb2454a8.exe
"C:\Users\Admin\AppData\Local\Temp\30f4e524132fa52c67d878c6eb2454a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\1430946120.exe
  C:\Users\Admin\AppData\Local\Temp\1430946120.exe 4!0!2!6!7!6!6!6!7!5!6 K1BHPjYrMy0vLhorU1M8SUM+NykbKUpFUlFITEVDPTgrITIuamtpXm9cb2hdbWM3S19jZ1piXxwvQkNMTkM+Ni0xMzEwGig9Qz42KxorUFBJPU89TlhEPjkyNDMtLRopTEBMUkVQWU5MRjdhb25sOi0pbGxwKD1ATUctUklJJztKSSlDSkZNGig9RkM8RkNAPR4pPSs3JyobKUAyOycqGik+LDgnLSAtPi03JysZKj4xPSsrGSlKTEg/Tz9UXUpLQ1A7PFQ3HC9OTEg+Tz1NWj9RTD83GSlKTEg/Tz9UXUg6Rz83GSo/VEVdT0tGNxooQFJBX0FHPUZDSD44GitITU1NWTxMSFJNQVI7LxkpTkI6SUVVT1NZTkxGNxkqUEk9MBooPk0rNhspTlVMTkJHP1lQQEY/T0s/Qkc7QT5QTEg9HilCTVlMTklORU1DN21sb18ZKkxBVFNMR0NIQVhQTUFSXT46U003KxspRElCP1E3KxooRE1bRFdIOkdDPVhASD9SV0pNPz43X1xmb2UeKT1JUUhFSjtAX0dKNjIyKCsuLSoxNSwnMDAaKE9DSUU7Ky0tKjMuLSsvMh4pPUlRSEVKO0BfUkNGPzcvKDEpLjAvLyMrKjQtLTQtMihKRhopTzo4GitVUEY2Ym5uaSAtXSUwYB4sYGFeb2wqZmdmXjJeX2xmbmtwLF1oZx8sX01valRnZ14+aXFnZ2ldZEtbZ1thX2taXmFwamlyHyxgKy0sLjIwLCssLCwrLSwhMmReaHFoZmhcXmlhbFtgX2wfK2FhYXQzMB4tYGoeLl4tOTEwLB8sMF0gLWAyNTEqLB8sL2cfL2QwMDIuLR8rMWghM2IrJGpsaV1wXXBuX2deHy1eS2BjaWFlXx4sMGBiZ19qYWtfHi1eTF5kZ11nYw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703817093.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703817093.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703817093.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703817093.txt bios get version
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703817093.txt bios get version
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703817093.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstBDC4.tmp\frjhhh.dll

Filesize
121KB

MD5
8e829dbcecc3f95bc28378783fc644a5

SHA1
70d5ace6debcc9258ac9b34e4c1b59a09351aa14

SHA256
23a551a312cb3c6ddd25a30fb1c04887d3b7fccf2e567fdac2ffa7cc1c541a3e

SHA512
4bae3ad907b33676da626113b9a1833873d052c10a16399f4298273c96160a01fd1da7b19e99414ed87456e9f010510ea6f798e09a01ffd39e952efdf771db60

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
928KB

MD5
673c9e5def8acc706909662cdefdc6f7

SHA1
07b03de8e3ff75df000a60b21b5bf16dd4a33864

SHA256
92e26e0241270b21ddcf80c51b9e232963734dd1d0f0872914f92bba5904d2e9

SHA512
34639a539e179f3a58a089ce19826eb3aa9a6d28034c90bd9a9dab810477ef5884064598cb71dca52575908dc73cab4e79f26bdb76fc9e97a921dea25c730362

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
851KB

MD5
d04e48bbeda09ec391667c6b364e1e0e

SHA1
1249fa6acbffac17553bcf72d24ceefbd2d24b12

SHA256
909ac0836f18b7df05d37e5011ea678045cc927c4fa5cdd51713de12120e66eb

SHA512
66b87dfdcca38710ef633ff83614838e88af4ef521c4c700ee89a5296bb9ed2d0f93692c3fccac4301716610d60602f60c116d2499833e9caec11b4e983fb58c

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
926KB

MD5
06f46acece0afc3d66ca5b5bf30718b6

SHA1
ae0e4767c762d3a26a605ec77d1ea64cac05d78d

SHA256
c093d3b02dff651b901c20aa5b99f7d6fc3b40e3a7fd58759f2a392582cc6b1b

SHA512
5c675ae2e72b7979bc34bdf71ed571ef2a0963eeee446354e77cffedd0d4abbe010881e3b45c57e8fd878a016fcb01ba72696c9110d98a602c54ef7034cd54aa

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
828KB

MD5
0251f6bbdb3f1a8725550d3ed02c9599

SHA1
57b5b2843079ab99bc59c4f87c38efdd9f3a1391

SHA256
63029d8eadac2cc60817816eed818a9e79e3b08626c43febe5074062a5cf4ad7

SHA512
92f0ebb23b71d534e823e5433309bce0e529cd15fb76b1a5e5ede479307477241605005c73b917a744d9e854b8f564581f194f87abb64bc6c2987df6d52fcc44

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
771KB

MD5
5a36a322f5842fc492039562c4d1ba27

SHA1
a6eaf0f88f9aea2424f39e57c9058eb12677de85

SHA256
6a3fad198dea3901a8b1fc6074b2c051b7e9b30ce7ec75dc9be37eb518878138

SHA512
9a4cd7844557db0b6f6a95eef25c7e530c7c1f45c06cab35cb27dd1f3ded5320dcb9d57e21aceb5ee303bc9a42eacf1d0e08eb609e11502ab30bc09b3a971f95

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
768KB

MD5
f9edfb208069794c3cfad896af210c74

SHA1
62975e64aff03009840889f66476c81a9e4a25e2

SHA256
8817e1611657eea222bf740a2454c3c341e16479fde8fcb1d3eeaac16e50120a

SHA512
d367aed768bb0856e6a2a7e7595d5215bf645748014f1c99861dd9976f2adcc5d507f171e58ef639c232e33a7358c0ca6277c95d2a5a345d7b6eecc2330fab48

Download Submit
\Users\Admin\AppData\Local\Temp\1430946120.exe

Filesize
447KB

MD5
a8a2657030b888b21f751b5a270e038e

SHA1
b91c01bdec246d89874ddb372f710bee034da419

SHA256
d42bf04e624687a904cd17b06a7280ae4dc9a6d8b960e5dd31e1a01960014590

SHA512
8a7060e1582d252487ecf9be992892d06253dd2c3c79c5ca812a30c5e67f0dd02fb9bc3632893f8490f4bcca2408d0d8aff8be96e55fcabd7f1c7307a0ab05e9

Download Submit
\Users\Admin\AppData\Local\Temp\nstBDC4.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit