13b26d4a6b97e674227c26b8e9f591cac05e48cb62bf5d3a06328da2094d132a

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e90a6b20ce833238a15e3eb98525ac6.exe
Size

645KB
MD5

1e90a6b20ce833238a15e3eb98525ac6
SHA1

c6a8b6f502390254dd453db1c6a6a2e01be66cb1
SHA256

13b26d4a6b97e674227c26b8e9f591cac05e48cb62bf5d3a06328da2094d132a
SHA512

c7add0896611d5710b48a0d2fbdf02e97b89cd164ce0d874e514ced53b99969550d5595f187d69a5eb9252109ece7681fe5abde1cebffea92c47a4fbea8b2e31
SSDEEP

12288:btpf7BhrscSSOleuP7n/b7bQuXlTrhqMGm+xFwKhlfc8vy4h:btp1lsB7LPXv1TYM87s86

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	1432566139.exe

Loads dropped DLL 11 IoCs

pid	Process
2224	1e90a6b20ce833238a15e3eb98525ac6.exe
2224	1e90a6b20ce833238a15e3eb98525ac6.exe
2224	1e90a6b20ce833238a15e3eb98525ac6.exe
2224	1e90a6b20ce833238a15e3eb98525ac6.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
344	2688	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	3032	wmic.exe
Token: SeSecurityPrivilege	3032	wmic.exe
Token: SeTakeOwnershipPrivilege	3032	wmic.exe
Token: SeLoadDriverPrivilege	3032	wmic.exe
Token: SeSystemProfilePrivilege	3032	wmic.exe
Token: SeSystemtimePrivilege	3032	wmic.exe
Token: SeProfSingleProcessPrivilege	3032	wmic.exe
Token: SeIncBasePriorityPrivilege	3032	wmic.exe
Token: SeCreatePagefilePrivilege	3032	wmic.exe
Token: SeBackupPrivilege	3032	wmic.exe
Token: SeRestorePrivilege	3032	wmic.exe
Token: SeShutdownPrivilege	3032	wmic.exe
Token: SeDebugPrivilege	3032	wmic.exe
Token: SeSystemEnvironmentPrivilege	3032	wmic.exe
Token: SeRemoteShutdownPrivilege	3032	wmic.exe
Token: SeUndockPrivilege	3032	wmic.exe
Token: SeManageVolumePrivilege	3032	wmic.exe
Token: 33	3032	wmic.exe
Token: 34	3032	wmic.exe
Token: 35	3032	wmic.exe
Token: SeIncreaseQuotaPrivilege	2724	wmic.exe
Token: SeSecurityPrivilege	2724	wmic.exe
Token: SeTakeOwnershipPrivilege	2724	wmic.exe
Token: SeLoadDriverPrivilege	2724	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2688	2224	1e90a6b20ce833238a15e3eb98525ac6.exe	28
PID 2224 wrote to memory of 2688	2224	1e90a6b20ce833238a15e3eb98525ac6.exe	28
PID 2224 wrote to memory of 2688	2224	1e90a6b20ce833238a15e3eb98525ac6.exe	28
PID 2224 wrote to memory of 2688	2224	1e90a6b20ce833238a15e3eb98525ac6.exe	28
PID 2688 wrote to memory of 2848	2688	1432566139.exe	29
PID 2688 wrote to memory of 2848	2688	1432566139.exe	29
PID 2688 wrote to memory of 2848	2688	1432566139.exe	29
PID 2688 wrote to memory of 2848	2688	1432566139.exe	29
PID 2688 wrote to memory of 3032	2688	1432566139.exe	32
PID 2688 wrote to memory of 3032	2688	1432566139.exe	32
PID 2688 wrote to memory of 3032	2688	1432566139.exe	32
PID 2688 wrote to memory of 3032	2688	1432566139.exe	32
PID 2688 wrote to memory of 2724	2688	1432566139.exe	34
PID 2688 wrote to memory of 2724	2688	1432566139.exe	34
PID 2688 wrote to memory of 2724	2688	1432566139.exe	34
PID 2688 wrote to memory of 2724	2688	1432566139.exe	34
PID 2688 wrote to memory of 2580	2688	1432566139.exe	36
PID 2688 wrote to memory of 2580	2688	1432566139.exe	36
PID 2688 wrote to memory of 2580	2688	1432566139.exe	36
PID 2688 wrote to memory of 2580	2688	1432566139.exe	36
PID 2688 wrote to memory of 536	2688	1432566139.exe	38
PID 2688 wrote to memory of 536	2688	1432566139.exe	38
PID 2688 wrote to memory of 536	2688	1432566139.exe	38
PID 2688 wrote to memory of 536	2688	1432566139.exe	38
PID 2688 wrote to memory of 344	2688	1432566139.exe	40
PID 2688 wrote to memory of 344	2688	1432566139.exe	40
PID 2688 wrote to memory of 344	2688	1432566139.exe	40
PID 2688 wrote to memory of 344	2688	1432566139.exe	40

