Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2003ce5113f0615016521caeedbbd312.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2003ce5113f0615016521caeedbbd312.exe
- Resource: win10v2004-20231215-en
General
- Target: 2003ce5113f0615016521caeedbbd312.exe
- Size: 976KB
- MD5: 2003ce5113f0615016521caeedbbd312
- SHA1: 5efd7be2e5bae7a3b41478ce60e91922f482f71d
- SHA256: 06549af3606014510e5da6bc47c3af3d8aca6faa33e63df2456bfda85936bfbb
- SHA512: 61ca00490f6a67bc4101a8a66386f7e411dd3a9a57a6266174b7f36b5dbd5f79f1b820878ba387b96bd7fde804159ba0dc1e8644705dd1255bb9292cc7f021cb
- SSDEEP: 24576:233EOrpA17Lm6car6OmTzqeYkK+4K6kZHh4mGKZ7VV:JUpgG6car6QN+4K6sHh7H
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2700 | f.exe
- Loads dropped DLL (9 IoCs)
  pid | Process
  2508 | 2003ce5113f0615016521caeedbbd312.exe
  2508 | 2003ce5113f0615016521caeedbbd312.exe
  652 | WerFault.exe
  652 | WerFault.exe
  652 | WerFault.exe
  652 | WerFault.exe
  652 | WerFault.exe
  652 | WerFault.exe
  652 | WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  652 | 2700 | WerFault.exe | 28
- Modifies registry class (34 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32 | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5} | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\ = "SmartInstallerLib" | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32 | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version\ = "1.0" | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982} | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0 | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS\ = "0" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32 | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32 | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0" | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\ = "CBrowserExternal Class" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals" | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe\"" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0 | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib | f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Programmable | f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe" | f.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 3004 | wmic.exe
  Token: SeSecurityPrivilege | 3004 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 3004 | wmic.exe
  Token: SeLoadDriverPrivilege | 3004 | wmic.exe
  Token: SeSystemProfilePrivilege | 3004 | wmic.exe
  Token: SeSystemtimePrivilege | 3004 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 3004 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 3004 | wmic.exe
  Token: SeCreatePagefilePrivilege | 3004 | wmic.exe
  Token: SeBackupPrivilege | 3004 | wmic.exe
  Token: SeRestorePrivilege | 3004 | wmic.exe
  Token: SeShutdownPrivilege | 3004 | wmic.exe
  Token: SeDebugPrivilege | 3004 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 3004 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 3004 | wmic.exe
  Token: SeUndockPrivilege | 3004 | wmic.exe
  Token: SeManageVolumePrivilege | 3004 | wmic.exe
  Token: 33 | 3004 | wmic.exe
  Token: 34 | 3004 | wmic.exe
  Token: 35 | 3004 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 3004 | wmic.exe
  Token: SeSecurityPrivilege | 3004 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 3004 | wmic.exe
  Token: SeLoadDriverPrivilege | 3004 | wmic.exe
  Token: SeSystemProfilePrivilege | 3004 | wmic.exe
  Token: SeSystemtimePrivilege | 3004 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 3004 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 3004 | wmic.exe
  Token: SeCreatePagefilePrivilege | 3004 | wmic.exe
  Token: SeBackupPrivilege | 3004 | wmic.exe
  Token: SeRestorePrivilege | 3004 | wmic.exe
  Token: SeShutdownPrivilege | 3004 | wmic.exe
  Token: SeDebugPrivilege | 3004 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 3004 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 3004 | wmic.exe
  Token: SeUndockPrivilege | 3004 | wmic.exe
  Token: SeManageVolumePrivilege | 3004 | wmic.exe
  Token: 33 | 3004 | wmic.exe
  Token: 34 | 3004 | wmic.exe
  Token: 35 | 3004 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 2744 | wmic.exe
  Token: SeSecurityPrivilege | 2744 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2744 | wmic.exe
  Token: SeLoadDriverPrivilege | 2744 | wmic.exe
  Token: SeSystemProfilePrivilege | 2744 | wmic.exe
  Token: SeSystemtimePrivilege | 2744 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2744 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2744 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2744 | wmic.exe
  Token: SeBackupPrivilege | 2744 | wmic.exe
  Token: SeRestorePrivilege | 2744 | wmic.exe
  Token: SeShutdownPrivilege | 2744 | wmic.exe
  Token: SeDebugPrivilege | 2744 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2744 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2744 | wmic.exe
  Token: SeUndockPrivilege | 2744 | wmic.exe
  Token: SeManageVolumePrivilege | 2744 | wmic.exe
  Token: 33 | 2744 | wmic.exe
  Token: 34 | 2744 | wmic.exe
  Token: 35 | 2744 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 2636 | wmic.exe
  Token: SeSecurityPrivilege | 2636 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2636 | wmic.exe
  Token: SeLoadDriverPrivilege | 2636 | wmic.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 2508 wrote to memory of 2700 | 2508 | 2003ce5113f0615016521caeedbbd312.exe | 28
  PID 2508 wrote to memory of 2700 | 2508 | 2003ce5113f0615016521caeedbbd312.exe | 28
  PID 2508 wrote to memory of 2700 | 2508 | 2003ce5113f0615016521caeedbbd312.exe | 28
  PID 2508 wrote to memory of 2700 | 2508 | 2003ce5113f0615016521caeedbbd312.exe | 28
  PID 2700 wrote to memory of 3004 | 2700 | f.exe | 29
  PID 2700 wrote to memory of 3004 | 2700 | f.exe | 29
  PID 2700 wrote to memory of 3004 | 2700 | f.exe | 29
  PID 2700 wrote to memory of 3004 | 2700 | f.exe | 29
  PID 2700 wrote to memory of 2744 | 2700 | f.exe | 32
  PID 2700 wrote to memory of 2744 | 2700 | f.exe | 32
  PID 2700 wrote to memory of 2744 | 2700 | f.exe | 32
  PID 2700 wrote to memory of 2744 | 2700 | f.exe | 32
  PID 2700 wrote to memory of 2636 | 2700 | f.exe | 34
  PID 2700 wrote to memory of 2636 | 2700 | f.exe | 34
  PID 2700 wrote to memory of 2636 | 2700 | f.exe | 34
  PID 2700 wrote to memory of 2636 | 2700 | f.exe | 34
  PID 2700 wrote to memory of 2616 | 2700 | f.exe | 36
  PID 2700 wrote to memory of 2616 | 2700 | f.exe | 36
  PID 2700 wrote to memory of 2616 | 2700 | f.exe | 36
  PID 2700 wrote to memory of 2616 | 2700 | f.exe | 36
  PID 2700 wrote to memory of 2768 | 2700 | f.exe | 38
  PID 2700 wrote to memory of 2768 | 2700 | f.exe | 38
  PID 2700 wrote to memory of 2768 | 2700 | f.exe | 38
  PID 2700 wrote to memory of 2768 | 2700 | f.exe | 38
  PID 2700 wrote to memory of 652 | 2700 | f.exe | 40
  PID 2700 wrote to memory of 652 | 2700 | f.exe | 40
  PID 2700 wrote to memory of 652 | 2700 | f.exe | 40
  PID 2700 wrote to memory of 652 | 2700 | f.exe | 40
Processes
- C:\Users\Admin\AppData\Local\Temp\2003ce5113f0615016521caeedbbd312.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2003ce5113f0615016521caeedbbd312.exe"
  PID: 2508
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f.exe /PID=301 /SUBPID=0 /NETWORKID=1 /DISTID=3746 /CID=0 /PRODUCT_ID=3578 /SERVER_URL=http://installer.apps-track.com /CLICKID= /D1=5046 /D2=-1 /D3=-1 /D4=-1 /D5=34103 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=Google%20Earth /EXE_URL=http://www.google.com/earth/download/ge/agree.html /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1404084119 /VM=0 /DS1= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /IS_DYNAMIC_ENCRYPTED=false
    PID: 2700
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get serialnumber
      PID: 3004
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
      PID: 2744
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
      PID: 2636
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
      PID: 2616
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
      PID: 2768
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 372
      PID: 652
      Signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- Filesize: 1.3MB
  MD5: abf32f699a8f46201c050ae100a96120
  SHA1: 19592e3cad4e95d32e26fb255e1b1667ceacf756
  SHA256: e7329793eaf848eb0d2179aa70424eba366ecf82b39b08f507cbb31b8b52d1e4
  SHA512: 5b5865cbce619b024baaa7d43c47122e35c9cd45fac16d648e9987cc753fa3488e8931cf8580a191c726cb4558d2f59cd0404618800b6e64e7adf9ff308bed58
- Filesize: 114KB
  MD5: 800146b096a206b799d42699344bcc41
  SHA1: 19d45579c0f8fda2f03c1e5f661654b381b48201
  SHA256: 2c45897153ced9e105a3e95a09fcf757bd48d0228974410f1c29977bb0660aa9
  SHA512: 8c214ea6a75b165f9a76a3895e8c4ebed4949ff387d4692a1a0b9e6b27d450a451d6b3645a7783d81570159df2553a6013feb2f0ae0b62c83764fbf97e8ab34f