1198aff41fead64ca30573a740a94d0966884a885305e69bbd3137637a1e8648

Analysis

max time kernel
3s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ce6a74680f4ed4d478c411d5d42ffd9.exe
Size

696KB
MD5

5ce6a74680f4ed4d478c411d5d42ffd9
SHA1

dd5ee7fc7ef02ecdb791ec0edbc148807f6ed5b6
SHA256

1198aff41fead64ca30573a740a94d0966884a885305e69bbd3137637a1e8648
SHA512

6ff4a0336210ee48673be1d66eb62993102a78a1f98e5ed996d2a00c14d63fdc9c1b67c214d4cb80f4a7a77cd78593f96f296538531fcfa79c1d5ac96032a307
SSDEEP

12288:t8yfRbQEliesFKIYR8fi/RSSaTsMc9eUKcYJPkNbFVrYrgUKWrzFK:t8yfq5RxYR8K/8pYMc9eUKDkNbUMt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	1432274482.exe

Loads dropped DLL 4 IoCs

pid	Process
2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe
2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe
2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe
2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2088	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe
Token: SeSystemProfilePrivilege	2276	wmic.exe
Token: SeSystemtimePrivilege	2276	wmic.exe
Token: SeProfSingleProcessPrivilege	2276	wmic.exe
Token: SeIncBasePriorityPrivilege	2276	wmic.exe
Token: SeCreatePagefilePrivilege	2276	wmic.exe
Token: SeBackupPrivilege	2276	wmic.exe
Token: SeRestorePrivilege	2276	wmic.exe
Token: SeShutdownPrivilege	2276	wmic.exe
Token: SeDebugPrivilege	2276	wmic.exe
Token: SeSystemEnvironmentPrivilege	2276	wmic.exe
Token: SeRemoteShutdownPrivilege	2276	wmic.exe
Token: SeUndockPrivilege	2276	wmic.exe
Token: SeManageVolumePrivilege	2276	wmic.exe
Token: 33	2276	wmic.exe
Token: 34	2276	wmic.exe
Token: 35	2276	wmic.exe
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe
Token: SeSystemProfilePrivilege	2276	wmic.exe
Token: SeSystemtimePrivilege	2276	wmic.exe
Token: SeProfSingleProcessPrivilege	2276	wmic.exe
Token: SeIncBasePriorityPrivilege	2276	wmic.exe
Token: SeCreatePagefilePrivilege	2276	wmic.exe
Token: SeBackupPrivilege	2276	wmic.exe
Token: SeRestorePrivilege	2276	wmic.exe
Token: SeShutdownPrivilege	2276	wmic.exe
Token: SeDebugPrivilege	2276	wmic.exe
Token: SeSystemEnvironmentPrivilege	2276	wmic.exe
Token: SeRemoteShutdownPrivilege	2276	wmic.exe
Token: SeUndockPrivilege	2276	wmic.exe
Token: SeManageVolumePrivilege	2276	wmic.exe
Token: 33	2276	wmic.exe
Token: 34	2276	wmic.exe
Token: 35	2276	wmic.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2088	2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe	30
PID 2408 wrote to memory of 2088	2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe	30
PID 2408 wrote to memory of 2088	2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe	30
PID 2408 wrote to memory of 2088	2408	5ce6a74680f4ed4d478c411d5d42ffd9.exe	30
PID 2088 wrote to memory of 2276	2088	1432274482.exe	28
PID 2088 wrote to memory of 2276	2088	1432274482.exe	28
PID 2088 wrote to memory of 2276	2088	1432274482.exe	28
PID 2088 wrote to memory of 2276	2088	1432274482.exe	28
PID 2088 wrote to memory of 2720	2088	1432274482.exe	40
PID 2088 wrote to memory of 2720	2088	1432274482.exe	40
PID 2088 wrote to memory of 2720	2088	1432274482.exe	40
PID 2088 wrote to memory of 2720	2088	1432274482.exe	40
PID 2088 wrote to memory of 2756	2088	1432274482.exe	38
PID 2088 wrote to memory of 2756	2088	1432274482.exe	38
PID 2088 wrote to memory of 2756	2088	1432274482.exe	38
PID 2088 wrote to memory of 2756	2088	1432274482.exe	38

C:\Users\Admin\AppData\Local\Temp\5ce6a74680f4ed4d478c411d5d42ffd9.exe
"C:\Users\Admin\AppData\Local\Temp\5ce6a74680f4ed4d478c411d5d42ffd9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\1432274482.exe
  C:\Users\Admin\AppData\Local\Temp\1432274482.exe 9,9,0,3,8,0,6,2,2,6,7 JkdJQTU1MDMyGihKTEJNQUQ3Lh4pRzxLV0xKS0NCOysZJjtJUExJPjs2MSkoFy9AQUQ3Lh4pSUlGRFI7VFlHQjcxKC8xHSdTP1BUP0tWTFJJNWhucm40KCZqcnMmRD9RSSdNRkctPkhQKEdMQEgXJkNJQUNFR0I3GSY7MTouMCszLiopFyZELzUwGi1CLTYoFy9BLD0nLx4pPSw0LS4YL0pQTT5OOktfTUpJUD9BUzYXJlBPR0RPQVJZPkxDQToYL0pQTT5OOktfSzlNPzthaVpaXyUvKHBvcHFfHikncF5sY2J1bWxkHCkwX2R1XyMwKmNcWG4iKjBqbWEfKyclLisYLz9WQ1lOSUM9HSdFUkNdPUY7Q0lLPT0aLUZJTEtWQk9HV01DUDcpFyZURTlORVdNT1hMSUw6GC9QSzssGSY7Uy41IClQU0hNQERFXE9FRkFNRz5AREFEPVVMSjsaKEBKX09NTk5HSz82a2l1YhgvTENST0tFQE5EV1VNQ1BZPThQUzoqIClGRz4+TzQxHSdJTV1CU0c4RElAV0VIQVBTSUs8RDpeYWZxYxooO0ZXS0RPO0JdQ0k0MDErKTIrLDQyJy4oICxMSUdDOystKikyNSk1MjUeKT1GTk5JR0E+XVJDRjw0NSwqMikwLisuIS46MjE6LjUoO0YXJlU+NU1peGdmZVgcMmMsLiopJl1oZGdhcWFiZmMjLVsiRFNGPSsyLC4fLFkiV2ZmZGl1cSVHSyI1KyklLWApTmtgW2VrbCUsZDIoKRwqYihBbmBtTlttXyUyJhgvT1BKN2Fra3AiK2EfMGQfK11eZXEpLiovLytdXGppZGYuY2xkaR4pXVJyZlRja2M+aG5lbGxZZEdfbFtgXGlfYV1wZm13HytdKDQwKjIyLzMxMRwpZmFnd2hqbVtdZFhuXl9lbCMwYCorKjIvMDEvNTYfLF0wNC8oMDM0MjIqJ09tQ3FNTmUwW2Nia05RTXJDa0czSDorcUlKNWxOUTJtRWFFalJUXXJGZzJwUW0/clktUGpRK2NbUERGbVJVRGlEKVt2X2V0ZUkwXl1aZE5sWm1mc1dzaWBQM0NiSyxuYVErZmFiLzFhRHd1b0VfKGVhT1phYFU8X1k+RnFQRF5kWCw7YU95YW1kUkhvUnJbZllFSmFURlRwXGRAbFVlUipYUURmUClGckFtanBVc2hsQVNsY1pnamhSK2dRYkRNMFIwL2JSKC9sXz8xcmEvcWdZZEYtT21EeFgtP2lAbDJpZFFTZ1RAPVFiUGxuWzBDbEVgTG9GZHdxTlEqbENxVXRCeWlnVj4+MEF5R2FNdC5tQ0BNWWJqLDBGTw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703679441.txt bios get version
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703679441.txt bios get version
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703679441.txt bios get version
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 372
    3⤵
    - Program crash
    PID:2620
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703679441.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703679441.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432274482.exe

Filesize
51KB

MD5
4b4aedebddf10cfc9ea4cf8b2321f3ea

SHA1
b29898f3234c398704097b62e374b196912b88a0

SHA256
e5f348342fdea546e24b8d2614980d86ec4c9438d099739f28fd2700b7f2f35a

SHA512
f6ec03aeccf2c229d58a8d929e5f9239c3fcd1ad0b0b36607e0792214bdeebb8d4ef8f16be4e360ebd97cdb1ff84431e8e7bcb6914c0ddfe95375ef09c03afaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1432274482.exe

Filesize
14KB

MD5
03aa68cfefa73410964ccb59727d5586

SHA1
78923889ef59e38ff8b36a9b9e8882076a3da23f

SHA256
9fb0cff3185b897b0f206d532382344e060e91401dc73d3eeaccbddaa6936218

SHA512
e1f1043eeea32752616b71713787c5c6a6d106a840cfcfe1111e4760514ac69872bbf9ad0e8c15eba34737f5aad83208e4c978974c295d672716139171f6acb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703679441.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi564B.tmp\fnbvert.dll

Filesize
102KB

MD5
f91553754b164130dd1ae1ec2768c7a6

SHA1
b852f596f6b64f37dc6a679116b588488d452880

SHA256
55885b175e4c2bd6ce3268311aed9ca3d289ca0fa9f35b0b11f075e46f04df36

SHA512
f8707bc4d8a2b4fc5cd3d1a4a4d17bd8ff2ba5bce78ab2f523aaa26236a7c3020a6318a38b305f7dcfecfb90301ed289aae5be28d7b015944e8f9a77790d670a

Download Submit
\Users\Admin\AppData\Local\Temp\1432274482.exe

Filesize
101KB

MD5
eb9db87ac1914abcbeaa75b4d4a10014

SHA1
c1e4c3237c68588a9f55048c2b09aaab43509a52

SHA256
3a5a43dc8117b217e1cadfc3a32a3ebb70cfee844423c8ed5701b2522f7e2d44

SHA512
2407009a0f23859717e59db7847ce1bf0c9cbd3100a4322da3ba6ef2af2384081b307487069d4fbe59826df74214f0f46dba939aeae5360c7b79067e5c972b1f

Download Submit
\Users\Admin\AppData\Local\Temp\1432274482.exe

Filesize
12KB

MD5
1fa8f9c6ffd0389bcff4886ef2c51da9

SHA1
38d33f2dca6d041e8036302f90ca0846a69f4ec5

SHA256
86479e2cfb37fbd3e87ee133b302ceacc931d4b17ecd0def9cd5275cb19389c0

SHA512
677903a2c1ce338282b54eb93279574b7951830090095a25f74b07eafa1fd1e01850d65a2f06e3293019830fcb5945cf80daec01774350347636ada5bd86ca44

Download Submit
\Users\Admin\AppData\Local\Temp\1432274482.exe

Filesize
51KB

MD5
8d726e6266521958d94f7f3290cdc0bc

SHA1
6a794ac1befef01649a123f3846743f390278a82

SHA256
e9bc41cb5474c4c3e00c7d80e793eaa64b652ad4606f98ce45311f067ed5359c

SHA512
bb590b62ce1856cf672e9185a58b01350519e8a878520f0fb4ada886cfae90ca61495b84999ee646830b9275fec5df2b03e04d71e2a72668d0dd1d8145e228c2

Download Submit
\Users\Admin\AppData\Local\Temp\nsi564B.tmp\fnbvert.dll

Filesize
158KB

MD5
4dab253abac323efe6b7290426f69b8b

SHA1
e6f6f88a42416a9ce8b994d2a301b8e99ca664a8

SHA256
4b5103433cd2aec8bc27aafdcca1a4e04c5ad13ffff1e4c36e58cf534918fc85

SHA512
0085f2d755b4eef98816ed31f23701270aa62fb4aef697361b6e77eaec5aedec63e13855443fe5b8d5325985289dfbb9d95390ed86c54e0bcebdd8dd9f7f008d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi564B.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit