d1c70c3d08dfad1d9cd705285da2e7d8082d832355baa8bad4549a75cdcc89b0

Analysis

max time kernel
0s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

134b2977a591cd3e9b423d3c4aabdd5d.exe
Size

581KB
MD5

134b2977a591cd3e9b423d3c4aabdd5d
SHA1

25396df6b0445a0408c7df9b2a2fc148d3f3db90
SHA256

d1c70c3d08dfad1d9cd705285da2e7d8082d832355baa8bad4549a75cdcc89b0
SHA512

39246aabf6a5ba557f9092494a11bc0993f87256848d43c2c1c200bcf3cc5937f19816812f8198e4a7f9d306527fcdc45f6c22fac777d5b215883f3722503122
SSDEEP

12288:ZkDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+q:ZeJbl+36tKPdhJ7z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4908	1431831751.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	134b2977a591cd3e9b423d3c4aabdd5d.exe
2424	134b2977a591cd3e9b423d3c4aabdd5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1316	4908	WerFault.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2224	wmic.exe
Token: SeSecurityPrivilege	2224	wmic.exe
Token: SeTakeOwnershipPrivilege	2224	wmic.exe
Token: SeLoadDriverPrivilege	2224	wmic.exe
Token: SeSystemProfilePrivilege	2224	wmic.exe
Token: SeSystemtimePrivilege	2224	wmic.exe
Token: SeProfSingleProcessPrivilege	2224	wmic.exe
Token: SeIncBasePriorityPrivilege	2224	wmic.exe
Token: SeCreatePagefilePrivilege	2224	wmic.exe
Token: SeBackupPrivilege	2224	wmic.exe
Token: SeRestorePrivilege	2224	wmic.exe
Token: SeShutdownPrivilege	2224	wmic.exe
Token: SeDebugPrivilege	2224	wmic.exe
Token: SeSystemEnvironmentPrivilege	2224	wmic.exe
Token: SeRemoteShutdownPrivilege	2224	wmic.exe
Token: SeUndockPrivilege	2224	wmic.exe
Token: SeManageVolumePrivilege	2224	wmic.exe
Token: 33	2224	wmic.exe
Token: 34	2224	wmic.exe
Token: 35	2224	wmic.exe
Token: 36	2224	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4908	2424	134b2977a591cd3e9b423d3c4aabdd5d.exe	35
PID 2424 wrote to memory of 4908	2424	134b2977a591cd3e9b423d3c4aabdd5d.exe	35
PID 2424 wrote to memory of 4908	2424	134b2977a591cd3e9b423d3c4aabdd5d.exe	35
PID 4908 wrote to memory of 2224	4908	1431831751.exe	20
PID 4908 wrote to memory of 2224	4908	1431831751.exe	20
PID 4908 wrote to memory of 2224	4908	1431831751.exe	20

C:\Users\Admin\AppData\Local\Temp\134b2977a591cd3e9b423d3c4aabdd5d.exe
"C:\Users\Admin\AppData\Local\Temp\134b2977a591cd3e9b423d3c4aabdd5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 2)1)2)6)1)3)2)8)4)4)9 LU9HPjwwLiouHCZRVEBKSEE7KBwrRUNTVUlRSEc8OSwXLUNHTVNGQjUuMyk1MR4pQkZCNSwcJk5RTT5UQFJXRUA0LzU3Lh8sUT1OUjxQXlNMSzpmbHBsMS0ucWx1K0I9T0ckUk5OJ0BNTiZFSj1NHy09S0ZBQ0VANHVDQT5EUEI9SE1LLkVJM0pENy9SLT5QTh4pQy47KS0sJzMfLT4xOispHCs7MTwrKx8sQiw5KSgeLkIvPCovGCtMSU1DUz1TXE5KRVI4QVg7Gi5NUEdAUTpSXkNPSz47GCtMSU1DUz1TXEw5SUE0Hi5DUkRcU0pIORctRFY/XkBLPEhFRUM8HilHTFFMWz5JTVZRP1E6LhgrUD8/TUlTTlJdTU5INB4uVEc8Lx4nQE8oOx8tTFRLUkFJQVZVREo9TkpDQUk9PkNUUEY8HS1BT1tJU01SQ0xCO2xucVweLlA/U1JQRkVKPl1UUT9RXEI5VU80MB8tQkhBQ1A5LRctSFFZQ1ZMOUlFOl1ETD1RVk5MQUA0ZGBqbWQdLTxLU0VKTj8+XkZONTIyJTAzNyg3MCwpMzQXLVNHR0Q6LywvLS8xNjMrNh0tPEtTRUpOPz5eUUdFQTksLTA1KTEtLy0mMDExNzgtNic/RRwrTD88S2l5ZmpkXSEpZDQsKiolVWFqYGZ1cilIUyg0Ji0hKmAqVUlWMzIdL14iUnFnXmRrch0uYi4sLyMtYShwbiEvWC8wLCooKGphZ2EiRWRhZW4dLU1OSDRmc3JqJDBfHS5iHDBlZV9zLiwoLS0oYmRxY2ZrLGFqYmYjMWRMdGtSYWlhO212bGZuXmJFXWpYZWRwWWNibmRrdRwwZS8uMi42KzMxKDYkMGBjbHVmaGtYYmxfaGBkY2ohLl0vMzErNzA1LS00HDFlMiwwMi8wNCwoMjFXLE13UWJVb0UxQDZGeDFzRT9SXU5CbXBMZ1dtRkNeNUxCPzNJQC1xTDp1alc9NzVKPD1rQkJUalNDPjNDdj1fV3hxK0tRP2FVZjg1S0Fxa1VBKDVIOi5qV2djb1c/LVZRVVQ2XDFLdVsuNF9XbFBiWC9uZFVmYy9QeC9DTVNsQU48Zk9TPTRDUGJkQEd4ajBPaDZCTUEwX19FcmhhZ3Vt
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010211.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010211.txt bios get version
1⤵
PID:636

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010211.txt bios get version
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4908 -ip 4908
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 952
1⤵
- Program crash
PID:1316

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010211.txt bios get version
1⤵
PID:3680

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010211.txt bios get version
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq5593.tmp\cgibuti.dll

Filesize
92KB

MD5
fa7ab2f9e55099d427a2709bca4321bd

SHA1
8e93b36e481739b42ce7e70cf5ae2274604c0407

SHA256
d52a5ccb69a94f708561c07027880875e528337bf1645094a72c19f1b0e6b7c1

SHA512
8f6c5dbd860c99c16f061ab18bacfb8427ab0c4b63ffa624a07af4a5b4d582dfc0b9968d3f42a28466af552a233b6ea643a950461dc3baa8e18597cf94800e1c

Download Submit