78f0a1d7399810a099e0e39103b3e82941b2c19fc2b4be143d506514e1630d39

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a6d0a46d525198ca8b8bf5b16c56daa.exe
Size

420KB
MD5

7a6d0a46d525198ca8b8bf5b16c56daa
SHA1

03aad0d2b5e49c7c2363132d706fb32bf63bbb16
SHA256

78f0a1d7399810a099e0e39103b3e82941b2c19fc2b4be143d506514e1630d39
SHA512

0bb467dbce799b4a647318b1050dff138c6fe166ebcc5ebfc590171b7a6d06c622514d5fa70c680d068199b0567118f2f0a3a50133e3e6e8084f99e352d39bae
SSDEEP

12288:LF41bnee4OxQ7h6NIoRwnuFjfMmKU4NN0R1:LFsneim6NpRwnuZMmE6f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	7za.exe

Loads dropped DLL 7 IoCs

pid	Process
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe
1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe
Token: SeSystemProfilePrivilege	2864	WMIC.exe
Token: SeSystemtimePrivilege	2864	WMIC.exe
Token: SeProfSingleProcessPrivilege	2864	WMIC.exe
Token: SeIncBasePriorityPrivilege	2864	WMIC.exe
Token: SeCreatePagefilePrivilege	2864	WMIC.exe
Token: SeBackupPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2864	WMIC.exe
Token: SeRemoteShutdownPrivilege	2864	WMIC.exe
Token: SeUndockPrivilege	2864	WMIC.exe
Token: SeManageVolumePrivilege	2864	WMIC.exe
Token: 33	2864	WMIC.exe
Token: 34	2864	WMIC.exe
Token: 35	2864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1904	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	16
PID 1320 wrote to memory of 1904	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	16
PID 1320 wrote to memory of 1904	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	16
PID 1320 wrote to memory of 1904	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	16
PID 1320 wrote to memory of 2864	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	24
PID 1320 wrote to memory of 2864	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	24
PID 1320 wrote to memory of 2864	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	24
PID 1320 wrote to memory of 2864	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	24
PID 1320 wrote to memory of 2120	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	23
PID 1320 wrote to memory of 2120	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	23
PID 1320 wrote to memory of 2120	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	23
PID 1320 wrote to memory of 2120	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	23
PID 1320 wrote to memory of 2924	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	20
PID 1320 wrote to memory of 2924	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	20
PID 1320 wrote to memory of 2924	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	20
PID 1320 wrote to memory of 2924	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	20
PID 1320 wrote to memory of 2684	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	22
PID 1320 wrote to memory of 2684	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	22
PID 1320 wrote to memory of 2684	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	22
PID 1320 wrote to memory of 2684	1320	7a6d0a46d525198ca8b8bf5b16c56daa.exe	22

C:\Users\Admin\AppData\Local\Temp\7a6d0a46d525198ca8b8bf5b16c56daa.exe
"C:\Users\Admin\AppData\Local\Temp\7a6d0a46d525198ca8b8bf5b16c56daa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\nsi89A.tmp\7za.exe
  7za.exe e -y -p"9515034d3bb1e50eb83511c43eb0981e" [RANDOM_STRING].7z
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2120
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi89A.tmp\7za.exe

Filesize
94KB

MD5
4bd15d2a689e1ee88eeea2c4f1a5017a

SHA1
e5b2a5f76ea9480247442a4ed1ce11b6c0a5e8a0

SHA256
798f583b531b589f0df213c00ac09af2e6d4a8281a41934ddeb3ee1972a0ef37

SHA512
ebd601c96421bd27bacf436d4166fb7f58c4782d373ebdccc4f7fdc2b6655a9d820e40ec4fa2262109162261c71552fb262f630e1467cbff9abd6a7961f89a30

Download Submit
\Users\Admin\AppData\Local\Temp\nsi89A.tmp\7za.exe

Filesize
92KB

MD5
50149dbc80ef143d3fb21432d59e1379

SHA1
81553f5192f4582f93eb7634bd8fe65d9f64f8c9

SHA256
c2d7823075f60743739f58473a0f11d36ef48965dddd884cf97dc9069b90fde9

SHA512
d43715e4a2402670d47a51b6d29715379f2b0eac7a5223558441938e476c87c95b6c32618ffdc6a24151e8ae9bc984bdf62943e0d4e1112da5bbfda2a1b67ca6

Download Submit
\Users\Admin\AppData\Local\Temp\nsi89A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit