06549af3606014510e5da6bc47c3af3d8aca6faa33e63df2456bfda85936bfbb

Analysis

max time kernel
15s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2003ce5113f0615016521caeedbbd312.exe
Size

976KB
MD5

2003ce5113f0615016521caeedbbd312
SHA1

5efd7be2e5bae7a3b41478ce60e91922f482f71d
SHA256

06549af3606014510e5da6bc47c3af3d8aca6faa33e63df2456bfda85936bfbb
SHA512

61ca00490f6a67bc4101a8a66386f7e411dd3a9a57a6266174b7f36b5dbd5f79f1b820878ba387b96bd7fde804159ba0dc1e8644705dd1255bb9292cc7f021cb
SSDEEP

24576:233EOrpA17Lm6car6OmTzqeYkK+4K6kZHh4mGKZ7VV:JUpgG6car6QN+4K6sHh7H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4188	f.exe

Loads dropped DLL 1 IoCs

pid	Process
4840	2003ce5113f0615016521caeedbbd312.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	4188	WerFault.exe	38

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version\ = "1.0"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS\ = "0"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\ = "SmartInstallerLib"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe\""	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\ = "CBrowserExternal Class"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Programmable	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0"	f.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2516	wmic.exe
Token: SeSecurityPrivilege	2516	wmic.exe
Token: SeTakeOwnershipPrivilege	2516	wmic.exe
Token: SeLoadDriverPrivilege	2516	wmic.exe
Token: SeSystemProfilePrivilege	2516	wmic.exe
Token: SeSystemtimePrivilege	2516	wmic.exe
Token: SeProfSingleProcessPrivilege	2516	wmic.exe
Token: SeIncBasePriorityPrivilege	2516	wmic.exe
Token: SeCreatePagefilePrivilege	2516	wmic.exe
Token: SeBackupPrivilege	2516	wmic.exe
Token: SeRestorePrivilege	2516	wmic.exe
Token: SeShutdownPrivilege	2516	wmic.exe
Token: SeDebugPrivilege	2516	wmic.exe
Token: SeSystemEnvironmentPrivilege	2516	wmic.exe
Token: SeRemoteShutdownPrivilege	2516	wmic.exe
Token: SeUndockPrivilege	2516	wmic.exe
Token: SeManageVolumePrivilege	2516	wmic.exe
Token: 33	2516	wmic.exe
Token: 34	2516	wmic.exe
Token: 35	2516	wmic.exe
Token: 36	2516	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4188	4840	2003ce5113f0615016521caeedbbd312.exe	38
PID 4840 wrote to memory of 4188	4840	2003ce5113f0615016521caeedbbd312.exe	38
PID 4840 wrote to memory of 4188	4840	2003ce5113f0615016521caeedbbd312.exe	38
PID 4188 wrote to memory of 2516	4188	f.exe	50
PID 4188 wrote to memory of 2516	4188	f.exe	50
PID 4188 wrote to memory of 2516	4188	f.exe	50

C:\Users\Admin\AppData\Local\Temp\2003ce5113f0615016521caeedbbd312.exe
"C:\Users\Admin\AppData\Local\Temp\2003ce5113f0615016521caeedbbd312.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\f.exe
  C:\Users\Admin\AppData\Local\Temp\f.exe /PID=301 /SUBPID=0 /NETWORKID=1 /DISTID=3746 /CID=0 /PRODUCT_ID=3578 /SERVER_URL=http://installer.apps-track.com /CLICKID= /D1=5046 /D2=-1 /D3=-1 /D4=-1 /D5=34103 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=Google%20Earth /EXE_URL=http://www.google.com/earth/download/ge/agree.html /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1404084119 /VM=0 /DS1= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /IS_DYNAMIC_ENCRYPTED=false
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt bios get version
    3⤵
    PID:644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 900
    3⤵
    - Program crash
    PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f.exe

Filesize
8KB

MD5
1c3a4ce03e701a816f3369124d72119f

SHA1
d5e2f9daebe35d340937f2770adb57bab53ce03b

SHA256
4d583e2f098f63c7fc55f7429cbded2a3d2f7d1decb6caa44753e2ad9ce4f715

SHA512
63de54a66c7641285fb31449ca7e3714a1220ce87c100ac9e640f7c7f31be5ae73d67a50eb0e7499f7410e241ad69bbd3b05a2ee2443c0f45d964d5ada6f19f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe

Filesize
27KB

MD5
bc8074cc78bd5046034d0a9af90f0903

SHA1
a44fce7d7a9f9ab763539fda82b180a985cbe921

SHA256
6b08e7b3522b3a2df24c61fddb01b4d3f21ddb06100d942b1b2e60b6e3582303

SHA512
abfffd7d55d7187d31415985c2e42e12273b19364a7ab9292480e1ecabb8b92a4ae374e111987e9e065addcaae47197ef620f49238a95451dda7f8943058aa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\Convert.dll

Filesize
48KB

MD5
4de3e9e2db2cb52c4d4657713779e871

SHA1
6014e1c560ae69571c5bc156b9d9a388c2a994a3

SHA256
12cb154ced4f052cfdb1a39d341577f97db141b266f37a84d9c9f1dee141b420

SHA512
5507655723a34d95694885ec287dfd5fb5e051b91d0fef07d683e98c6d0577f073ca6ee3d7de3e43dfda2c99c2d1616f40375965f0c631411749d01e92e9800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\Convert.dll

Filesize
5KB

MD5
e2a088f04917f9d12370028357eebf36

SHA1
dbd779fa42029dcae46f5320e5f2a6a26c2df562

SHA256
e3fb8d4452ed8f92eb04a671ef446b56bd579f141fa76a89b80f1dbc87465e4b

SHA512
e1078cb67689d62e7c5c6c2679b00b10eab815bd4411e94e02ce7d00e4d5579539703f1473aa6a17fbaadfd7d929e9422ba48c80b593328591306b151208dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob1hhelper.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit