121dfd22ce9a17034540eca2202372ec95369fa9817c4de9f0eb65f5dbd9e019

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054caeb9d70b530cedc07f8db75a9d19.exe
Size

1.1MB
MD5

054caeb9d70b530cedc07f8db75a9d19
SHA1

1a33f62e16087651172531a3758c44b0d9e9463b
SHA256

121dfd22ce9a17034540eca2202372ec95369fa9817c4de9f0eb65f5dbd9e019
SHA512

b96bf358d6f0b24332de73f359d183058dda7a254f904b9a5861495eb4cd8527b93f5178a0923e8e98a26a68142f891502443ed0f6a8b99cf8d82b9bbbdf4005
SSDEEP

12288:kMiy4IadS4ms5I6e66fEheKhXsNtnQvMLOOar7nXDyyrwlKRtE9hTEnY54HIXjl+:kbSaE4mvt/Sunbx4beyA914o5/1duhf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	054caeb9d70b530cedc07f8db75a9d19.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	File.exe
3176	1431518523.exe

Loads dropped DLL 2 IoCs

pid	Process
2680	File.exe
2680	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
396	3176	WerFault.exe	94

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	054caeb9d70b530cedc07f8db75a9d19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	054caeb9d70b530cedc07f8db75a9d19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	054caeb9d70b530cedc07f8db75a9d19.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
432	054caeb9d70b530cedc07f8db75a9d19.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	054caeb9d70b530cedc07f8db75a9d19.exe
Token: SeIncreaseQuotaPrivilege	3088	wmic.exe
Token: SeSecurityPrivilege	3088	wmic.exe
Token: SeTakeOwnershipPrivilege	3088	wmic.exe
Token: SeLoadDriverPrivilege	3088	wmic.exe
Token: SeSystemProfilePrivilege	3088	wmic.exe
Token: SeSystemtimePrivilege	3088	wmic.exe
Token: SeProfSingleProcessPrivilege	3088	wmic.exe
Token: SeIncBasePriorityPrivilege	3088	wmic.exe
Token: SeCreatePagefilePrivilege	3088	wmic.exe
Token: SeBackupPrivilege	3088	wmic.exe
Token: SeRestorePrivilege	3088	wmic.exe
Token: SeShutdownPrivilege	3088	wmic.exe
Token: SeDebugPrivilege	3088	wmic.exe
Token: SeSystemEnvironmentPrivilege	3088	wmic.exe
Token: SeRemoteShutdownPrivilege	3088	wmic.exe
Token: SeUndockPrivilege	3088	wmic.exe
Token: SeManageVolumePrivilege	3088	wmic.exe
Token: 33	3088	wmic.exe
Token: 34	3088	wmic.exe
Token: 35	3088	wmic.exe
Token: 36	3088	wmic.exe
Token: SeIncreaseQuotaPrivilege	3088	wmic.exe
Token: SeSecurityPrivilege	3088	wmic.exe
Token: SeTakeOwnershipPrivilege	3088	wmic.exe
Token: SeLoadDriverPrivilege	3088	wmic.exe
Token: SeSystemProfilePrivilege	3088	wmic.exe
Token: SeSystemtimePrivilege	3088	wmic.exe
Token: SeProfSingleProcessPrivilege	3088	wmic.exe
Token: SeIncBasePriorityPrivilege	3088	wmic.exe
Token: SeCreatePagefilePrivilege	3088	wmic.exe
Token: SeBackupPrivilege	3088	wmic.exe
Token: SeRestorePrivilege	3088	wmic.exe
Token: SeShutdownPrivilege	3088	wmic.exe
Token: SeDebugPrivilege	3088	wmic.exe
Token: SeSystemEnvironmentPrivilege	3088	wmic.exe
Token: SeRemoteShutdownPrivilege	3088	wmic.exe
Token: SeUndockPrivilege	3088	wmic.exe
Token: SeManageVolumePrivilege	3088	wmic.exe
Token: 33	3088	wmic.exe
Token: 34	3088	wmic.exe
Token: 35	3088	wmic.exe
Token: 36	3088	wmic.exe
Token: SeIncreaseQuotaPrivilege	784	wmic.exe
Token: SeSecurityPrivilege	784	wmic.exe
Token: SeTakeOwnershipPrivilege	784	wmic.exe
Token: SeLoadDriverPrivilege	784	wmic.exe
Token: SeSystemProfilePrivilege	784	wmic.exe
Token: SeSystemtimePrivilege	784	wmic.exe
Token: SeProfSingleProcessPrivilege	784	wmic.exe
Token: SeIncBasePriorityPrivilege	784	wmic.exe
Token: SeCreatePagefilePrivilege	784	wmic.exe
Token: SeBackupPrivilege	784	wmic.exe
Token: SeRestorePrivilege	784	wmic.exe
Token: SeShutdownPrivilege	784	wmic.exe
Token: SeDebugPrivilege	784	wmic.exe
Token: SeSystemEnvironmentPrivilege	784	wmic.exe
Token: SeRemoteShutdownPrivilege	784	wmic.exe
Token: SeUndockPrivilege	784	wmic.exe
Token: SeManageVolumePrivilege	784	wmic.exe
Token: 33	784	wmic.exe
Token: 34	784	wmic.exe
Token: 35	784	wmic.exe
Token: 36	784	wmic.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2680	432	054caeb9d70b530cedc07f8db75a9d19.exe	91
PID 432 wrote to memory of 2680	432	054caeb9d70b530cedc07f8db75a9d19.exe	91
PID 432 wrote to memory of 2680	432	054caeb9d70b530cedc07f8db75a9d19.exe	91
PID 2680 wrote to memory of 3176	2680	File.exe	94
PID 2680 wrote to memory of 3176	2680	File.exe	94
PID 2680 wrote to memory of 3176	2680	File.exe	94
PID 3176 wrote to memory of 3088	3176	1431518523.exe	93
PID 3176 wrote to memory of 3088	3176	1431518523.exe	93
PID 3176 wrote to memory of 3088	3176	1431518523.exe	93
PID 3176 wrote to memory of 784	3176	1431518523.exe	103
PID 3176 wrote to memory of 784	3176	1431518523.exe	103
PID 3176 wrote to memory of 784	3176	1431518523.exe	103
PID 3176 wrote to memory of 1008	3176	1431518523.exe	97
PID 3176 wrote to memory of 1008	3176	1431518523.exe	97
PID 3176 wrote to memory of 1008	3176	1431518523.exe	97
PID 3176 wrote to memory of 5080	3176	1431518523.exe	102
PID 3176 wrote to memory of 5080	3176	1431518523.exe	102
PID 3176 wrote to memory of 5080	3176	1431518523.exe	102
PID 3176 wrote to memory of 2440	3176	1431518523.exe	101
PID 3176 wrote to memory of 2440	3176	1431518523.exe	101
PID 3176 wrote to memory of 2440	3176	1431518523.exe	101

