f7c77ef5e9638eca93db1eab5f65fd11786623888bedf3731482fa6a86b51f81

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b8e77ec396f165e2137ef92b77b4ba.exe
Size

581KB
MD5

05b8e77ec396f165e2137ef92b77b4ba
SHA1

3b4c632ee1b1c3af8224472074d3a6151b151a64
SHA256

f7c77ef5e9638eca93db1eab5f65fd11786623888bedf3731482fa6a86b51f81
SHA512

8def0309c08bbf332de4e6f20b14a4790db98a48a182fb19dc9b607a90088d1fc07257026110ff3c9504bf7f20207451325e7d216a26c8798315d6173aa85169
SSDEEP

12288:IJDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+8:IxJbl+36tKPdhJ7b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	1431831751.exe

Loads dropped DLL 11 IoCs

pid	Process
2004	05b8e77ec396f165e2137ef92b77b4ba.exe
2004	05b8e77ec396f165e2137ef92b77b4ba.exe
2004	05b8e77ec396f165e2137ef92b77b4ba.exe
2004	05b8e77ec396f165e2137ef92b77b4ba.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2868	2200	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: SeIncreaseQuotaPrivilege	2856	wmic.exe
Token: SeSecurityPrivilege	2856	wmic.exe
Token: SeTakeOwnershipPrivilege	2856	wmic.exe
Token: SeLoadDriverPrivilege	2856	wmic.exe
Token: SeSystemProfilePrivilege	2856	wmic.exe
Token: SeSystemtimePrivilege	2856	wmic.exe
Token: SeProfSingleProcessPrivilege	2856	wmic.exe
Token: SeIncBasePriorityPrivilege	2856	wmic.exe
Token: SeCreatePagefilePrivilege	2856	wmic.exe
Token: SeBackupPrivilege	2856	wmic.exe
Token: SeRestorePrivilege	2856	wmic.exe
Token: SeShutdownPrivilege	2856	wmic.exe
Token: SeDebugPrivilege	2856	wmic.exe
Token: SeSystemEnvironmentPrivilege	2856	wmic.exe
Token: SeRemoteShutdownPrivilege	2856	wmic.exe
Token: SeUndockPrivilege	2856	wmic.exe
Token: SeManageVolumePrivilege	2856	wmic.exe
Token: 33	2856	wmic.exe
Token: 34	2856	wmic.exe
Token: 35	2856	wmic.exe
Token: SeIncreaseQuotaPrivilege	2856	wmic.exe
Token: SeSecurityPrivilege	2856	wmic.exe
Token: SeTakeOwnershipPrivilege	2856	wmic.exe
Token: SeLoadDriverPrivilege	2856	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2200	2004	05b8e77ec396f165e2137ef92b77b4ba.exe	28
PID 2004 wrote to memory of 2200	2004	05b8e77ec396f165e2137ef92b77b4ba.exe	28
PID 2004 wrote to memory of 2200	2004	05b8e77ec396f165e2137ef92b77b4ba.exe	28
PID 2004 wrote to memory of 2200	2004	05b8e77ec396f165e2137ef92b77b4ba.exe	28
PID 2200 wrote to memory of 2752	2200	1431831751.exe	29
PID 2200 wrote to memory of 2752	2200	1431831751.exe	29
PID 2200 wrote to memory of 2752	2200	1431831751.exe	29
PID 2200 wrote to memory of 2752	2200	1431831751.exe	29
PID 2200 wrote to memory of 2856	2200	1431831751.exe	33
PID 2200 wrote to memory of 2856	2200	1431831751.exe	33
PID 2200 wrote to memory of 2856	2200	1431831751.exe	33
PID 2200 wrote to memory of 2856	2200	1431831751.exe	33
PID 2200 wrote to memory of 2544	2200	1431831751.exe	35
PID 2200 wrote to memory of 2544	2200	1431831751.exe	35
PID 2200 wrote to memory of 2544	2200	1431831751.exe	35
PID 2200 wrote to memory of 2544	2200	1431831751.exe	35
PID 2200 wrote to memory of 2992	2200	1431831751.exe	37
PID 2200 wrote to memory of 2992	2200	1431831751.exe	37
PID 2200 wrote to memory of 2992	2200	1431831751.exe	37
PID 2200 wrote to memory of 2992	2200	1431831751.exe	37
PID 2200 wrote to memory of 1268	2200	1431831751.exe	38
PID 2200 wrote to memory of 1268	2200	1431831751.exe	38
PID 2200 wrote to memory of 1268	2200	1431831751.exe	38
PID 2200 wrote to memory of 1268	2200	1431831751.exe	38
PID 2200 wrote to memory of 2868	2200	1431831751.exe	40
PID 2200 wrote to memory of 2868	2200	1431831751.exe	40
PID 2200 wrote to memory of 2868	2200	1431831751.exe	40
PID 2200 wrote to memory of 2868	2200	1431831751.exe	40

C:\Users\Admin\AppData\Local\Temp\05b8e77ec396f165e2137ef92b77b4ba.exe
"C:\Users\Admin\AppData\Local\Temp\05b8e77ec396f165e2137ef92b77b4ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 0!0!8!8!8!9!5!4!0!8!3 L1BBPDUqKy4yGCxTVTpIQTs4LCAnS0VUT0dKQkRAPSgdL0RBS0xAPzkyLy83MhgnO0A/OTAYLFBSRzxNOk9bSTw6MTYxLBgmTkFSTkJSX01KRDRjcHRoNy8va2puJT9BU0MqVE9IJTlHSypJRkNPICc7REA+R0k8OndKRUpHOVA0STlJVUpDMUMnPEE2KUZJNBgnPCg4LTEoLTUgJzwqNCgtICdBMz0lKRgmPzA9JS4gLzwtNSQsHC9IT09ETTtMVktOSU4+Q1k1GCdHTUtETUBUXz1NRDg4HC9IT09ETTtMVkk9TT06IC89UD1WUE5MNR0vRVA9VzpIQExBS0U9GCdARk5QXzpPT1dLPUo0KxwvTEVBTkNRR0xaUVJEOiAvTkU1KRsrREsuPSAnSk1FT0VNPVxXRUQ7R0RARU05REVVSkQ1FypFU1dPVU5MQUU8OHBybWIgL0o9TExNSklGRF9VSz1KVj89WUs6MiAnQEE7QFQ9KR0vSUtXPFBJPU1BQF9FRjtKUEtQRTw6ZmFka10XKkBPT0tMTzk8V0BLOTYuKzEwKiYwJSw0MBgsVElFPTUoLy8xMDA2MjEtGCY/S1dGSU9BPFdMQEhBPS0sMTcnKigoMCY0Mi44OiktIjhIHC9NPj1NZ3JhY2ddJSpjNS4oIyBOZGpkZ3RzK0ZMIy0pLSUrXytXR08uKyAvYiNRcmlcXWZrIC5mLyswJStaI2lxITNZLjEuKB0rWSZDVDo0LjUhI2RgZmErP2Jja2cYJ0xNSD1gcXRwHStZHC1iJSpjZ2VsKSYnLC0xXGJzaV9mJmBpYm8dL2ZSbWZMYGhhRGd0bmxnWVxEXGphX2JyX1xdaGNqdSUqYzE0KykwKjEuOS4iMmZcZ29lZ2thXGphbllfXWkgLmYpMTMxMCsuKTQyJStjODMuLysoLSw1KTZYMkJtSztMdlBQPjRNYVtpQ3Q+ZEdnRTFFYkFvQ1NRLkh5OCpFcUlwS0MwYVhDLCtDYC9yTGJSaFlxYylCZG9mUVFJN0RLb2NSdXcuR3lvYlFyRDRHRDlhWG1SZVBkb2NhKlI0Y2Rwa1poa2ZRRHRuUSpSZlJ2VihPRVpITGM5UUkwXzFSRkI9SjtVR0xjQ0FOS2A6SWQwZlJqSnRaYl9v
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703911502.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703911502.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703911502.txt bios get version
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703911502.txt bios get version
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703911502.txt bios get version
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
728KB

MD5
a3b2577661803254b8fe2fac592551f3

SHA1
ab4576ed8bdecde099dfa2923e358d9c7ea7086e

SHA256
5de5590857d8ac1a2fa4c1f7851fe0adbac65885a3df285064a40ec3e659af61

SHA512
d1bbffaf992575a51f4375881bfe484b27f6be8bf06449ed9fcd42f2e5de284046ca085cea42d93ebe15beffa5ebb7f102ff636d52ac03dbd4b7048babb34527

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703911502.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703911502.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703911502.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
788KB

MD5
8890fe58240790af20b7006c537a69a2

SHA1
aebb9a5cbd652634e017bbe57d1ba032b90f5a5b

SHA256
747baf72bd89b1dc09ec74093aad6249b2ee983e56cb730476a107ee5024be27

SHA512
ddf24bf4004148b7f90b4659bc2cd59cc97c3fa9b1c75d2bfdb89d0547ecb1b62405d5258f6ea7c4e18c3892cb1cb7c4fb354f34a091325ca9b940d99eafb074

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
54KB

MD5
e8128e832df4c7b8368d745afcea4442

SHA1
13abe0f33c7c5c2e8d9e9a42c4b228546876705b

SHA256
d7e15702befdfdadd62e3fb34363e62dc274d5b1dc914abd4a338b53857ea26d

SHA512
4d3d3f16a93bb06a235cbd4de44c2ed5a945d7e9e1a884cadf0fb973e2204d455450f704fe8eff0c99a8c8cfcb34d10e7ff128881fc9909fc3a2a15c6a4315f9

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
152KB

MD5
8599a90d5adb1355cd1bf53a6e93f08f

SHA1
286cf7d6abfc78363f3c4a9261c8cf0a5a478a5a

SHA256
75bfc2b973a64197d00e49bfdf95ef2f4da4742b367ea7dad5c96102fe6360f4

SHA512
77a7219656604d6088fdf3e69b7361105418b87492780f82185739f3288aed3e1b98afd0a598aae9788023e5c3f36a60fff1ecf1e60e2e7a3095d1a3c6da582c

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
67KB

MD5
3beb254355efa72d0f69b4fed8d38266

SHA1
cba6972f3a8ee9b43077e883c2fc280b0a0e04f3

SHA256
242274f7ed63028099f231001f555b02f5cb2ed751861968ec670c35401cd3d9

SHA512
cbc8f550d12c3881d9bd12e0c7372c66f6a47fa08125d848cbd4ef71bd9b3d24f914c5a9fed2c6ab2598f9c2e803742e58a38341b42a500d5675e108e9673a8c

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
85KB

MD5
edd742c10cfde70ee4de9669f9db6200

SHA1
51fb918c5cb4b0fc0fb548a218ff3e18cc7bab27

SHA256
0433e11a47815b5becd6da36995cd99a5118179851b86e2a27633f221ad22b42

SHA512
e19077cc564eb29728f1b1a82cf99736b6d28b44d41ce861302a699513758c70df2e811f05b2019e4b3a3b4aa782b77553143df175ae476fc144f0da0a8512ee

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
94KB

MD5
8b619dcca4456805f2b55f51dd92bbd2

SHA1
11fd8284898794c53f8afb8d3f97766dc1ebb00e

SHA256
eaa5eac784cc6b3ac700ca5083e7d6bb373f4480fe2dcadcdb3bc904865ebde9

SHA512
c6927491c8ff4f95b278a0d2d229da42985b26365879d5b195a9f884f3b99f9ca80a43643b8e9eb9e39434d2ca539f20c59fe2d6c2792df8485f66d8f8800e80

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
75KB

MD5
afec14f49ac01a3ebaaf3ca2aeccef24

SHA1
81c9511cb6cece3d0c321fb104885a61818efeea

SHA256
2e58d47863db526d86ac7f4bee2d05a1f6d00b9c9a8598ffdf6fb50e7dd78286

SHA512
cc66acd0ebcbcef34876a72aef794755b2af8f680c96e72f438248db79e84307c64e37e3945b44f84be4f5ce78842c6357ae4a772c67c2cc1af65378904bd012

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
421KB

MD5
f925dba217dbe37c59512bf43c044931

SHA1
ff5b919a701d34a31f3380568d66a6b6102866d5

SHA256
4858c02b1409f583a74e4af43d6fac765faaf2996e3ddd651edb16a25472f40c

SHA512
ab9c6e6e0572b61099baa248d7c38b698112b7c45c5b3a7c630c63de84601995f10ac821b57ce7baa655fe356b7247e9dc26f52a26cdc252663a472140d5ac34

Download Submit
\Users\Admin\AppData\Local\Temp\nsd714A.tmp\cgibuti.dll

Filesize
153KB

MD5
9b081b4f84974a46cffcf1ef1a2e85f9

SHA1
70a1b83bad19d28195f2df22c3d213a04b42fb2b

SHA256
303f74df9812b639b66f919804039d1e295ffae8e543fa4349507110ac766752

SHA512
4539a458b1d2ba61ffcf71ea59addd13727d26606f73dbfb21053d68d5656010dae5791d486789c14653c6fb953a7dc284c3a80db2b1970a0e7f0778ab77dbbf

Download Submit
\Users\Admin\AppData\Local\Temp\nsd714A.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit