04a6be233b972390e7df3f355015976dfcab66c581aebb2fb6153c569dbd8824

Analysis

max time kernel
2s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06aba9e95708b03bb8ee137f74004be9.exe
Size

674KB
MD5

06aba9e95708b03bb8ee137f74004be9
SHA1

267bc1c126e088e830023c574a7900786ab407e7
SHA256

04a6be233b972390e7df3f355015976dfcab66c581aebb2fb6153c569dbd8824
SHA512

f0b57f643acbe88012e94c39ecd3307d1803d0fd5d067900fdb038314ec4c6ce792036eaf5650bdcae5b6673a39286d7c5803f886e71ff2f256e624a9090ff75
SSDEEP

12288:MAZbA7W1lz0wdsDQ4ppCOVsmWxnPXC+UpSb6/9ulv96Rg63FS:MAZbBz0wCsatWxnf4kg9ulF6m6Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	1430995632.exe

Loads dropped DLL 4 IoCs

pid	Process
2408	06aba9e95708b03bb8ee137f74004be9.exe
2408	06aba9e95708b03bb8ee137f74004be9.exe
2408	06aba9e95708b03bb8ee137f74004be9.exe
2408	06aba9e95708b03bb8ee137f74004be9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	2740	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2876	wmic.exe
Token: SeSecurityPrivilege	2876	wmic.exe
Token: SeTakeOwnershipPrivilege	2876	wmic.exe
Token: SeLoadDriverPrivilege	2876	wmic.exe
Token: SeSystemProfilePrivilege	2876	wmic.exe
Token: SeSystemtimePrivilege	2876	wmic.exe
Token: SeProfSingleProcessPrivilege	2876	wmic.exe
Token: SeIncBasePriorityPrivilege	2876	wmic.exe
Token: SeCreatePagefilePrivilege	2876	wmic.exe
Token: SeBackupPrivilege	2876	wmic.exe
Token: SeRestorePrivilege	2876	wmic.exe
Token: SeShutdownPrivilege	2876	wmic.exe
Token: SeDebugPrivilege	2876	wmic.exe
Token: SeSystemEnvironmentPrivilege	2876	wmic.exe
Token: SeRemoteShutdownPrivilege	2876	wmic.exe
Token: SeUndockPrivilege	2876	wmic.exe
Token: SeManageVolumePrivilege	2876	wmic.exe
Token: 33	2876	wmic.exe
Token: 34	2876	wmic.exe
Token: 35	2876	wmic.exe
Token: SeIncreaseQuotaPrivilege	2876	wmic.exe
Token: SeSecurityPrivilege	2876	wmic.exe
Token: SeTakeOwnershipPrivilege	2876	wmic.exe
Token: SeLoadDriverPrivilege	2876	wmic.exe
Token: SeSystemProfilePrivilege	2876	wmic.exe
Token: SeSystemtimePrivilege	2876	wmic.exe
Token: SeProfSingleProcessPrivilege	2876	wmic.exe
Token: SeIncBasePriorityPrivilege	2876	wmic.exe
Token: SeCreatePagefilePrivilege	2876	wmic.exe
Token: SeBackupPrivilege	2876	wmic.exe
Token: SeRestorePrivilege	2876	wmic.exe
Token: SeShutdownPrivilege	2876	wmic.exe
Token: SeDebugPrivilege	2876	wmic.exe
Token: SeSystemEnvironmentPrivilege	2876	wmic.exe
Token: SeRemoteShutdownPrivilege	2876	wmic.exe
Token: SeUndockPrivilege	2876	wmic.exe
Token: SeManageVolumePrivilege	2876	wmic.exe
Token: 33	2876	wmic.exe
Token: 34	2876	wmic.exe
Token: 35	2876	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2740	2408	06aba9e95708b03bb8ee137f74004be9.exe	30
PID 2408 wrote to memory of 2740	2408	06aba9e95708b03bb8ee137f74004be9.exe	30
PID 2408 wrote to memory of 2740	2408	06aba9e95708b03bb8ee137f74004be9.exe	30
PID 2408 wrote to memory of 2740	2408	06aba9e95708b03bb8ee137f74004be9.exe	30
PID 2740 wrote to memory of 2876	2740	1430995632.exe	28
PID 2740 wrote to memory of 2876	2740	1430995632.exe	28
PID 2740 wrote to memory of 2876	2740	1430995632.exe	28
PID 2740 wrote to memory of 2876	2740	1430995632.exe	28
PID 2740 wrote to memory of 2816	2740	1430995632.exe	33
PID 2740 wrote to memory of 2816	2740	1430995632.exe	33
PID 2740 wrote to memory of 2816	2740	1430995632.exe	33
PID 2740 wrote to memory of 2816	2740	1430995632.exe	33

C:\Users\Admin\AppData\Local\Temp\06aba9e95708b03bb8ee137f74004be9.exe
"C:\Users\Admin\AppData\Local\Temp\06aba9e95708b03bb8ee137f74004be9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\1430995632.exe
  C:\Users\Admin\AppData\Local\Temp\1430995632.exe 8*6*2*3*8*8*5*3*8*8*7 J0pHQTUpMy0wKhknTVM/SEE/OigYKEY/UlRHSkZGPDUqGClCRktMREE1KjAwMy8dJztEQTUoGSdKUEw8TT5RV0E9NSwxLykvGyxLPUtOP1BcTUpHOmBsbWg0LSxranErPD1MQydSTEglPE1IJkJGQE0dJztHRjtDQjw3Hiw8KTgqKRgoPCw7KikYKkErNSYpGi1BLDUoLhgnPS03Ky4YJ0tPRzxOO05dTUpBUT47UTYYKU5PRzxQQExXPk1GPzoYJ0tPRzxOO05dSzlFQDo5XGhaXyMvKD5nXmtgHioqTmlZcWBvGCc+UD9dUkpEOGVsbGkyKS1tXmYpYWReb2FuLGBnZSpgallwZF9iXGtnYXEnKigqKWdhaF4oY2pdXmtpLi4oci8yXVopKVw3Ly4tLGEoKjErKmMvWVksMisuW1tfMTZdJWpybCUuLS5jMipZLzIoXSkpMywwLDAtMy0sMCVdZm9nZWAqYVxpXikwLzAsMzUlLjAuMjA2JVlfbFpdJl5mX3BgJWtpWXFeaihjdV0YKkJQPVg7R0JJQUZAOhgnQUdNUlw6SkpUSz1LNSweLExAPEtDUUhNWVNPRDVjcWxoMycpcmVZZmZwJl5rXV9xbF5sbnFnal4qKGFsZSdka1xdcSZqZm03XGg6XmpeXWdubzEmYW9dXWxnYHJwbGdtYiZbaGUgbmhvNUFPPT1MR0BSUExHTUI7R0YeamU6OVxqX10dKyhAal5rYCAvKEhlWXNjbx5nYjpFOU1HR1cjYWZucVlkZV1sOzYYJ1FKNSoZJz5RLjU+TUI9S0goKy5XLC1gXygpWzEsNDIpXCsvMCspXSxfXiktLjNaW14rM2MdJ0pQS0xBRj1ZVUJEO0pKPUFGOUFDUkpEOB0nQUxXTFNLTEFIQjVsa21fHixKPU9SSkZCRkFdUks9TVw8OVJLNzAdJ0BEQT1QNikaLUZLVz9WRjlGQT1dQkY7TVZITD48N2ReZGtgHSc8SE9ISkw5PFpGSDUyKygvNTEmLjAmKSkrGi1RQUVAOiksLCkrNzMvMTMdJzxIT0hKTDk8WlFBRT41Ly02JyorLi0iLzItNzctMCVNRRgoTU1DT1c5QkJGTDZHb3I/amdycF0dKyhnX2tZX2BvHSopIGBnb11eanUhGChNOztKZ3JkaWRZHipgMysoIyNUYWZdZ3FxKEZMJjMmKR4rXClUR08xMSEjOmhqamJPXV1IYWweKmAzMC8mLjMjIERATktJHSpeKGRhZF0lRWJbY2omIzthamlrYh0qYTEqJikmLDEuKSYsMC0jTFlgX29hHS1jLSswJi00HSdNTUk1YG1saiMwWR0tYx0qX19fcm8mXmRpXTBdXW1pcWdoKWBnZR4qYFByZkxkal08aG9oamxZXEheZllgXWxdYV1oZ2xxHSteKzMvKy0rLisxLR0sZEFnb2lpZ1ldZVtsXl9dbSIqXmBdbjQzHSthbR0rXSkyLjUqHS0zXB0sXCw1NTEpIC8uZB4rXjAwKikyIiouZx0tYi4dKjFtamddbV1ya1llYCIrXD1ncWxpZ1lfKEVZZ1lhY28dKjFicF1uamYjMFxgb3FoHSxZHzBjHSphbV5mJ1xmZHNhbClgZ2UeKmBhb1lvZ2JcV2xnYHIiKl4tIipeKx0sZGZcaGEqXmpeXW1tLSkodTEtXVsoK2A2Ki4wLlwoKzAtLmIqWVwuLSsvWl1jMDFdKGxtbCYtLzJiLSpcMS0oXigrNysrLDMvLi0tLydhZWpnaGIlYV1oYCMvXiotNSwwMSUwNTMwKjQqWVxoWl8rY2RZbmUlaGVZc2NvJl1zYh0qL1xzbF5lYV5rWWVeHS1iPlxnXWIjPmVZbWYoSGRcdl1qHiowUSIrXEFPPT1MRyovLVIsMGJaKCpaMzAzLSlfLSowLChfMF5ZKTAwLlpcXS03Yh0qMXJZHSxcSXNxOmpqdGtdJGVbbF5fXW0oIF5ial9kbHAhIC8ubHJtbGoiK1xjcWxoHitbIy9eHS1jbGBaZmVxK15qYGJrZ19sbXJsal0tK1tnZh0sZGZmXGB1JmhhaB8xY1xlIDBcXmtdX2ttajEpY2pdXmtpZHFrbGpvXSZcZ2cjLy5oZnQdK10+TENCS0dBUUtMSEo/QUxFHS0zaF8eK14/YWdaYCIqLSstLC5DZFluZR0qLiovMC1IZFx2XWoeKjBtZB0rX0o5TEhFUyMvLmFpcGxZZWRfcCIrXDQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919340.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919340.txt bios get version
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919340.txt bios get version
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 372
    3⤵
    - Program crash
    PID:2932
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919340.txt bios get version
    3⤵
    PID:2596

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919340.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
1KB

MD5
39a0a4574f2a82861d0498bfb99d7bdd

SHA1
a29bbe8ac71d1f4c27be11c19819ff8ae2a40e39

SHA256
06e95120cc25020f001a50c7dfdb4356722c6e6f1f88d8b85102602e39541a71

SHA512
be7713b33a34a6d74b02ff5253f97df14b53a7ea2bb8add740eb7df455eb09a1bef0a035045caf5bc1dfa53a6704cd7c1d611fd1c4eea4aed6a38c08751c43e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
37KB

MD5
4d668f7e6d134d9f363c0d98c9de14ed

SHA1
dc043c1146269b2356f2fd7ee04efae64b511f9c

SHA256
fb464b0eb45cfe81665bf0d0b4820262a2bd341dc3fef56f11afb3f9de152815

SHA512
b099ee9b4acf89c7213f8ff9ee0656a4f8f3052186bf5d7d1ad46e329dc4985af5917dbe20d0df3b542a91b6266f7b362023e15e3ddb9e9d2fc619fb087cc3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703919340.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703919340.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703919340.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst36DA.tmp\epswgem.dll

Filesize
10KB

MD5
f09b2ed1628c07facabb6864e0a0adfb

SHA1
f2a2422a29cc26ddbcd6e493e0f087268ceceb0c

SHA256
e785335f60d32c59a991f74ec811081d3473193854afdcf24c35732e38813baf

SHA512
31c99f43f761d472c02bb6a533a26db8903308f134a6a58ab8af3dafeb44638b4033dbf44947d17d62f4e04b628c4c86788e97b948f899366cb544671fa00261

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
12KB

MD5
288e8670e4aa1b5f90bd43951fb81b5a

SHA1
1f63b0f4193a37f009ae36ee5847f9b9d0d7e6f5

SHA256
c723214fff3d6fd9898876f740df52a31d49273529d73447c283c850f7e2d113

SHA512
c401b3f888819309565e6d38fa37cb679d5c7cf242ca4ee7cb3c6d06d41dbd697ee5906d83057721e638905705d112bc83adb8eabd75805d24b58d6baafabb60

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
8KB

MD5
fb48f90158792ee8f8c497efb5c7dfe8

SHA1
07a95bdad77ab88e48ca3449e709fac6851a285e

SHA256
48cfadc75734bd282fa53d87f888d819203ff412dca443e5132273517081dfce

SHA512
f15d5dc4bfa12f6244f65d7d2d39a2d227f2c88a111fef8a3a7ff9fb8dd0013005fea787c9c8af0c68e714eda09ae40e5e188ca0696e19cbf98d6d9c6172a9d9

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
85KB

MD5
cf827559ccd6d6c91d8737ed0c2c135b

SHA1
dc5203d8359cbec2f386849c70e43842618dbb2d

SHA256
89c88b96dcc6dc56f530f2145c2d292390df470f867a45ceca49c9373a133674

SHA512
3a4abb4965fc648eaa60fe6621a14c2434594dc1b621ae0f7b85ad3a2c1db3c15f61e93d744319780a5682091939787b155bb3e969ad2c161a54c6d3c60f3104

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
104KB

MD5
8ad86b9c7d1663525cebad7410644ca3

SHA1
226257787b19419e1590640000c68215b7b9d3f0

SHA256
96940fc084cb8d3c48daec769ab42619edca774b3c59ca6a102ff1ad75ad85a5

SHA512
c02506b68ac22d04b6f74931421df5bdc22e428be1a1a8c185cb6bc54e5558c3b633cb36cb52d959fb29fe91a7e7983989430e4ff8f7bb482a2c8ca44aa7b75e

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
8KB

MD5
b6b8e77edc8cfadc310b98b5088850c7

SHA1
a078f61981a6cfd90ce69fdb9d0b92ce3f07ef13

SHA256
58d98ec8f2bfcf13ee415841a38fb5d92e83fa6a51c10a269015f71f4821c11b

SHA512
3288d65c1202036c21e05e6db0fced05ea4cdec2bd740c23d100ba0f06a3f5c4b4bb82b925df9e63e585125c86c6b3bf5d73cde74965cec4363c006f60b0d423

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
130KB

MD5
600f940042ec3311ad11c583d6326ef7

SHA1
125158c58291f9271b09de905ac73d382d07c72f

SHA256
8c6000678764145938d0ba519cf377bca0fcd65d5455394187638254db93b91d

SHA512
ae1af9bd6414c0faaea78c7cfe17b30101c04454e807cb075d408e5fddfdedd92249f282ba7d3f6309ba0fcd88593afae0127f220ff47432ace7b3d1f8cfb531

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
65KB

MD5
1d038205d6af4f76b57ca5d8f564c4eb

SHA1
9c484985daadc2908aea943ea5994b689f058de4

SHA256
4693e5edd8a2e47510992edd25d326b09366298705f2562eaba709bea8ba5811

SHA512
ab1ddf171312f279fe4feaa2b496eb8da65ea1c9dfbdd8983db555f8dbee77a72eaac15367aad5819a73a5327c0f840ddf0478012ab939aec3d7bfcac612c151

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
74KB

MD5
31b545667d441667c43293d1eee6d41c

SHA1
cd3f652e9030622669a60e192f1e3ee4d38eff51

SHA256
a6a88f4cc38eb0a780beaf9a870c4fc0aa241b309259df73f6c76740011f387b

SHA512
c91c82b3016cc9023d13008e485b6e483e0a92b5295bf02d122e465aaa15823776ac4dd7fa83e81ce9b0a89b7c58f2794d966657ba199df4f818fcd2695ffd21

Download Submit
\Users\Admin\AppData\Local\Temp\1430995632.exe

Filesize
30KB

MD5
89ca8495dab424836854fb77d65dcd77

SHA1
b87d53f574a9e083d5605443f3f24f43d604ea15

SHA256
f1e44f1cbad4358444abec614c279b64e0896c6835332ff039c15dea3657169f

SHA512
59e89f32070c63ec42e40eb9e019db5369ffe28e269e602d8772cd0c3df4b8d44be130b0dfb9cf990d5c7da3822a447a419eed33481b7554c0263633a479c512

Download Submit
\Users\Admin\AppData\Local\Temp\nst36DA.tmp\epswgem.dll

Filesize
53KB

MD5
4997dfc871c6ffb7b24b6a9c862cabc4

SHA1
4b72c3fb979a3fd3d043b34acb3a2748291b4d05

SHA256
4dbb2532a70eb10b1b4588d7e71e4720d1001a65b112e03c32e8aec325b96f32

SHA512
9292fb119af8cdecc87d02022c9a4783942932510bc50dba0082994dd35ce9f3b165594fec157ecdab5be01fb3c018e55a5797cf616534d8381e4023d729c64b

Download Submit
\Users\Admin\AppData\Local\Temp\nst36DA.tmp\nsisunz.dll

Filesize
31KB

MD5
c7279d82ac1239c2974f3af3e1ee1fc8

SHA1
0dd28db2619e1071a37103919767482c3a5edaaa

SHA256
137a56820c1099ea7e9048f5dc8776194b49d7f4eacb9200531734c1eaef8c42

SHA512
e9ab2515e305665154678bed66021e6eedb93098dc7827fc9627afc228748a85a169cc1c369b5ac4bd6c4b8922a3763ff026f0a3c59356bcdf437bbf4f6f30d3

Download Submit