029e965acc794e032f898972d35fa297cc7370b5551bb4c63feb35827387a703

Analysis

max time kernel
0s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:35

Target

0bd8e50d0d9bf2bb1d8da98510d7741e.exe
Size

15KB
MD5

0bd8e50d0d9bf2bb1d8da98510d7741e
SHA1

7a14868f4683d4ecc34e58cf8f59c79bb57af7dd
SHA256

029e965acc794e032f898972d35fa297cc7370b5551bb4c63feb35827387a703
SHA512

5b50d8c057da3a0be59b54ef70667014b5ab6d8c4a9c7345ecae9c483e9519d7f55bcad2b8a16fbd6bd72d41a75a64a2844b012a2253d0dfab43277b76a4639a
SSDEEP

384:GOzchOtS/GLHvytFBZg8YxboQmulVbZb7OEzWq7XW3S4moV:FchuSAHs7AhFIiIS4mY

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4592	4808	WerFault.exe	14

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	0bd8e50d0d9bf2bb1d8da98510d7741e.exe
Token: SeSystemtimePrivilege	4808	0bd8e50d0d9bf2bb1d8da98510d7741e.exe

C:\Users\Admin\AppData\Local\Temp\0bd8e50d0d9bf2bb1d8da98510d7741e.exe
"C:\Users\Admin\AppData\Local\Temp\0bd8e50d0d9bf2bb1d8da98510d7741e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:448
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:844
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:4012
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:4984
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:4316
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1160
  2⤵
  - Program crash
  PID:4592
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4808 -ip 4808
1⤵
PID:728

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/4808-0-0x0000000013140000-0x000000001314B000-memory.dmp

Filesize
44KB

Download
memory/4808-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4808-2-0x0000000013140000-0x000000001314B000-memory.dmp

Filesize
44KB

Download