15ed1fc6786b0bdc49b85880fba7b8b86e7bb9ce4bf95f70962119a078123e36

Analysis

max time kernel
0s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e94bc21bac9386cc3bd0ec8a2e553ca.exe
Size

759KB
MD5

5e94bc21bac9386cc3bd0ec8a2e553ca
SHA1

988a9b706696df7d3b3db2ea59d30c26cde5771c
SHA256

15ed1fc6786b0bdc49b85880fba7b8b86e7bb9ce4bf95f70962119a078123e36
SHA512

5a6f44786decde42c372bdc2117abece02495c1d11475c88ddba27ce0947bf83832c107e2019f2ff69639b30f2224dcfad9c8c1885ab3ea2c8122e31d11250f3
SSDEEP

12288:rK1IlmTeGRwMqnh3pT/T79c7L6Ex0xX1p2KCGeb03iTM9ubKfc8vy4h5:rK1BCLBnh3pTv9c3080euiTM9A86s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	1432447320.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	5e94bc21bac9386cc3bd0ec8a2e553ca.exe
2064	5e94bc21bac9386cc3bd0ec8a2e553ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4916	2204	WerFault.exe	18

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3240	wmic.exe
Token: SeSecurityPrivilege	3240	wmic.exe
Token: SeTakeOwnershipPrivilege	3240	wmic.exe
Token: SeLoadDriverPrivilege	3240	wmic.exe
Token: SeSystemProfilePrivilege	3240	wmic.exe
Token: SeSystemtimePrivilege	3240	wmic.exe
Token: SeProfSingleProcessPrivilege	3240	wmic.exe
Token: SeIncBasePriorityPrivilege	3240	wmic.exe
Token: SeCreatePagefilePrivilege	3240	wmic.exe
Token: SeBackupPrivilege	3240	wmic.exe
Token: SeRestorePrivilege	3240	wmic.exe
Token: SeShutdownPrivilege	3240	wmic.exe
Token: SeDebugPrivilege	3240	wmic.exe
Token: SeSystemEnvironmentPrivilege	3240	wmic.exe
Token: SeRemoteShutdownPrivilege	3240	wmic.exe
Token: SeUndockPrivilege	3240	wmic.exe
Token: SeManageVolumePrivilege	3240	wmic.exe
Token: 33	3240	wmic.exe
Token: 34	3240	wmic.exe
Token: 35	3240	wmic.exe
Token: 36	3240	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2204	2064	5e94bc21bac9386cc3bd0ec8a2e553ca.exe	18
PID 2064 wrote to memory of 2204	2064	5e94bc21bac9386cc3bd0ec8a2e553ca.exe	18
PID 2064 wrote to memory of 2204	2064	5e94bc21bac9386cc3bd0ec8a2e553ca.exe	18
PID 2204 wrote to memory of 3240	2204	1432447320.exe	16
PID 2204 wrote to memory of 3240	2204	1432447320.exe	16
PID 2204 wrote to memory of 3240	2204	1432447320.exe	16

C:\Users\Admin\AppData\Local\Temp\5e94bc21bac9386cc3bd0ec8a2e553ca.exe
"C:\Users\Admin\AppData\Local\Temp\5e94bc21bac9386cc3bd0ec8a2e553ca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\1432447320.exe
  C:\Users\Admin\AppData\Local\Temp\1432447320.exe 3|8|1|0|4|7|4|1|8|2|6 LEhIRDkqNTIuMRosS1RCTEJAPCgeKUs9U1dLS0dIPDsrIiovcG5oYHRbcmheZWQ9Tl5lbFllXx0nQ0lPTUVDNTAxNCkxICs8RUM1LhosSFFPQE4/U1dHPjoqNTkwLBwuS0NMUz1RX1FLSDxgcm5tMi4vb2tyLTxDTUglU09MJj1PSCxDSz5OICs8SEg7SUNBNR8vQCo5LCkeKUEqPC0tGStDKzsnLhguRDA2KTAYLT4yNSwxHChMUUdCT0BMXlBOQlJAO1c3HSdPUks9UUJMXT9SREA9HChMUUdCT0BMXk49RkE8GC0/VT1eVU5FOR8nQ1JCV0JNQEVFTT07GixATlNQWD5RR1VNQko8NRwoUEc5TEVWR1RfUUtIPBgtUEo1MSArPU8wNR4pT01NVEVGQV5PQ0ZAR0xFRUY9Rj1TTEk1Hy9FTFtRTUxORkVEPXBrcWQYLUxCTFRSSkJKRldTTUJKXkQ9Uk88Kh4pRUFDRVQ2LR8nR01cPFhOPUZFQldDSEBKWFBQPkA8Xl9mcF0fL0BIU01ETTtBV0hQOSouMiYwKC4tMC4tMRwuTEdHQjUwNC8rMDMxMi4wGC5ES1BKS0c/PlxMSE1BNjEuKjIpLygwNSYvNjIvOCwwIkBN
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 868
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704519036.txt bios get version
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704519036.txt bios get version
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704519036.txt bios get version
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704519036.txt bios get version
    3⤵
    PID:4988

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704519036.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2204 -ip 2204
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads