873ea5b7fa8f0c6b6b1658b251c8f4777de81a351962212bae92682f4a40ed37

Analysis

max time kernel
149s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1226b10915dbb4ea210703467fbcf03e.exe
Size

635KB
MD5

1226b10915dbb4ea210703467fbcf03e
SHA1

7f425dc984c52939efdfb6e5ba243986df303fdb
SHA256

873ea5b7fa8f0c6b6b1658b251c8f4777de81a351962212bae92682f4a40ed37
SHA512

f6b09a5fcbaa0a9387305f12979e4e59907de4f25ae9627e7c61b934a1edf13a37981ab5b3abba83bda718c824c4df6821ead314e6d01213edab34ae3c8995f6
SSDEEP

12288:uFHhydILp2G2ePQ8rYP8arNDBDKK9DxwDvNSc5jKfc8vy4h8:u2dqsbePafDKK9DUYC86v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	1432641720.exe

Loads dropped DLL 2 IoCs

pid	Process
1108	1226b10915dbb4ea210703467fbcf03e.exe
1108	1226b10915dbb4ea210703467fbcf03e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	2408	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1528	wmic.exe
Token: SeSecurityPrivilege	1528	wmic.exe
Token: SeTakeOwnershipPrivilege	1528	wmic.exe
Token: SeLoadDriverPrivilege	1528	wmic.exe
Token: SeSystemProfilePrivilege	1528	wmic.exe
Token: SeSystemtimePrivilege	1528	wmic.exe
Token: SeProfSingleProcessPrivilege	1528	wmic.exe
Token: SeIncBasePriorityPrivilege	1528	wmic.exe
Token: SeCreatePagefilePrivilege	1528	wmic.exe
Token: SeBackupPrivilege	1528	wmic.exe
Token: SeRestorePrivilege	1528	wmic.exe
Token: SeShutdownPrivilege	1528	wmic.exe
Token: SeDebugPrivilege	1528	wmic.exe
Token: SeSystemEnvironmentPrivilege	1528	wmic.exe
Token: SeRemoteShutdownPrivilege	1528	wmic.exe
Token: SeUndockPrivilege	1528	wmic.exe
Token: SeManageVolumePrivilege	1528	wmic.exe
Token: 33	1528	wmic.exe
Token: 34	1528	wmic.exe
Token: 35	1528	wmic.exe
Token: 36	1528	wmic.exe
Token: SeIncreaseQuotaPrivilege	1528	wmic.exe
Token: SeSecurityPrivilege	1528	wmic.exe
Token: SeTakeOwnershipPrivilege	1528	wmic.exe
Token: SeLoadDriverPrivilege	1528	wmic.exe
Token: SeSystemProfilePrivilege	1528	wmic.exe
Token: SeSystemtimePrivilege	1528	wmic.exe
Token: SeProfSingleProcessPrivilege	1528	wmic.exe
Token: SeIncBasePriorityPrivilege	1528	wmic.exe
Token: SeCreatePagefilePrivilege	1528	wmic.exe
Token: SeBackupPrivilege	1528	wmic.exe
Token: SeRestorePrivilege	1528	wmic.exe
Token: SeShutdownPrivilege	1528	wmic.exe
Token: SeDebugPrivilege	1528	wmic.exe
Token: SeSystemEnvironmentPrivilege	1528	wmic.exe
Token: SeRemoteShutdownPrivilege	1528	wmic.exe
Token: SeUndockPrivilege	1528	wmic.exe
Token: SeManageVolumePrivilege	1528	wmic.exe
Token: 33	1528	wmic.exe
Token: 34	1528	wmic.exe
Token: 35	1528	wmic.exe
Token: 36	1528	wmic.exe
Token: SeIncreaseQuotaPrivilege	1504	wmic.exe
Token: SeSecurityPrivilege	1504	wmic.exe
Token: SeTakeOwnershipPrivilege	1504	wmic.exe
Token: SeLoadDriverPrivilege	1504	wmic.exe
Token: SeSystemProfilePrivilege	1504	wmic.exe
Token: SeSystemtimePrivilege	1504	wmic.exe
Token: SeProfSingleProcessPrivilege	1504	wmic.exe
Token: SeIncBasePriorityPrivilege	1504	wmic.exe
Token: SeCreatePagefilePrivilege	1504	wmic.exe
Token: SeBackupPrivilege	1504	wmic.exe
Token: SeRestorePrivilege	1504	wmic.exe
Token: SeShutdownPrivilege	1504	wmic.exe
Token: SeDebugPrivilege	1504	wmic.exe
Token: SeSystemEnvironmentPrivilege	1504	wmic.exe
Token: SeRemoteShutdownPrivilege	1504	wmic.exe
Token: SeUndockPrivilege	1504	wmic.exe
Token: SeManageVolumePrivilege	1504	wmic.exe
Token: 33	1504	wmic.exe
Token: 34	1504	wmic.exe
Token: 35	1504	wmic.exe
Token: 36	1504	wmic.exe
Token: SeIncreaseQuotaPrivilege	1504	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2408	1108	1226b10915dbb4ea210703467fbcf03e.exe	91
PID 1108 wrote to memory of 2408	1108	1226b10915dbb4ea210703467fbcf03e.exe	91
PID 1108 wrote to memory of 2408	1108	1226b10915dbb4ea210703467fbcf03e.exe	91
PID 2408 wrote to memory of 1528	2408	1432641720.exe	92
PID 2408 wrote to memory of 1528	2408	1432641720.exe	92
PID 2408 wrote to memory of 1528	2408	1432641720.exe	92
PID 2408 wrote to memory of 1504	2408	1432641720.exe	96
PID 2408 wrote to memory of 1504	2408	1432641720.exe	96
PID 2408 wrote to memory of 1504	2408	1432641720.exe	96
PID 2408 wrote to memory of 2516	2408	1432641720.exe	98
PID 2408 wrote to memory of 2516	2408	1432641720.exe	98
PID 2408 wrote to memory of 2516	2408	1432641720.exe	98
PID 2408 wrote to memory of 5116	2408	1432641720.exe	100
PID 2408 wrote to memory of 5116	2408	1432641720.exe	100
PID 2408 wrote to memory of 5116	2408	1432641720.exe	100
PID 2408 wrote to memory of 5088	2408	1432641720.exe	102
PID 2408 wrote to memory of 5088	2408	1432641720.exe	102
PID 2408 wrote to memory of 5088	2408	1432641720.exe	102

C:\Users\Admin\AppData\Local\Temp\1226b10915dbb4ea210703467fbcf03e.exe
"C:\Users\Admin\AppData\Local\Temp\1226b10915dbb4ea210703467fbcf03e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\1432641720.exe
  C:\Users\Admin\AppData\Local\Temp\1432641720.exe 5]3]7]9]7]3]5]7]9]9]2 Kk1COzYuNCwtKh4qUE45SUY/NicXLUlCTU5IT0ZCOzQvIC8pZ2tsX25aa2xcal40S2JkZlheYxssPUBMUUQ9NCk1Mi4rFyhARD00Jx4qTUtGPVI+TVZAQjgvLzAtMBsoSjxQUUJLVk5PRzZfa3JrNygmbG9xJzs8UUYqTUZJKjxJRyVHSUNIFyhAR0I6Qkc/OhkmPS44JigXLT8vNiQqHSo9KjQrLB0oOy06KCoXJkIwOiYoGSxLS0Y7Uz5RWEdLRlE6OlA7GyxJSUhBUDxLVkNQSTo0GSxLS0Y7Uz5RWEU6SkA2FyZDU0JYTEtJOBkmPFZAXDxEPUlERzw0HipFSEpNXD1LRk5RQE82LBksT0E4RUlUTE5WTk9HNhcmVEg6KxcoQU4qNBctTVJHS0JKQFhOPEo+TEY8Qko8QDxMUEc6GSZCUFpLTEVSREo+NG1vcF4XJlBAUU5JR0ZJQFZMUUBPWDs6Vk42KRctQ0Y9PFE6LBkmQFFaQVJFOkpEPFY8TD5PUkdNQj82XVhqbmIZJj1MUkdDRj8/XEJHNjYwJyswLC4yJygxMRsoS0BLQDoqKywvMS0uKzAtHSg7SFRJRUY4QlpRQkQ+OjAoKS0tLS0qLCMuNSwuMS4tJ0lE
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704001735.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704001735.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704001735.txt bios get version
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704001735.txt bios get version
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704001735.txt bios get version
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 856
    3⤵
    - Program crash
    PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2408 -ip 2408
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432641720.exe

Filesize
755KB

MD5
0fb464acb03b761397f14784bc5bbf8c

SHA1
0a613b0fd68f5d9db9d2419fe4ff1ceeee993283

SHA256
cc61853ed62d06d18a3d86c1c5220fc8ca8552c851e2f7f4c4a2f2e92d79da7a

SHA512
434dee239f755c640979dd5bd4c3fc10c10374f6752563be8b4cbd12ec5f5c99ddebb70bee0f086d37ca573040324b80f1320c58e61ae36c087c9ce7d576a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704001735.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704001735.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq879B.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq879B.tmp\penhmpp.dll

Filesize
153KB

MD5
ccf576a86d9ddc12280e11775675c32b

SHA1
337aba595ace77891c02a28e7dd14f421fc60b08

SHA256
a74ce0894e4c42e6fbbdb9f89d14c1576908a62270a4c546587f0a10530d1da2

SHA512
a68ed8eaeadc57f9ffbd73817ea3bd2bf947b573effd0288fdc019f0948451194384c7417cd29deddfe0775f32959bbb22bda8d9f9b045992ad4ebfea2b06a4a

Download Submit