C:\Users\Admin\AppData\Local\Temp\054caeb9d70b530cedc07f8db75a9d19.exe
"C:\Users\Admin\AppData\Local\Temp\054caeb9d70b530cedc07f8db75a9d19.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\1431518523.exe
    C:\Users\Admin\AppData\Local\Temp\1431518523.exe 0/7/4/5/0/5/5/4/8/3/4 L0lFPz0sLiwvMBwvTFE9UEQ/OSgdK04+UFJPTUZFPDosIChARFNPREA1LjQ1Ly8bLz5EQDUtHC9JTkpEUD5QV0ZAPSwvLTUbKk89T1JFS1tQUkc4ZGxxbDooK25ycSlAPVBHLU1LSy08S0wmRkpGSBwqQ0dEP0NGQD0vUiwwY0BEXFZlIChALD1JUEk6Qk4gKEAtPSgsHCdBLz0mLRsvPy85JS4cLz0xOC0sGytIT0tETj9PX0tNRU4+P1k2HCpQTUpATUBQXz5RR0E4GytIT0tETj9PX0k8ST06HC8+VEBfUE1INR0rRVFBWkNIP0hBS0E9GStDT05PWzpPS1dMQU09LRsrTEU9TkRVSlVaUE5EOhwvT0k4MhsqQEsuOSAoTlBOT0RJPVxTRUU/Sk1AREk5REFVS0g4ICpET1dPUU5NRUhFOG9ubWIcL0tBT1VNSUVGRFtVTEFNXz88VUs6LiAoREREQFM5KR0rSUxbP1lJPElBQFtFRz9NWUtPQTw6YmFlb2AgKj9LT0tITzpAWklLOC0vNCoxLjEpMTI0KikwNCAoUERNQDgtLDAtNSwwMjIxGys8TFNORUs8RFpPRUVCOTUoLS4vLSstLScwOiwuNTAxJUxFHStVOjlIb3VkaGReITJfMSkwJiNTYWtgb3BvJk5PJjImMCEzWydST1IxMCEoPXBpaGBXYF1HYXEhMl8xLjcpLjIjJUdITUlHJS1eJ2RmZ2UkQ2BjZmolI0BkcmhpYCUtYTApKywuKy4yMikyMiNQXWZabmQlLWExKzQqMy8cKlVNRzlgcXBwHi9cJS1hISpjY2VtKnBwLC0uLitlbl9rIDJhTXFmUWVtXkBqd2lna1lhSWFnXWJlbVpgXW1ob3IhLWYsLy8pMi80MC4sJS1hLSwwLTUsMDIyLCAuXi4wMyoxLjQyLS0dMGIzKi0vOTEtLykvLlpATnVNTzwxWmdrd0ZPLzBIZFJfSz9zK0llVXNFQ2M1SWkxbEd5TW1MOzFnWU09M1Nmc0RJQkZSQ0NBcFxCRmZWQjQwSSxVcUdpTkJOMjtNVHlNaFVlLm9PY0FnZGg9bUd2NA==
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908096.txt bios get version
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908096.txt bios get version
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908096.txt bios get version
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908096.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 956
      4⤵
      Program crash
      PID:396

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908096.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703908096.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703908096.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703908096.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5247.tmp\nzhwgiu.dll

Filesize
153KB

MD5
f10c402fbfc9943ab636c7210c2244dc

SHA1
446e86eb4f7537ca83e6b0eecf2588d1d2bdd2af

SHA256
5c2b117014d669f9304f2467f2ab6b492a4fd90ddae0ed779877cd0f507da25c

SHA512
ad2c9e2bd2b0295c7d8168560d1947d1d007afb5622e4802b5a813b585e4ced7fee935502482bd58c956b7b0a4541ca04fdcb3960c996b29637ba3db4e306f29

Download Submit
memory/432-1-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/432-0-0x00007FF974B10000-0x00007FF9754B1000-memory.dmp

Filesize
9.6MB

Download
memory/432-17-0x000000001BCD0000-0x000000001BD48000-memory.dmp

Filesize
480KB

Download
memory/432-92-0x00007FF974B10000-0x00007FF9754B1000-memory.dmp

Filesize
9.6MB

Download