C:\Users\Admin\AppData\Local\Temp\1e90a6b20ce833238a15e3eb98525ac6.exe
"C:\Users\Admin\AppData\Local\Temp\1e90a6b20ce833238a15e3eb98525ac6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\1432566139.exe
  C:\Users\Admin\AppData\Local\Temp\1432566139.exe 2)1)7)5)7)5)3)4)6)2)3 LU9CPzYtNTEaLVBTQUlEPTgtHClMQlJWSE1EREE5Kx4sQkhMT0I/Oi4vMDQwHyg+Qj86LBotTVBOPVA8T1xFPjsvMjMsLhkqUEFMVEJQXk5NRThlcG5uNy0ubG1vKUFBTUkqUk5JKDpLTSpDTENNHyg+RURAR0NCOmRiMjEtXzRgMy81LjMxMV1dYmIrYzRjN1xgLi8vXzFjHS1DKjgmLB0rPjA6KzAZKj0uOikrHixCMzYoKhssQC87Ki8fKEtLSkFRPVJcTlFCUTo+VjkaLU1QTj1QPE9cQU9KPjsfKEtLSkFRPVJcTEBGQDY/b2VwY29EaGdfXm0dKz9WQl1US0c2Y3FwajgsLXJhdGdvZWFsLGBtbCg/a2RzYWxEZmxjXm1YTmJwb24rY3deGyhAVUFZQUpCS0JJPjgdK0JNUFJeO01IUlBBTDsvHi5NQzpJSFVJU1xTUUU4GSpTSTcwHS1DTCw2LmIsMzE2N2ApYTFcMTEuXzU0ZV5hKzE1MjBhMi84WzQZKk9RSFJGS0RYUj5HQEtHQ0ZLQEBATk1JORotRlFeS1BHT0ZJPztxcHReGyhNQlBPUEtHTUBaTk5CTllCPldSNi0ZKkVFPkNVOzAZKkJOXEBTTD5LSDxaPklATlNOUUNDNmFaZ3BhGi1BTVZHR0g8QVtDTjoxMCctMSkvLiwsLjU4GSpNREpBNy8xMTEuMiorLywaLUFNVkdHSDxBW05HSkM8LiorMCwuKi8yKDMzLSw1MSwkTko=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389275.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389275.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389275.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389275.txt bios get version
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389275.txt bios get version
    3⤵
    PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704389275.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8C59.tmp\kzgmugr.dll

Filesize
157KB

MD5
5412979767528b02ae8a37bbce43c33a

SHA1
db0519851795170b0948e41d9b6ccb59b31906b5

SHA256
1cd3d8561ef481ba60e080b711b4177af9b2c5852912d4999178f446b695fad4

SHA512
473227450fa38c4e5836a8aa291c0212a39b222903b2195df808c9b6e9198efc511f6c9709b02fa6b3ce91f98cb6f1a15d89c0202d9d4170763433428b0b3636

Download Submit
\Users\Admin\AppData\Local\Temp\1432566139.exe

Filesize
755KB

MD5
1530f1cba9583095fc69e6ba83c3c8c4

SHA1
5e6581047e729b27b8d24f8ae0cef5237d019e24

SHA256
6cf1b1e246d4b1352a5d832179e48fae4b2df2e8b33ac2baa835a462b3de93d1

SHA512
1ca2c81fcabab6fa76e5d3170b1dbc8f0e0d2ada8f9923613b172651aeb2170f18eb18f45e432bd596c2c90aaac7aaa1900bd939e4b5f5c8969e6c8eeab9bd69

Download Submit
\Users\Admin\AppData\Local\Temp\nso8C59.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit