2dc58b31ddd1ab485f4c2327fb73c513efa9775486503a00656cd364a4c59361

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046db1aeae13d2d94b9a7c0e993ad9f9.exe
Size

648KB
MD5

046db1aeae13d2d94b9a7c0e993ad9f9
SHA1

21d36be14de2bf33e641401cd6b74bf573fd8b78
SHA256

2dc58b31ddd1ab485f4c2327fb73c513efa9775486503a00656cd364a4c59361
SHA512

167b3b9cdfe4f841eba5d7955c7c90a3a45aa610a6322b4925726750156e3fd76d31b5ff44fb340636cddf7446203b0ea53026e2a352406c2a8e9bb89ec404ca
SSDEEP

12288:2Qk8Fs2pPcx5AL6AnR9SUCnp4XS3h1GvLzZUBlG7BAJ0+bcqc7Db:2QtVPcHq609LqKSR1QZtt+bk7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	1430995618.exe

Loads dropped DLL 11 IoCs

pid	Process
2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe
2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe
2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe
2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	2784	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2840	wmic.exe
Token: SeSecurityPrivilege	2840	wmic.exe
Token: SeTakeOwnershipPrivilege	2840	wmic.exe
Token: SeLoadDriverPrivilege	2840	wmic.exe
Token: SeSystemProfilePrivilege	2840	wmic.exe
Token: SeSystemtimePrivilege	2840	wmic.exe
Token: SeProfSingleProcessPrivilege	2840	wmic.exe
Token: SeIncBasePriorityPrivilege	2840	wmic.exe
Token: SeCreatePagefilePrivilege	2840	wmic.exe
Token: SeBackupPrivilege	2840	wmic.exe
Token: SeRestorePrivilege	2840	wmic.exe
Token: SeShutdownPrivilege	2840	wmic.exe
Token: SeDebugPrivilege	2840	wmic.exe
Token: SeSystemEnvironmentPrivilege	2840	wmic.exe
Token: SeRemoteShutdownPrivilege	2840	wmic.exe
Token: SeUndockPrivilege	2840	wmic.exe
Token: SeManageVolumePrivilege	2840	wmic.exe
Token: 33	2840	wmic.exe
Token: 34	2840	wmic.exe
Token: 35	2840	wmic.exe
Token: SeIncreaseQuotaPrivilege	2840	wmic.exe
Token: SeSecurityPrivilege	2840	wmic.exe
Token: SeTakeOwnershipPrivilege	2840	wmic.exe
Token: SeLoadDriverPrivilege	2840	wmic.exe
Token: SeSystemProfilePrivilege	2840	wmic.exe
Token: SeSystemtimePrivilege	2840	wmic.exe
Token: SeProfSingleProcessPrivilege	2840	wmic.exe
Token: SeIncBasePriorityPrivilege	2840	wmic.exe
Token: SeCreatePagefilePrivilege	2840	wmic.exe
Token: SeBackupPrivilege	2840	wmic.exe
Token: SeRestorePrivilege	2840	wmic.exe
Token: SeShutdownPrivilege	2840	wmic.exe
Token: SeDebugPrivilege	2840	wmic.exe
Token: SeSystemEnvironmentPrivilege	2840	wmic.exe
Token: SeRemoteShutdownPrivilege	2840	wmic.exe
Token: SeUndockPrivilege	2840	wmic.exe
Token: SeManageVolumePrivilege	2840	wmic.exe
Token: 33	2840	wmic.exe
Token: 34	2840	wmic.exe
Token: 35	2840	wmic.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2784	2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe	28
PID 2964 wrote to memory of 2784	2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe	28
PID 2964 wrote to memory of 2784	2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe	28
PID 2964 wrote to memory of 2784	2964	046db1aeae13d2d94b9a7c0e993ad9f9.exe	28
PID 2784 wrote to memory of 2840	2784	1430995618.exe	29
PID 2784 wrote to memory of 2840	2784	1430995618.exe	29
PID 2784 wrote to memory of 2840	2784	1430995618.exe	29
PID 2784 wrote to memory of 2840	2784	1430995618.exe	29
PID 2784 wrote to memory of 2564	2784	1430995618.exe	32
PID 2784 wrote to memory of 2564	2784	1430995618.exe	32
PID 2784 wrote to memory of 2564	2784	1430995618.exe	32
PID 2784 wrote to memory of 2564	2784	1430995618.exe	32
PID 2784 wrote to memory of 2624	2784	1430995618.exe	34
PID 2784 wrote to memory of 2624	2784	1430995618.exe	34
PID 2784 wrote to memory of 2624	2784	1430995618.exe	34
PID 2784 wrote to memory of 2624	2784	1430995618.exe	34
PID 2784 wrote to memory of 2904	2784	1430995618.exe	37
PID 2784 wrote to memory of 2904	2784	1430995618.exe	37
PID 2784 wrote to memory of 2904	2784	1430995618.exe	37
PID 2784 wrote to memory of 2904	2784	1430995618.exe	37
PID 2784 wrote to memory of 2940	2784	1430995618.exe	38
PID 2784 wrote to memory of 2940	2784	1430995618.exe	38
PID 2784 wrote to memory of 2940	2784	1430995618.exe	38
PID 2784 wrote to memory of 2940	2784	1430995618.exe	38
PID 2784 wrote to memory of 1632	2784	1430995618.exe	40
PID 2784 wrote to memory of 1632	2784	1430995618.exe	40
PID 2784 wrote to memory of 1632	2784	1430995618.exe	40
PID 2784 wrote to memory of 1632	2784	1430995618.exe	40

C:\Users\Admin\AppData\Local\Temp\046db1aeae13d2d94b9a7c0e993ad9f9.exe
"C:\Users\Admin\AppData\Local\Temp\046db1aeae13d2d94b9a7c0e993ad9f9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\1430995618.exe
  C:\Users\Admin\AppData\Local\Temp\1430995618.exe 6#2#3#9#8#5#0#7#0#1#2 KU5GOzUsOSw2Mh4pUVI5SERENjAfLUhDUU5HTUtCRDwvHzAtZ2pqZG5jc2xba2I0SmBpZmFmYxotQUBLT0k9PTE1MS8vFyc+ST09Lx4pTk9GPFBDTV9IQjcwMzAsLiAoU0RQUENPVk1NTDZoc3JqOCwma212J0REUUUrUUZIKEFJUC1HSERMFyc+TEJDSkc+Ox0mPCw9JjEfLT4wOiQpGy89MzwrKx4sOyw4LSogLkIvOyooGCpQS09DUz1SXEdKRFY6Q1g7Gi1NSUc/VTxUXkNPSj40GCpQS09DUz1SXEU5SEU2IC5DUkNcTEpHPRkvRFY/XUBEPEdJR0U8HilGTEpMWkJLT1ZRP1A6LBgqVEFBTUlTTVJWTU1MNiAuVEc7LxcnP1MqPR8tTFNLS0FIRVhXREo9TUo8QUhBQEVUUEY7HSZBTl9LVU1SQ0tCNGxtdV4gLlA/UlJJRkROQF9UUT9QXDs5VFM2Mh8tQkdBPFA4MRkvSFFZQlZFOUhJPF9ETD1QVkdMQEQ2ZmBqbWMdJjxKV0dMTj8+XUZHNSw3MS44MSgxKysrGy9NSUxDNy8xKiksNys1MzUaLUFGT0lMSEFDXU5HSjw1MC8yLzEuKzMnKCk1NS46MzUkP0oXJ1BBNiAuU0xKOl9sb3AeM2AjLGQiKV5iZW1yLWRjamIvXGBzZHRubihhbGQdLWZLdW1SY2tiO2dybmVvYGJHX2tYX2ByWGRkbmZtdhwqYTIrMjEwLDAvKSotMisyJDBgYmxuZmdvWmRsX2hfZFxqIDJfZ2RyLzQiKl5rJSxkMDctNDAcKjFkHjNjMDE1LikdLTZlJTJiLDQ2KysgMi9uJDFeLyhnampkbmNzbFtrYhwrX1JeaWxfYWMiKS5haWVlbV9nYyIqXE1lYm1gZV8=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703916433.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703916433.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703916433.txt bios get version
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703916433.txt bios get version
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703916433.txt bios get version
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
192KB

MD5
b621d0187af4b1867b2462c36f8e3dcf

SHA1
52e85624a6abe0872a1fe12d889ac75d85c3e3d8

SHA256
22f43d801ed1f17b4c6d02216c5bb8e8f615d715535b64c2b69f6b22afd99057

SHA512
ffccac9c960708017e1ce5d539a6acdddeb4107a9806ea8f273e7e33d9eee600048cdbf82888ac87e7942166812295be2cbe0b24140567b57224c34226557d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
92KB

MD5
ffcd0b6903a05940a25526bdedddf4c6

SHA1
96c7b2ee2d3c70e1b25e7b67ecbfb15152aa497b

SHA256
378428e139ad2d821a29b48c29ff8f41fae3798dc181411528940484554b68a3

SHA512
c84642e7fcb6d1a000f430d80a7d4e1e019043305bcbf016ba7da400e4d00b626322999dd3aee9d8c859909e81feb7e505f16ed338fe22ced9dfd908f7c2d69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703916433.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703916433.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703916433.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5BA8.tmp\eqtyact.dll

Filesize
153KB

MD5
579e648da79a708b00d8bb322865a4fa

SHA1
f645f2e6280a97d6ba2e3226095620cc4a9024e5

SHA256
04e0e019fb9fa13892e12dd64703f7c2852cb2a82aa4e6e2252965ce334f18d8

SHA512
cf28629517d136dc850c573b0e67d01ca3694158488d2840904ff4244aa848595b4fabea606dd0929f936c6fa149c534a26d24b62b4e7648771e012b93781f15

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
640KB

MD5
13bc52d6789aeb38177cc9d000ae9437

SHA1
363195ba52e5ece29012363a08e5d356ac25f47d

SHA256
1bf4d62c71a0bc73c8b7176c5df603647ed0db79c6aa0f7ec87d7c631ba598cd

SHA512
9e059311a9553b36198e942ff9645e457c33c8aba0a257a94652f022215da7f1b47962710acc629cb14f43db5e428c93d5b25842f9327287f5df7a2614122cb4

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
128KB

MD5
ea789dc7f922feb319702de8553b9f80

SHA1
090b9e682967067dc3d1b265164bbaa623eeae56

SHA256
617b20c68375fba6dcec04b035144d77db796ee20284cff4d78675e70bb189c2

SHA512
a078c02c25bd2f37a7485cd36eb0ed842a38dec965ab905bebcc7c20d0dba7d4d95ec3599e0e12477f3ee2e7bd1fd095131f06041b409f39575f92b2dfc5c3d0

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
27KB

MD5
3f30f1159151e2920278e76ace931244

SHA1
b7a8f9ec31be32468eb3ca7d24583d2a75bf3558

SHA256
eadb5741a61dcda498a189e66a1889ce447f52387b553cfa4d47ac82d545dc68

SHA512
437c3eaabac40f058aff6a12425caa54bd6816773242658b5f07b480d64ea203848e21608161c40d25b4172ffd71155e70195b230b5d8efea3c5714c3a7fbc84

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
52KB

MD5
fed8f7f3ac052aad729d827ec28bd858

SHA1
aa994630795b265adacba63f02114c6b2cf21c52

SHA256
e3b80c9931b215fdf9771e84f3722befc3c93ba113abe329d41041a61bf5f7b4

SHA512
f5cac2a755d8be69f8b75718c2ebd98a89da45cd7761317e8998c8919b5f6bae4544b639db46b39acced14e9de566dcb73e1ba42bae7b12b74585255bb0ad589

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
28KB

MD5
f692b976ad84a597f8805a940a2175ed

SHA1
e663c098b5c177d87376a21befc29ec832ec02d4

SHA256
3649138e162d5784c9a4d2f7fe778a381ccff0d0589115b300713ce1f84e0ef2

SHA512
d0ecd011b2e34da37184e19998f28da49daade3e456b63b1989e3f21dee69206f554fb3cf86ed67c4426270b37d13d5fafd36654b131a0cdd8fcade2cf414478

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
43KB

MD5
9581b92f7c7cc8608a6db55e724575d1

SHA1
8c57d505cfcbf25eac7e86b7b71198766be1b33d

SHA256
c78ef9b57dd66424017f4ab06b7324e7cb6fb8c5b162ff15f5bf0350e71fc690

SHA512
75221cfcca2571aa45f26cbe962cea343be6cdbca203431af56ac358402de37bdae662e9bf90015d3be8eb77ba91346d83660210531486dcf0fa2ecfcf6ffe51

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
45KB

MD5
fed907f7bdf41c43a9cafc0c45cae173

SHA1
7b681351cd2ae01cfaf4fa583fa9ae8fd289abe8

SHA256
a834f596d54ed7eead9f81b8ed27114dbca10f3ee89257da68e5cb696f1e9f85

SHA512
e9646fbbb3ae4b96210963079d391d102d9dd27bf2dc59dfda8353cc3d15af4823a40eb112b4e135c2d262672b8f590682202c35de8c0b64da46e6da554d355e

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
40KB

MD5
ff7776050787c18b3c2043152c67ad7e

SHA1
7c832d905c4bf727eb76162fe524912eff64339b

SHA256
27c05a6584d5060a18c92982eeb31c88ff426f20a25ba45eed818015b3aa482c

SHA512
cd84fc2db2816656e5785cadb21c41d6fa165ed12f4bcc341af002358837fca465b30f5b0edadbd07a7ae32aa2ad8d2c51f08acabeec6b36db0ec9fdd9b94112

Download Submit
\Users\Admin\AppData\Local\Temp\1430995618.exe

Filesize
136KB

MD5
6be818e8344d46cf64cb59db98056a7f

SHA1
9be4126d96511e20440b0e43e8fc86f6fce2cdd2

SHA256
5480a4db41d9b1724275680f5f9e8b581f626c39f08cd2e4e9f30dc04dd89c8e

SHA512
7a52522f387b1c0fe3d190e7c4a765b78fba05c42bd27aa815e8fe4e3f609002b669534e43a4c98d96cefd1f8dabcf1c5a7fab247d9b4f0fdd177510eeaf6bb3

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5BA8.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit