06a951be886b3b276e79d7657afc1d6adf3ccf9edc64704a31c74dad0a63f9f7

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c943a71adaecce1bf7b424e11563c87.exe
Size

920KB
MD5

1c943a71adaecce1bf7b424e11563c87
SHA1

b41c59594653625092b6b1e5edb64ba74f35dcb9
SHA256

06a951be886b3b276e79d7657afc1d6adf3ccf9edc64704a31c74dad0a63f9f7
SHA512

06b4dde1da068b339754d8aa7528409422facd59393a6b4f9ce71a6bbb11a589d160cb4c2ce89dacc369cedbf94e59261b6b32a2036b7532e3d74aef16abf5b6
SSDEEP

24576:YeHXdyZNrNF/4lgGhpwJxmntY1VKc9IsTELQ:3HXc3BqXp6fScKsIL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	f.exe

Loads dropped DLL 2 IoCs

pid	Process
1116	1c943a71adaecce1bf7b424e11563c87.exe
1116	1c943a71adaecce1bf7b424e11563c87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	2224	WerFault.exe	20

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version\ = "1.0"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Programmable	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\ = "SmartInstallerLib"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS\ = "0"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\ = "CBrowserExternal Class"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe\""	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals"	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}	f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	f.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3552	wmic.exe
Token: SeSecurityPrivilege	3552	wmic.exe
Token: SeTakeOwnershipPrivilege	3552	wmic.exe
Token: SeLoadDriverPrivilege	3552	wmic.exe
Token: SeSystemProfilePrivilege	3552	wmic.exe
Token: SeSystemtimePrivilege	3552	wmic.exe
Token: SeProfSingleProcessPrivilege	3552	wmic.exe
Token: SeIncBasePriorityPrivilege	3552	wmic.exe
Token: SeCreatePagefilePrivilege	3552	wmic.exe
Token: SeBackupPrivilege	3552	wmic.exe
Token: SeRestorePrivilege	3552	wmic.exe
Token: SeShutdownPrivilege	3552	wmic.exe
Token: SeDebugPrivilege	3552	wmic.exe
Token: SeSystemEnvironmentPrivilege	3552	wmic.exe
Token: SeRemoteShutdownPrivilege	3552	wmic.exe
Token: SeUndockPrivilege	3552	wmic.exe
Token: SeManageVolumePrivilege	3552	wmic.exe
Token: 33	3552	wmic.exe
Token: 34	3552	wmic.exe
Token: 35	3552	wmic.exe
Token: 36	3552	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2224	1116	1c943a71adaecce1bf7b424e11563c87.exe	20
PID 1116 wrote to memory of 2224	1116	1c943a71adaecce1bf7b424e11563c87.exe	20
PID 1116 wrote to memory of 2224	1116	1c943a71adaecce1bf7b424e11563c87.exe	20
PID 2224 wrote to memory of 3552	2224	f.exe	22
PID 2224 wrote to memory of 3552	2224	f.exe	22
PID 2224 wrote to memory of 3552	2224	f.exe	22

C:\Users\Admin\AppData\Local\Temp\1c943a71adaecce1bf7b424e11563c87.exe
"C:\Users\Admin\AppData\Local\Temp\1c943a71adaecce1bf7b424e11563c87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\f.exe
  C:\Users\Admin\AppData\Local\Temp\f.exe /PID=7302 /SUBPID=-1 /DISTID=1775 /NETWORKID=0 /CID=0 /PRODUCT_ID=1694 /SERVER_URL=http://installer.apps-track.com /CLICKID=808931009 /D1=14321 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_NAME= /PRODUCT_EULA= /PRODUCT_PRIVACY= /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /IS_RUNTIME=true /THANKYOU_URL= /RETURNING_USER_DAYS=2 /VM=2
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 692
    3⤵
    - Program crash
    PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2224 -ip 2224
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit