0c4cd60a8770e657c3dc4d160d99bf29f8481226890f362580d3c3a729ccc3a6

Analysis

max time kernel
117s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b92b052457511c214db0b8f2faf0c30.exe
Size

955KB
MD5

0b92b052457511c214db0b8f2faf0c30
SHA1

95d8b72b8a700a88ad5cebc591abe626c7507735
SHA256

0c4cd60a8770e657c3dc4d160d99bf29f8481226890f362580d3c3a729ccc3a6
SHA512

4f8cce68b9c6971455ac07a9c0fdd13b60edd9c257546bfde975dae66ea60fba1010f4f6d658bb048901211a3a8f2cd52c4026192a4291796d3f6448fa8ac9e1
SSDEEP

12288:JYlRFHBdIwCDrA6hWVz0v/Cya+sNzaOvoJpaz/g/J/vVWyM:ulzhOwCDE6hCOo+sNH8az/g/J/NWy

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	0b92b052457511c214db0b8f2faf0c30.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	259446869.exe

Loads dropped DLL 11 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
2708	259446869.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1708-41-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259446869.exe	0b92b052457511c214db0b8f2faf0c30.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\fonts\pci.sys	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2708	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
1708	0b92b052457511c214db0b8f2faf0c30.exe
2160	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	0b92b052457511c214db0b8f2faf0c30.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	1708	0b92b052457511c214db0b8f2faf0c30.exe
Token: SeDebugPrivilege	2160	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2160	1708	0b92b052457511c214db0b8f2faf0c30.exe	28
PID 1708 wrote to memory of 2708	1708	0b92b052457511c214db0b8f2faf0c30.exe	31
PID 1708 wrote to memory of 2708	1708	0b92b052457511c214db0b8f2faf0c30.exe	31
PID 1708 wrote to memory of 2708	1708	0b92b052457511c214db0b8f2faf0c30.exe	31
PID 1708 wrote to memory of 2708	1708	0b92b052457511c214db0b8f2faf0c30.exe	31
PID 2708 wrote to memory of 2664	2708	259446869.exe	32
PID 2708 wrote to memory of 2664	2708	259446869.exe	32
PID 2708 wrote to memory of 2664	2708	259446869.exe	32
PID 2708 wrote to memory of 2664	2708	259446869.exe	32
PID 1708 wrote to memory of 2504	1708	0b92b052457511c214db0b8f2faf0c30.exe	33
PID 1708 wrote to memory of 2504	1708	0b92b052457511c214db0b8f2faf0c30.exe	33
PID 1708 wrote to memory of 2504	1708	0b92b052457511c214db0b8f2faf0c30.exe	33
PID 1708 wrote to memory of 2504	1708	0b92b052457511c214db0b8f2faf0c30.exe	33

C:\Users\Admin\AppData\Local\Temp\0b92b052457511c214db0b8f2faf0c30.exe
"C:\Users\Admin\AppData\Local\Temp\0b92b052457511c214db0b8f2faf0c30.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\259441846.dll testall
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SysWOW64\259446869.exe
  "C:\Windows\system32\259446869.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 212
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kl78a.bat" "
  2⤵
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kl78a.bat

Filesize
2KB

MD5
02d9d918fa8b60987185a61ce70cc334

SHA1
5425ad813a105fd0ddf3ee0308007fcfb3d65373

SHA256
5d4f091e6c30078388efe7609645cbd36c115b14fcca7d400b1ed0c3c1b3cd2d

SHA512
00f7f6f979998884256a28b18774a83e4be675dda96f86dcf77b84f4a78a96ed2c998c86a9a2af182c31c8f07e6c00a4e854b0257b89a6d873b1747bd3b12cbd

Download Submit
\Users\Admin\AppData\Local\Temp\259441846.dll

Filesize
14KB

MD5
962cab8783e4346bf2fd5ac1530a820e

SHA1
e5fa0795fafc737f13746ef09b63549bf965a627

SHA256
d443d789343c7509885062da36ca881c436bb4a0ff2e1facde138727b5c5699a

SHA512
5047c747925f6fc792b6929d19706fed5517a002a8bbf5a7c69d3142e5614b80b53c02b585846002a17e8433cf7c415852bda4abeaa77745c4048c376c6301af

Download Submit
\Users\Admin\AppData\Local\Temp\opeD8C2.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\259446869.exe

Filesize
12KB

MD5
a8528adb7b7c714cd966df5dcbf3e0af

SHA1
443ecbe1be975c3249f8817f6041556bbc52a82a

SHA256
140b915394135458d28f68d58bcd304d23bbbfe94fb06e817e951f96c59be823

SHA512
22a673ea4f75d4864de5846bc7901b88399fbad7fe8ef4fd325b6e46a81c13919df2238cde100ae83dff4ffafcca8805ca1734d516f36ebd4ccaa91278562b4e

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1708-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2160-6-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2160-8-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2160-9-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download