15efbc5e030d88f2901c94a9d991aeba80f495a602f874420483eafa88047ae4

Analysis

max time kernel
0s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087c29fe563798806ba2b96ea5ad676c.exe
Size

759KB
MD5

087c29fe563798806ba2b96ea5ad676c
SHA1

7da357dad0c9e1ec4d0e0ddbd9f9f67a41a41a3a
SHA256

15efbc5e030d88f2901c94a9d991aeba80f495a602f874420483eafa88047ae4
SHA512

cb65026717d1c9364ba700bbb53453a7aa7a855913b1b752dc560db9d63490f32364aa782cdb26304242f23b31cffddd09f434510742feb33cd1e8da65e6cbf1
SSDEEP

12288:ae053Ys2ZELwbbuMc0ckdSq7yvRajGvuUrSRynv9rVlwVALGZkZPCfCvIqLmwl5y:aeDs2ZEL8CM3cuvQajAuYnvUucOUWlXY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4420	1432479682.exe

Loads dropped DLL 2 IoCs

pid	Process
4740	087c29fe563798806ba2b96ea5ad676c.exe
4740	087c29fe563798806ba2b96ea5ad676c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4512	4420	WerFault.exe	32

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2228	wmic.exe
Token: SeSecurityPrivilege	2228	wmic.exe
Token: SeTakeOwnershipPrivilege	2228	wmic.exe
Token: SeLoadDriverPrivilege	2228	wmic.exe
Token: SeSystemProfilePrivilege	2228	wmic.exe
Token: SeSystemtimePrivilege	2228	wmic.exe
Token: SeProfSingleProcessPrivilege	2228	wmic.exe
Token: SeIncBasePriorityPrivilege	2228	wmic.exe
Token: SeCreatePagefilePrivilege	2228	wmic.exe
Token: SeBackupPrivilege	2228	wmic.exe
Token: SeRestorePrivilege	2228	wmic.exe
Token: SeShutdownPrivilege	2228	wmic.exe
Token: SeDebugPrivilege	2228	wmic.exe
Token: SeSystemEnvironmentPrivilege	2228	wmic.exe
Token: SeRemoteShutdownPrivilege	2228	wmic.exe
Token: SeUndockPrivilege	2228	wmic.exe
Token: SeManageVolumePrivilege	2228	wmic.exe
Token: 33	2228	wmic.exe
Token: 34	2228	wmic.exe
Token: 35	2228	wmic.exe
Token: 36	2228	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4420	4740	087c29fe563798806ba2b96ea5ad676c.exe	32
PID 4740 wrote to memory of 4420	4740	087c29fe563798806ba2b96ea5ad676c.exe	32
PID 4740 wrote to memory of 4420	4740	087c29fe563798806ba2b96ea5ad676c.exe	32
PID 4420 wrote to memory of 2228	4420	1432479682.exe	23
PID 4420 wrote to memory of 2228	4420	1432479682.exe	23
PID 4420 wrote to memory of 2228	4420	1432479682.exe	23

C:\Users\Admin\AppData\Local\Temp\087c29fe563798806ba2b96ea5ad676c.exe
"C:\Users\Admin\AppData\Local\Temp\087c29fe563798806ba2b96ea5ad676c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\1432479682.exe
  C:\Users\Admin\AppData\Local\Temp\1432479682.exe 5|8|5|4|3|2|8|5|5|8|4 KkhEQDowLzIyGCtOTT1MRkI1KxsnSkBMUktPSUE/OCkcKjxET1FHPDgtLDIrKRsrQEc8OCsYK0tKSkBSQUxaRDw5LC40MB0tS0BNTkFNV1BOSTtgb29oNionbm5zLDxATkMpT0dLKT5OSClERkJKGCo/SUc7RkQ8OXBaXmEzLygzLC0xMCxgNWBgMTFgKS0vLjM1Xx4nPyw1KSwYKkAvOyUsGydALjUoLR0tPC84JS0bJz8xOispGypITko8UD9RXUhNRE49PlE4HCxOSko/TT9PV0BRST81GypITko8UD9RXUY8SD05GydAVEJdTU1HNRwqPVNBXEFFP0dBSkA1GytFTUtPWjpOSk9OQU87KhsqTEQ8RkZVTFNXUE1EORsnUUk6MBgqP0stOBgqTlJMTERIPVtSPUc/TEs9REg5Q0BNTUg6HidETldOUEZPRUpDNW9tbWEbJ01BUVNKSURGQ1pNTkFPXTw8VEs5LRgqREZCPVM4KRwqQU5bQVdGPEhBP1o9ST9PV0hPQDw5YVlnb2IeJz9KT0pHRzxAXEdIOCwwNCkqLiwrLy4pLCo1GydPRUpDNSwvKy4vMDItNDUYKj9HU0lESj1BXUxESD05MCctMCwwKCwwIjE1KDE2LjUiS0g=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 964
    3⤵
    - Program crash
    PID:4512

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703969895.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703969895.txt bios get version
1⤵
PID:1160

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703969895.txt bios get version
1⤵
PID:4268

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703969895.txt bios get version
1⤵
PID:4824

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703969895.txt bios get version
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy4353.tmp\iymcmjl.dll

Filesize
32KB

MD5
f102621cd0801a3267bc2f689e8a4d9d

SHA1
442868bd87388f793743eea22206ec750369b6a7

SHA256
871c989fbabb76ad84e4be08efd8d68c6f5ae7dd9048d7ce235da3cf3747af33

SHA512
e7dbb0601a4ba17a31be08f9417d564fc687a5fd192a86d8f7578d31e0a7783a5eabae04dc7e74a4f7098cc2bfb40b1fe0ec5b201862b75ce164e237a7370b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4353.tmp\iymcmjl.dll

Filesize
4KB

MD5
0a4211b2ed65f0fcf3180ae12e165c88

SHA1
349d8ae375e728c49a608077ce1ceb8245630cf2

SHA256
0f9c6b9a705eca461134afca8c1e0e072c2d627b2607133a76d0b6caa81a11f6

SHA512
de8ee84cd19a4b6b9f23b6dab793078984c41a611b5b7d15c726a78a388bd691bca7141a2e1a76a302dcf9feda8f909f3b5999b850a5e555d37c64467a3c47a6

Download Submit