13b26d4a6b97e674227c26b8e9f591cac05e48cb62bf5d3a06328da2094d132a

Analysis

max time kernel
0s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e90a6b20ce833238a15e3eb98525ac6.exe
Size

645KB
MD5

1e90a6b20ce833238a15e3eb98525ac6
SHA1

c6a8b6f502390254dd453db1c6a6a2e01be66cb1
SHA256

13b26d4a6b97e674227c26b8e9f591cac05e48cb62bf5d3a06328da2094d132a
SHA512

c7add0896611d5710b48a0d2fbdf02e97b89cd164ce0d874e514ced53b99969550d5595f187d69a5eb9252109ece7681fe5abde1cebffea92c47a4fbea8b2e31
SSDEEP

12288:btpf7BhrscSSOleuP7n/b7bQuXlTrhqMGm+xFwKhlfc8vy4h:btp1lsB7LPXv1TYM87s86

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5444	1432566139.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	1e90a6b20ce833238a15e3eb98525ac6.exe
2780	1e90a6b20ce833238a15e3eb98525ac6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
60	5444	WerFault.exe	25

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	796	wmic.exe
Token: SeSecurityPrivilege	796	wmic.exe
Token: SeTakeOwnershipPrivilege	796	wmic.exe
Token: SeLoadDriverPrivilege	796	wmic.exe
Token: SeSystemProfilePrivilege	796	wmic.exe
Token: SeSystemtimePrivilege	796	wmic.exe
Token: SeProfSingleProcessPrivilege	796	wmic.exe
Token: SeIncBasePriorityPrivilege	796	wmic.exe
Token: SeCreatePagefilePrivilege	796	wmic.exe
Token: SeBackupPrivilege	796	wmic.exe
Token: SeRestorePrivilege	796	wmic.exe
Token: SeShutdownPrivilege	796	wmic.exe
Token: SeDebugPrivilege	796	wmic.exe
Token: SeSystemEnvironmentPrivilege	796	wmic.exe
Token: SeRemoteShutdownPrivilege	796	wmic.exe
Token: SeUndockPrivilege	796	wmic.exe
Token: SeManageVolumePrivilege	796	wmic.exe
Token: 33	796	wmic.exe
Token: 34	796	wmic.exe
Token: 35	796	wmic.exe
Token: 36	796	wmic.exe
Token: SeIncreaseQuotaPrivilege	796	wmic.exe
Token: SeSecurityPrivilege	796	wmic.exe
Token: SeTakeOwnershipPrivilege	796	wmic.exe
Token: SeLoadDriverPrivilege	796	wmic.exe
Token: SeSystemProfilePrivilege	796	wmic.exe
Token: SeSystemtimePrivilege	796	wmic.exe
Token: SeProfSingleProcessPrivilege	796	wmic.exe
Token: SeIncBasePriorityPrivilege	796	wmic.exe
Token: SeCreatePagefilePrivilege	796	wmic.exe
Token: SeBackupPrivilege	796	wmic.exe
Token: SeRestorePrivilege	796	wmic.exe
Token: SeShutdownPrivilege	796	wmic.exe
Token: SeDebugPrivilege	796	wmic.exe
Token: SeSystemEnvironmentPrivilege	796	wmic.exe
Token: SeRemoteShutdownPrivilege	796	wmic.exe
Token: SeUndockPrivilege	796	wmic.exe
Token: SeManageVolumePrivilege	796	wmic.exe
Token: 33	796	wmic.exe
Token: 34	796	wmic.exe
Token: 35	796	wmic.exe
Token: 36	796	wmic.exe
Token: SeIncreaseQuotaPrivilege	3728	wmic.exe
Token: SeSecurityPrivilege	3728	wmic.exe
Token: SeTakeOwnershipPrivilege	3728	wmic.exe
Token: SeLoadDriverPrivilege	3728	wmic.exe
Token: SeSystemProfilePrivilege	3728	wmic.exe
Token: SeSystemtimePrivilege	3728	wmic.exe
Token: SeProfSingleProcessPrivilege	3728	wmic.exe
Token: SeIncBasePriorityPrivilege	3728	wmic.exe
Token: SeCreatePagefilePrivilege	3728	wmic.exe
Token: SeBackupPrivilege	3728	wmic.exe
Token: SeRestorePrivilege	3728	wmic.exe
Token: SeShutdownPrivilege	3728	wmic.exe
Token: SeDebugPrivilege	3728	wmic.exe
Token: SeSystemEnvironmentPrivilege	3728	wmic.exe
Token: SeRemoteShutdownPrivilege	3728	wmic.exe
Token: SeUndockPrivilege	3728	wmic.exe
Token: SeManageVolumePrivilege	3728	wmic.exe
Token: 33	3728	wmic.exe
Token: 34	3728	wmic.exe
Token: 35	3728	wmic.exe
Token: 36	3728	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 5444	2780	1e90a6b20ce833238a15e3eb98525ac6.exe	25
PID 2780 wrote to memory of 5444	2780	1e90a6b20ce833238a15e3eb98525ac6.exe	25
PID 2780 wrote to memory of 5444	2780	1e90a6b20ce833238a15e3eb98525ac6.exe	25
PID 5444 wrote to memory of 796	5444	1432566139.exe	28
PID 5444 wrote to memory of 796	5444	1432566139.exe	28
PID 5444 wrote to memory of 796	5444	1432566139.exe	28
PID 5444 wrote to memory of 3728	5444	1432566139.exe	33
PID 5444 wrote to memory of 3728	5444	1432566139.exe	33
PID 5444 wrote to memory of 3728	5444	1432566139.exe	33

C:\Users\Admin\AppData\Local\Temp\1e90a6b20ce833238a15e3eb98525ac6.exe
"C:\Users\Admin\AppData\Local\Temp\1e90a6b20ce833238a15e3eb98525ac6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\1432566139.exe
  C:\Users\Admin\AppData\Local\Temp\1432566139.exe 2)1)7)5)7)5)3)4)6)2)3 LU9CPzYtNTEaLVBTQUlEPTgtHClMQlJWSE1EREE5Kx4sQkhMT0I/Oi4vMDQwHyg+Qj86LBotTVBOPVA8T1xFPjsvMjMsLhkqUEFMVEJQXk5NRThlcG5uNy0ubG1vKUFBTUkqUk5JKDpLTSpDTENNHyg+RURAR0NCOmRiMjEtXzRgMy81LjMxMV1dYmIrYzRjN1xgLi8vXzFjHS1DKjgmLB0rPjA6KzAZKj0uOikrHixCMzYoKhssQC87Ki8fKEtLSkFRPVJcTlFCUTo+VjkaLU1QTj1QPE9cQU9KPjsfKEtLSkFRPVJcTEBGQDY/b2VwY29EaGdfXm0dKz9WQl1US0c2Y3FwajgsLXJhdGdvZWFsLGBtbCg/a2RzYWxEZmxjXm1YTmJwb24rY3deGyhAVUFZQUpCS0JJPjgdK0JNUFJeO01IUlBBTDsvHi5NQzpJSFVJU1xTUUU4GSpTSTcwHS1DTCw2LmIsMzE2N2ApYTFcMTEuXzU0ZV5hKzE1MjBhMi84WzQZKk9RSFJGS0RYUj5HQEtHQ0ZLQEBATk1JORotRlFeS1BHT0ZJPztxcHReGyhNQlBPUEtHTUBaTk5CTllCPldSNi0ZKkVFPkNVOzAZKkJOXEBTTD5LSDxaPklATlNOUUNDNmFaZ3BhGi1BTVZHR0g8QVtDTjoxMCctMSkvLiwsLjU4GSpNREpBNy8xMTEuMiorLywaLUFNVkdHSDxBW05HSkM8LiorMCwuKi8yKDMzLSw1MSwkTko=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5444
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389270.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389270.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389270.txt bios get version
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389270.txt bios get version
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704389270.txt bios get version
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 852
    3⤵
    - Program crash
    PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5444 -ip 5444
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432566139.exe

Filesize
164KB

MD5
68b93ffe1542d1a0707fc1eaf9378f91

SHA1
b2f628ff0d48f6bfc4358a9c062ac022a91652f8

SHA256
f727f4c84b5e9501e201ed70c46228722cb6ea14ded9b86117b4f7328f39f723

SHA512
a8b8e47eee67f9367c0c5a73eb0c852657028c6bb18c0160da440c6c8ec0022e5c8825dc6824a08a4ba829eca40158ec73a055a64565b174166f8950977b3dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1432566139.exe

Filesize
228KB

MD5
38e7f6dae2e627a4292c6b06e58bf32f

SHA1
d907d1763fc2e84674cec5c3ff695a19dc1fc8b9

SHA256
f44ded3bfc746026e40f80936ee9ae7269709b4fbd04df2b64b9aeb8739f32a3

SHA512
5c75e9a3708ac70237b7c9a5a9616008ddc28a1808715aa43c1d0d831cfe25b815cd84920035a1a44fdc20aef93cfe87b83bbdbe4e668e8ed734aea30277378f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704389270.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704389270.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704389270.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse445D.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse445D.tmp\ZipDLL.dll

Filesize
25KB

MD5
85b9360dc45cac593c08371570dff471

SHA1
0ce998855c862529e9f1855e2358d97d88764cba

SHA256
525597bf80975cd855b30ec9b7cafd8a5ed81d2649c24825f74e74f4d2917a06

SHA512
0b32b4d96dd9d92aa328210f7c1bd901a13ab4529a3875bdd73471f144132371c0f8e14dc4fa4b98bc8183e69d93a69e050f678fbf5cb211f318bff1ec23fe9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse445D.tmp\kzgmugr.dll

Filesize
157KB

MD5
5412979767528b02ae8a37bbce43c33a

SHA1
db0519851795170b0948e41d9b6ccb59b31906b5

SHA256
1cd3d8561ef481ba60e080b711b4177af9b2c5852912d4999178f446b695fad4

SHA512
473227450fa38c4e5836a8aa291c0212a39b222903b2195df808c9b6e9198efc511f6c9709b02fa6b3ce91f98cb6f1a15d89c0202d9d4170763433428b0b3636

Download Submit