20f5165c9cb29da328e19ff28b1e21045a35e6aaad440f0cba6ba64cdd0252c6

General

Target

f62b5a34121584a434d80c62e39e45f6.exe
Size

581KB
MD5

f62b5a34121584a434d80c62e39e45f6
SHA1

9c02da08b660db79e546d39f50e206eaae00d08b
SHA256

20f5165c9cb29da328e19ff28b1e21045a35e6aaad440f0cba6ba64cdd0252c6
SHA512

feedb9896f8045114757e9415e37ef9a65d20b3ac2bc14ba37f71ae12967eaaa45375c9270fd8cfce65402131b9330459c43d875d32a806d83bfb6722e1441a6
SSDEEP

12288:wmyLVVRB5RhLEundvRr9vwWv5g0Wq/v9JzeirLMWRMrTua:wmsVVfhLvJ9vNvWti9JzvY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3564	1431864151.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	f62b5a34121584a434d80c62e39e45f6.exe
2404	f62b5a34121584a434d80c62e39e45f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	3564	WerFault.exe	24

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3544	wmic.exe
Token: SeSecurityPrivilege	3544	wmic.exe
Token: SeTakeOwnershipPrivilege	3544	wmic.exe
Token: SeLoadDriverPrivilege	3544	wmic.exe
Token: SeSystemProfilePrivilege	3544	wmic.exe
Token: SeSystemtimePrivilege	3544	wmic.exe
Token: SeProfSingleProcessPrivilege	3544	wmic.exe
Token: SeIncBasePriorityPrivilege	3544	wmic.exe
Token: SeCreatePagefilePrivilege	3544	wmic.exe
Token: SeBackupPrivilege	3544	wmic.exe
Token: SeRestorePrivilege	3544	wmic.exe
Token: SeShutdownPrivilege	3544	wmic.exe
Token: SeDebugPrivilege	3544	wmic.exe
Token: SeSystemEnvironmentPrivilege	3544	wmic.exe
Token: SeRemoteShutdownPrivilege	3544	wmic.exe
Token: SeUndockPrivilege	3544	wmic.exe
Token: SeManageVolumePrivilege	3544	wmic.exe
Token: 33	3544	wmic.exe
Token: 34	3544	wmic.exe
Token: 35	3544	wmic.exe
Token: 36	3544	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3564	2404	f62b5a34121584a434d80c62e39e45f6.exe	24
PID 2404 wrote to memory of 3564	2404	f62b5a34121584a434d80c62e39e45f6.exe	24
PID 2404 wrote to memory of 3564	2404	f62b5a34121584a434d80c62e39e45f6.exe	24
PID 3564 wrote to memory of 3544	3564	1431864151.exe	19
PID 3564 wrote to memory of 3544	3564	1431864151.exe	19
PID 3564 wrote to memory of 3544	3564	1431864151.exe	19

C:\Users\Admin\AppData\Local\Temp\f62b5a34121584a434d80c62e39e45f6.exe
"C:\Users\Admin\AppData\Local\Temp\f62b5a34121584a434d80c62e39e45f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\1431864151.exe
  C:\Users\Admin\AppData\Local\Temp\1431864151.exe 2/7/2/2/6/0/6/0/2/9/1 LUlHQjczKjIwFy5RTkBOQ0Q3MB4mTUNNVU1MS0NEOycfLT1HUU5JPj0wLjE1LR4tPUk+PS4XLk5LTUJPQ05fRzs8Ly83MhovTUVQTURQWFNQRj1idHJnOS0ocXBwLj5FUUIsUkhOKztQSi5HRUVNGS1BRkk9S0c7PHUyMzRJUU9LP0pTMkhTN0VHTk43P1FERx4tPjE3MS8nMS8ZLUIsPScxHiZDMTYrLxovPjQ7JDAeKEIzNy0rIC1HUU09U0FOX0pSR01AQVI7HilQTE9CTEJSWENTRkE3IC1HUU09U0FOX0hBSzw8HihDVj9fT1JKNB8tPlZDWUNHREpATUM2Hi1CT01UXTlRTVBRQ0w9KiAtS0c/R0lXSVVZVVBDPB4oVEs3MhovQkowOxktUE9OTklLPF5VPkpBSU0/SUs4RkNOUEo3IClJUVZRU0dSR0dFN3RwbGQeKFBDTlVMTkdFRl1OUUNMXz5BV0o8MBktRkNEP1g7KB8tQlFdPllIQUtAQl0+TEFMWUpUQzs8ZFpqcV8gKURNTk1KSD9CWUlKPTQtLTAtNywyMygyMiofLU1HSz89KzQxKDc1LTEwLiApRE1OTUpIP0JZVENNQzQ0LSo1LSwwKzUoKTkzKzguLipKTR4mVD82S210aWZsXxwxZC4sLiUoUWlsW251bClMTiswLi8cMmAkVU1RNi4lMVkqUmtnYl9ubiUwXTYsKSMxXCtsdiMqYC8qLC4jK2ZpaVwqRV5haWkgKVVQQzxmbXJuHzNbJTBdJDBfZWNuMSgwLygwYl5xZ2FuKGlsXW4jK2RQb25OaWtcQ21wbGppYV5NX2VgZV5wXV5lamxtcCQwXy8yLTEyNzIqMTQeMGReb3FuamZgYmZfbFtnX3IjKWUvLTEvMjcuMzAtJDFfLy4yMS85Lyg1MClYa1BzTmpHaU9rMTFLTkFyTWYsaU08aTBHVD95SGRyN0RSUypLc1ZyRXgyZld4PzFHQ3VlTFI6ZVdkSTJMUWJrVnJtNkZDbWtYO0w3Q1I/Yld0UTZBeDZmWFVma1RHalBhRUoxYVFWdGRVXmtWZkxtU21Qblg7dzFGUk9yUmZCU0lTN01TeExIUERQOlFqR0dMKmhMUmlQa1g/bnNcVF13
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704828746.txt bios get version
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 852
    3⤵
    - Program crash
    PID:2772
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704828746.txt bios get version
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704828746.txt bios get version
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704828746.txt bios get version
    3⤵
    PID:4604

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704828746.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3564 -ip 3564
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431864151.exe

Filesize
8KB

MD5
fd706253f90683b40f4768449839f61b

SHA1
7d87f9d512d79ea4e491b54230c71d63254db44e

SHA256
40fd57c73c77bbcfab4db96591550dcd366f172224243d91da6b47b405806113

SHA512
5604c859b26525e66507ca5f65e28097ca77026bc4bf8d9ee157ed415215d1c5a783a359e84a3c67398068e3cfc13388bf7252012c2b0da8c9ac40c54a5f0260

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704828746.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4874.tmp\abqwqpt.dll

Filesize
152KB

MD5
03857306a9670f71ebf988c65ee9b023

SHA1
fa20b2023641d2b3d5cdf63d64f84e10c4c16d70

SHA256
a29679b9fc7a3bc7a663faa6810cca1dcb6c561d9f9ca49df3c0c12e74abde6b

SHA512
0cb414133ff33b1c88fcb3f350e1266e698801c5037ec10f5886c649c095018ebd67fd2c0d912807c14587eb5a8746e3484c2eff25a244a979269696da48126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4874.tmp\abqwqpt.dll

Filesize
92KB

MD5
096b9f6fdcb619f76932914bb890fd6c

SHA1
5f2025d283ef9e2ae95439d9459a843a0871dd32

SHA256
d563db6d517c8bee9a190ab0d176bb93966e72f32a1c8b17ce94e407411e23bf

SHA512
fabca7e8022a1693bddc025634320447056e4cd61662b35f54e40af6cd065c9a918ddc7c3d2fcb14e000b9cb1740b149d895fd2003edfc17006dcac6ca7b269c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4874.tmp\nsisunz.dll

Filesize
32KB

MD5
7039b6e8250a8987f8fb4a734f433b54

SHA1
11bd994a846da8728aa8f542f93bda40d1fe1150

SHA256
c6e0a27ea23eb08817ce976f3bca46b486e06d43e5b2a81c421867489841d268

SHA512
94437adbfd5bb6f7bd005eef3522660be5e88796bc8fa7d7ca40ee5a81193a9e5228efc2c2bd8488795494e4089812cf448e07eab9a15541ecbcbc94754d07ef

Download Submit

Analysis

Sharing