1a87451a85c7b827c7f96c67dd9e1ba412677fa0037611699ce36b2781308de2

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24f951dcaa2809ecb6f035cb0b12aafa.exe
Size

623KB
MD5

24f951dcaa2809ecb6f035cb0b12aafa
SHA1

2f4b4437d6d1673338314690f26f0e7da5967c0a
SHA256

1a87451a85c7b827c7f96c67dd9e1ba412677fa0037611699ce36b2781308de2
SHA512

541f865daa0c16d094813b15caea91f1056c0981e74b13652b2984ecb3dd5b4f1d62e84c333fbf7db53c2aef3439ba21a2e25a4c9e4611bb317aed7c7105c1bd
SSDEEP

12288:W/pmxj3G/wxxAeFSZMCM2cjnt+m/SS2qzjqWiaiueAQPfXUlJdmklY:W/gxj0OxAeFvCIn0mAqHHbQPf0dmke

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1332	1430881320.exe

Loads dropped DLL 11 IoCs

pid	Process
2356	24f951dcaa2809ecb6f035cb0b12aafa.exe
2356	24f951dcaa2809ecb6f035cb0b12aafa.exe
2356	24f951dcaa2809ecb6f035cb0b12aafa.exe
2356	24f951dcaa2809ecb6f035cb0b12aafa.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	1332	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe
Token: SeSystemProfilePrivilege	2692	wmic.exe
Token: SeSystemtimePrivilege	2692	wmic.exe
Token: SeProfSingleProcessPrivilege	2692	wmic.exe
Token: SeIncBasePriorityPrivilege	2692	wmic.exe
Token: SeCreatePagefilePrivilege	2692	wmic.exe
Token: SeBackupPrivilege	2692	wmic.exe
Token: SeRestorePrivilege	2692	wmic.exe
Token: SeShutdownPrivilege	2692	wmic.exe
Token: SeDebugPrivilege	2692	wmic.exe
Token: SeSystemEnvironmentPrivilege	2692	wmic.exe
Token: SeRemoteShutdownPrivilege	2692	wmic.exe
Token: SeUndockPrivilege	2692	wmic.exe
Token: SeManageVolumePrivilege	2692	wmic.exe
Token: 33	2692	wmic.exe
Token: 34	2692	wmic.exe
Token: 35	2692	wmic.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe
Token: SeSystemProfilePrivilege	2692	wmic.exe
Token: SeSystemtimePrivilege	2692	wmic.exe
Token: SeProfSingleProcessPrivilege	2692	wmic.exe
Token: SeIncBasePriorityPrivilege	2692	wmic.exe
Token: SeCreatePagefilePrivilege	2692	wmic.exe
Token: SeBackupPrivilege	2692	wmic.exe
Token: SeRestorePrivilege	2692	wmic.exe
Token: SeShutdownPrivilege	2692	wmic.exe
Token: SeDebugPrivilege	2692	wmic.exe
Token: SeSystemEnvironmentPrivilege	2692	wmic.exe
Token: SeRemoteShutdownPrivilege	2692	wmic.exe
Token: SeUndockPrivilege	2692	wmic.exe
Token: SeManageVolumePrivilege	2692	wmic.exe
Token: 33	2692	wmic.exe
Token: 34	2692	wmic.exe
Token: 35	2692	wmic.exe
Token: SeIncreaseQuotaPrivilege	2948	wmic.exe
Token: SeSecurityPrivilege	2948	wmic.exe
Token: SeTakeOwnershipPrivilege	2948	wmic.exe
Token: SeLoadDriverPrivilege	2948	wmic.exe
Token: SeSystemProfilePrivilege	2948	wmic.exe
Token: SeSystemtimePrivilege	2948	wmic.exe
Token: SeProfSingleProcessPrivilege	2948	wmic.exe
Token: SeIncBasePriorityPrivilege	2948	wmic.exe
Token: SeCreatePagefilePrivilege	2948	wmic.exe
Token: SeBackupPrivilege	2948	wmic.exe
Token: SeRestorePrivilege	2948	wmic.exe
Token: SeShutdownPrivilege	2948	wmic.exe
Token: SeDebugPrivilege	2948	wmic.exe
Token: SeSystemEnvironmentPrivilege	2948	wmic.exe
Token: SeRemoteShutdownPrivilege	2948	wmic.exe
Token: SeUndockPrivilege	2948	wmic.exe
Token: SeManageVolumePrivilege	2948	wmic.exe
Token: 33	2948	wmic.exe
Token: 34	2948	wmic.exe
Token: 35	2948	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1332	2356	24f951dcaa2809ecb6f035cb0b12aafa.exe	26
PID 2356 wrote to memory of 1332	2356	24f951dcaa2809ecb6f035cb0b12aafa.exe	26
PID 2356 wrote to memory of 1332	2356	24f951dcaa2809ecb6f035cb0b12aafa.exe	26
PID 2356 wrote to memory of 1332	2356	24f951dcaa2809ecb6f035cb0b12aafa.exe	26
PID 1332 wrote to memory of 2692	1332	1430881320.exe	16
PID 1332 wrote to memory of 2692	1332	1430881320.exe	16
PID 1332 wrote to memory of 2692	1332	1430881320.exe	16
PID 1332 wrote to memory of 2692	1332	1430881320.exe	16
PID 1332 wrote to memory of 2948	1332	1430881320.exe	24
PID 1332 wrote to memory of 2948	1332	1430881320.exe	24
PID 1332 wrote to memory of 2948	1332	1430881320.exe	24
PID 1332 wrote to memory of 2948	1332	1430881320.exe	24
PID 1332 wrote to memory of 2816	1332	1430881320.exe	23
PID 1332 wrote to memory of 2816	1332	1430881320.exe	23
PID 1332 wrote to memory of 2816	1332	1430881320.exe	23
PID 1332 wrote to memory of 2816	1332	1430881320.exe	23
PID 1332 wrote to memory of 2664	1332	1430881320.exe	21
PID 1332 wrote to memory of 2664	1332	1430881320.exe	21
PID 1332 wrote to memory of 2664	1332	1430881320.exe	21
PID 1332 wrote to memory of 2664	1332	1430881320.exe	21
PID 1332 wrote to memory of 2624	1332	1430881320.exe	20
PID 1332 wrote to memory of 2624	1332	1430881320.exe	20
PID 1332 wrote to memory of 2624	1332	1430881320.exe	20
PID 1332 wrote to memory of 2624	1332	1430881320.exe	20
PID 1332 wrote to memory of 3020	1332	1430881320.exe	40
PID 1332 wrote to memory of 3020	1332	1430881320.exe	40
PID 1332 wrote to memory of 3020	1332	1430881320.exe	40
PID 1332 wrote to memory of 3020	1332	1430881320.exe	40

C:\Users\Admin\AppData\Local\Temp\24f951dcaa2809ecb6f035cb0b12aafa.exe
"C:\Users\Admin\AppData\Local\Temp\24f951dcaa2809ecb6f035cb0b12aafa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\1430881320.exe
  C:\Users\Admin\AppData\Local\Temp\1430881320.exe 6|8|2|4|5|8|4|9|1|1|8 KUhHQDgpNSo1MhgpS1M+S0FANC8fJ0g9UlNKSkdAQzwpHyoubG1nYGxic2ZbZWM5TV1lZGBmXRonQkVOTEU7PDEvMSkwHCo7RTs8LxgpSFBLP00/S15IPDcqNDUvKxwmUkRKUD1QW1BKSDRnc2xqMi0rbmpyJUNES0UlUktLJT1HTy1BSD5NHCo7SEBCSkE+NR4rPyk5JDAfJz4qOyksGCs7MjwlKxgtQC81KSgfLjwvNSstGydMSU5DTT1MXUxNQVI4Qlg1GidOTko8UTpTXj1PRD85GydMSU5DTT1MXUo8RUE0Hy49Uj1dUU1EORcuRFA/V0FJP0RFRUQ8GClATU9PVz5JTlZLP0o7MRsnUD9ATUNTR1NbUEpINB8uTkc1MBwqPE8oPB8nTE1MUERFQVZWREQ9R0tBREU9PkRUSkY1HitES1tJVE1MQ0VDOW9qcVwfLko/TFNOSUFKPl5USz9KXUA8UU80MR8nQkFCQVM1LRcuSEtZPFdKPEVFOl5ERj1KV0xPPUA0ZWBkbV0eKz9HU0VLTjk+V0dMOCk1Ki0wKSomLzMpKi0vHy5MQ0VDOSwsLyc3OCoqKjUcKjxLTk1LRzs8XVBERUE0NC4uKSouLTAiMjEvLzIsLyg9SBgrTEA8GClNUEg4YHBrbyQrWx0wYiAqYl5kc2ooXmdoYDBgXHJqbGloLF9qZSEpZVFtaExnaWA8a25ta2dbXEtdaVljXHFeXF9oamt0HS5dMTEqLCowLi0qLikxMSofKmRgam9qY25gXGdZbF1iXW4cMWVfX2wzMiArYmckMlwrMTEyLh0uLWMkK14qNTMsKiEpNWsdLVwwMjQsLxwxNWYfK2ItJmhuZmN0W25mX2lgHS9bUWRhZ1llYSAqMl1oa11oWWthICtgSWRoZVtfYw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3020

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704438237.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704438237.txt bios get version
1⤵
PID:2624

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704438237.txt bios get version
1⤵
PID:2664

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704438237.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704438237.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430881320.exe

Filesize
92KB

MD5
35d429352d4b0545c44edfc8000d1410

SHA1
36f1ac0d4039d59d83d486eaa208217b7ee38a7d

SHA256
15a0fda5f7af37246bdd79f1d2e4f7fe6c52a1ba20a5e9701a210469a3f5af27

SHA512
bd053a1f2251dd15b10b40a7e5eb4c72190ae826ff5de39665cd147efddf052dec107f5bf76247e0462ba9e4d89055ff5f8a1c292cf1172342766a07e327f3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso13B1.tmp\fvrde.dll

Filesize
107KB

MD5
0eddb8a05f770e57a9ec9a729938655a

SHA1
5b9d42661122bb12768fceb05a5a2eb9e78831af

SHA256
fb9cd01a8130cefde1953de5fea3eba7c4983a1a3c893832cf877cf17b11e70b

SHA512
083d8ccaef1586dcb7207a0466a6a2e226f7636ec9fce1c209418afdad98b073959af07b7271389d3a79e71b4420696f80b1c91b0220523acb5a4581a5e9e49d

Download Submit
\Users\Admin\AppData\Local\Temp\1430881320.exe

Filesize
893KB

MD5
52f2f00d2ecc1a301353d1e937af5a84

SHA1
d5a0a2d8a14e47f8bfc8337a11e3c9ace8d32b36

SHA256
418548a5f588d291aca05a20d8804bf0c27c4834440f0349b02a28382f4b4359

SHA512
a158947f7ed34a4b70a42bebf2d76285e7337094c58b6d3bae4613b5b3fb5d23a69ff9734bfcd246c2ce5ef6702109751f247290d91ed8a3449471e222e0e810

Download Submit
\Users\Admin\AppData\Local\Temp\1430881320.exe

Filesize
381KB

MD5
904b10db4ecbc76b1cd939516753bfe2

SHA1
71127849a53b41c11f57af6c9d0bf212fdf2128f

SHA256
41f55572030edfbbf56f09ab49f3ca34ed820dd05b1cbe71e3d5cf8f43be9efb

SHA512
4754aee9151f8564fd81073a37cddb8770f8d0f20be3bedfc90a9e5216db1c5e53bf7b1b02335de7e48e55a8248767e12680277c8d9062f8f785ed2bbd0371ee

Download Submit
\Users\Admin\AppData\Local\Temp\1430881320.exe

Filesize
928KB

MD5
0d2d87d8dc022c2b77c733c3db39c07f

SHA1
03676809e20a5dd7f6f0b2aa36b9c9bac1b29829

SHA256
5ebab65d3a916290954faf6ffd0520f16b570828b98f2374f1576dd1139046e5

SHA512
6ae559eab2a94f6f252ae0602eeab05d48dc959f229f8b28d23de7b4921ced8af02a83153316ec0e3a5eb3b3d42d1016a245f41099289fa2ba2c82c216d64f53

Download Submit
\Users\Admin\AppData\Local\Temp\nso13B1.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit