c5226df72877bb0d4f387b7cedad6ce2eef1c16a0ee0337f7a537ce129cc282f

General

Target

064e3a1f77224f2e14edae479c7ea010.exe
Size

581KB
MD5

064e3a1f77224f2e14edae479c7ea010
SHA1

e78239dcaf2e62db97e16b9a67e482c738748538
SHA256

c5226df72877bb0d4f387b7cedad6ce2eef1c16a0ee0337f7a537ce129cc282f
SHA512

5a7b68a7f6fd2c4b0c51773a4367fb7bc8882efc1bb88ebb1148fa902b16a4a33d880c6c1a3db567ad56edd2b7856edcde4405fe34c519eb15331b832706cc1a
SSDEEP

12288:LBSDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+E:LCJbl+36tKPdhJ7p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	1431831751.exe

Loads dropped DLL 2 IoCs

pid	Process
3764	064e3a1f77224f2e14edae479c7ea010.exe
3764	064e3a1f77224f2e14edae479c7ea010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	1748	WerFault.exe	21

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3460	wmic.exe
Token: SeSecurityPrivilege	3460	wmic.exe
Token: SeTakeOwnershipPrivilege	3460	wmic.exe
Token: SeLoadDriverPrivilege	3460	wmic.exe
Token: SeSystemProfilePrivilege	3460	wmic.exe
Token: SeSystemtimePrivilege	3460	wmic.exe
Token: SeProfSingleProcessPrivilege	3460	wmic.exe
Token: SeIncBasePriorityPrivilege	3460	wmic.exe
Token: SeCreatePagefilePrivilege	3460	wmic.exe
Token: SeBackupPrivilege	3460	wmic.exe
Token: SeRestorePrivilege	3460	wmic.exe
Token: SeShutdownPrivilege	3460	wmic.exe
Token: SeDebugPrivilege	3460	wmic.exe
Token: SeSystemEnvironmentPrivilege	3460	wmic.exe
Token: SeRemoteShutdownPrivilege	3460	wmic.exe
Token: SeUndockPrivilege	3460	wmic.exe
Token: SeManageVolumePrivilege	3460	wmic.exe
Token: 33	3460	wmic.exe
Token: 34	3460	wmic.exe
Token: 35	3460	wmic.exe
Token: 36	3460	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1748	3764	064e3a1f77224f2e14edae479c7ea010.exe	21
PID 3764 wrote to memory of 1748	3764	064e3a1f77224f2e14edae479c7ea010.exe	21
PID 3764 wrote to memory of 1748	3764	064e3a1f77224f2e14edae479c7ea010.exe	21
PID 1748 wrote to memory of 3460	1748	1431831751.exe	20
PID 1748 wrote to memory of 3460	1748	1431831751.exe	20
PID 1748 wrote to memory of 3460	1748	1431831751.exe	20

C:\Users\Admin\AppData\Local\Temp\064e3a1f77224f2e14edae479c7ea010.exe
"C:\Users\Admin\AppData\Local\Temp\064e3a1f77224f2e14edae479c7ea010.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 1*6*7*7*2*4*3*7*6*2*2 LkpCPTsvLSssHi1STztJR0A6KRotTEROUEhQR0Y9Ny4eLj5CTFJFQTYsNTA2LBkoQUVBNioeLU9MSD1TP1FYQ0I7MDAyLR4rUD5MVENRWU5LSjllbW5uOC4pbGt0KkE+TUkrU0lJJj9MTSdDTEROGig8SkVARENCO3ZKTEJKUDNER0s/Nk1FMkksUkAqLi5QRxkoQi06KisuLjQaKD0wOSoqGi1CMjcmKh4rQS03Ky8fKT0uOykuGSlOUE4+TjxSW01LQ1Q/QlM2GS1MT0g+U0FTWT5OSj06GSlOUE4+TjxSW0s6R0M7Hyk+UUNbUktGOx4uP1E+XT9KPUZHTEQ3GShGS1BNWUBQTlFMPlA5LRkpUkZASERSTVFcTkxKOx8pT0Y7Lh0oPlEvPBooS1NKUUJHQ11WP0U8TUlCQkc/RURPS0U7HCxCTV1QVEhNQktBOm1sc2MfKUs+UlFPR0NMRV5PTD5QW0E6U1E7MRooQUdAQlE3Lx4uQ0xYQlVLOkdHQV4/RzxQVU1NP0I7ZVtlbGMcLD1JVUxLSTo9XUVNNjA0LDAqKyc2Ki4sLR4tU0NGPjstMSwrNjE4MisqHitBSFFMSk47PVhSRUo+NzMtMDEoKy4tMiMvOC82NCkqKD1KGSlTPzxHaHNnaGlaHzBkNCgpJCZTZmdebXVyJUdNKTIrKh8xYCpRSFA0MCIsXClScWNdXmxwIitgNSwvHyxbKW5zHi1fLzAoKSIpaGZkXylFZF1kaB4rUktGO2ZzbmkeMV0iK2AjMGVhXm0vKi0qKy9iZG1iYGwqZmdgbSMxYEtubFBmZl9CbXZoZWhfYEpaaF9lZGxYXWNsaWhzIzBlKy0sLzQwMjIwMCQsX11tc2tlaV9ibFtnWmVhbx4sZC8zLSoxMTU1KywjMWUwKjIzLC0pMjcvM1NQS3BPZ1wqTjBmKkZidW9KSytkTlNDLERnMHVCZ1c2Sj4+Lkw/V2ZIQTZoUmM6LkhBPnFLQS9eUnIyL0k8YWZYQ0cyQ1FjaVI9MjZJPXBmWEBSKkRCP2hTQGFoVUQuYmBULypcZkRxYUBdZlcxcmlQMEZsUj5iMFEqLkNSQk5uS2l2SUlzU0lOd2VGS0MvHytbSnV0ak9DT2dbUEd0VmdKcg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 864
    3⤵
    - Program crash
    PID:3060
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703915980.txt bios get version
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703915980.txt bios get version
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703915980.txt bios get version
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703915980.txt bios get version
    3⤵
    PID:3268

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703915980.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1748 -ip 1748
1⤵
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
96KB

MD5
83851499596dc1a52d7d669b75e3bf76

SHA1
f7db240988a333d9473c6e712b22e62882ccec10

SHA256
5ca751f86561c072195349d888cbad59884faf8f8f151e414f8fcaa45d007791

SHA512
40ff68554235691f3f446cf85e0bf06cdfa07cf52ba0b2550e43ffbaaae5cdc1bca83b5e4382debe1a465e9711d7b39a55223f8a2c438f62d49d875d8bfa2355

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
92KB

MD5
822a8b18f7be2c1190c68dbf2c3d8132

SHA1
52899b177595afcb9f4af728732eeb71133ed812

SHA256
2ed8efe231ddf14b952dfd118dce2d845e82468ea512b6099b292ee1da4eb55e

SHA512
9c019e77436d1c632ed0d19405ece3afcf93a4cec88f87dd1474189b90ffffbed8e5a683a412ca093b19c5e6f9a5b0e0f7b0d248cdeda11af4191298d4c10940

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb4A0A.tmp\cgibuti.dll

Filesize
153KB

MD5
9b081b4f84974a46cffcf1ef1a2e85f9

SHA1
70a1b83bad19d28195f2df22c3d213a04b42fb2b

SHA256
303f74df9812b639b66f919804039d1e295ffae8e543fa4349507110ac766752

SHA512
4539a458b1d2ba61ffcf71ea59addd13727d26606f73dbfb21053d68d5656010dae5791d486789c14653c6fb953a7dc284c3a80db2b1970a0e7f0778ab77dbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb4A0A.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit

Analysis

Sharing