9da4b8ec88c9d41dd3bdb5f2c16550f57238e0b7c686c6e1a1e71886dedd15b1

Analysis

max time kernel
0s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135cbec618493ced3374ecc4cf78ee8f.exe
Size

677KB
MD5

135cbec618493ced3374ecc4cf78ee8f
SHA1

40cff422b05a3fbfce7dfb1943549380682d76d6
SHA256

9da4b8ec88c9d41dd3bdb5f2c16550f57238e0b7c686c6e1a1e71886dedd15b1
SHA512

41b00fdeb3e0980854194da5ed86359518fa2d5f67501320619982ad3cd2865535bd5eae4d9f49faa79f65a286b988cf1864ee7c640b30ff90e90d0e678c1866
SSDEEP

12288:eQrMVF0tn9VtwF5EZa08UeJaGhTGlbyz7QuxZEfrP+UwaVbVr0V7fbT:eQrMVFO9Vtwfm8NJagsK7HZEjGRaVbVU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	1432090882.exe

Loads dropped DLL 4 IoCs

pid	Process
1684	135cbec618493ced3374ecc4cf78ee8f.exe
1684	135cbec618493ced3374ecc4cf78ee8f.exe
1684	135cbec618493ced3374ecc4cf78ee8f.exe
1684	135cbec618493ced3374ecc4cf78ee8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
320	2112	WerFault.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2112	1684	135cbec618493ced3374ecc4cf78ee8f.exe	29
PID 1684 wrote to memory of 2112	1684	135cbec618493ced3374ecc4cf78ee8f.exe	29
PID 1684 wrote to memory of 2112	1684	135cbec618493ced3374ecc4cf78ee8f.exe	29
PID 1684 wrote to memory of 2112	1684	135cbec618493ced3374ecc4cf78ee8f.exe	29
PID 2112 wrote to memory of 2796	2112	1432090882.exe	18
PID 2112 wrote to memory of 2796	2112	1432090882.exe	18
PID 2112 wrote to memory of 2796	2112	1432090882.exe	18
PID 2112 wrote to memory of 2796	2112	1432090882.exe	18
PID 2112 wrote to memory of 2616	2112	1432090882.exe	28
PID 2112 wrote to memory of 2616	2112	1432090882.exe	28
PID 2112 wrote to memory of 2616	2112	1432090882.exe	28
PID 2112 wrote to memory of 2616	2112	1432090882.exe	28

C:\Users\Admin\AppData\Local\Temp\135cbec618493ced3374ecc4cf78ee8f.exe
"C:\Users\Admin\AppData\Local\Temp\135cbec618493ced3374ecc4cf78ee8f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\1432090882.exe
  C:\Users\Admin\AppData\Local\Temp\1432090882.exe 2|8|1|7|7|0|1|7|3|6|1 LUhIPTYzLysvGi5RTUFJQkQ8KR0pTUNMVkhLS0g9OiofLTxITE1JQzYvLjUuKR8oPElDNi0aLk5KTj1OQ1NYRj48Ly44LRkvUj5PUERQV1RLRT1nbXFqOS0ncmtvLkM+UEUsUkdPJjpQTydGSEVNGC48RUlCREY+PHUoR05ENTVGQCo2Nk1HREIwTDtAPE5QLh8oPTE8LDAxNTIpHyg9MjwmLhouQis8JiogLj0xNywvGC49Lj0sKh0pT1BHQ048VF5JT0NVPztYNhkvT0tMPlRBTF4+TkxANh0pT1BHQ048VF5HPkdEOxguPlFFXk5PRjweJ0RRPl9CRkFGSEw9PBkoSE5MUVlBUEdWTD5SPCsdKVNGOU1EUk9UWFJMSzsYLk9GPTEZLD5SLzUfKEtVTU1GR0RdT0RFPE9MPkZHQEU9VEtFPR8oRk1eUE1NTUJNRDZxbHRjGC5LPlRUS0tDTUVXVEw+Ul49PlNSOyofKEFJQz5VNzAeJ0hMWERYRz5HSEFXREc8UlhJUT9DO15gZWxlHyhBSVZMRE46PV9ISToxOCwpNS4nMS8sKys3NxguTUJNRDYuLjIwKS8rLjQ2GSw+TlVGS0g6RF5NRkdEOy0uKykvMSkuLyk0MjAuMzQ2Iz5HHy1NQDZGb3liaWZgIyplLicwKiFUY21iZ3ZsJE5TJDMoMCMrYSRQT1YvMSMqP2hvZV5XZFtIY3MjKmUuLDctLDMlJ0lAU0ZFJTFcKGZoaV0qQF5jamgmJUJmam5mXiUxXzArLS4mMC8uMC0uNCVSX15ga2IlMV8yLTYsKzUkSFBRHi9gMDYmLycqMjctKy44KSBEXWJ0aGhrJVh2IR8oTlJLNmVuc24dMloeMmUeL2BmY2wwJykxMCphX3JnX20nYm5laCIsZVBtbU1ibWQ9bHFtamdgXUZhbVpkX3FdXGRpZW94Hi9gMDIrMSopMjQuLh8xZFxucGdsblphZ2BsWWZeayUxXy4uMjApLysuNTAeMGA0MzA1KzIzLyo1MVhrOnJEc1kxW1EqeEk7cm1CVnYsSj1yeEVDOl5aU2BwRmlLcUdQbDlLcTJeS0JfcUVNVXNGUT9rVjtyLURDamBWY240RFM6XlhSMTFEUnFjVnNCOUs8aGBYVUpqUSt4WFpqTzdfKTRvXEdmYFZRTWtRMWlhWFNhdkVESExQY0IyUz1wakxoRk1KZGxARVIrQU1yc0RNUzNgVytvcVppcGo=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010825.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010825.txt bios get version
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 368
1⤵
- Program crash
PID:320

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010825.txt bios get version
1⤵
PID:3000

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010825.txt bios get version
1⤵
PID:2604

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704010825.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads