503489f6a200d5bad10841f8740c481b96ff17a08b8edc476b7722853bba23ed

Analysis

max time kernel
25s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 14:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39f65eb60578fafd0df50305fd87a1a5.exe
Size

286KB
MD5

39f65eb60578fafd0df50305fd87a1a5
SHA1

c4be9cb53658e3d9592288e31b32733e4b1e80cc
SHA256

503489f6a200d5bad10841f8740c481b96ff17a08b8edc476b7722853bba23ed
SHA512

e82d9cf2ee64cc21bfba41733ee41538af4daf611dd87c9adbfd51c76f5f7df22fa75de68ce0bce1a7f6d48320a5269e9052309ed88156d9a7a26d47fdc57241
SSDEEP

6144:eKK9AIV8+3vko4UWDxjyaz6BNG+D+Pbhjesi1cT:mGIV8OlgVxuNoPtmW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1348	nClDnKaEkLg28601.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\G:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\H:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\K:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\N:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\U:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\Q:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\R:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\S:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\W:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\Z:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\Y:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\I:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\L:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\M:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\P:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\T:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\V:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\X:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\J:	nClDnKaEkLg28601.exe
File opened (read-only)	\??\O:	nClDnKaEkLg28601.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
1180	3368	WerFault.exe	15
3484	3368	WerFault.exe	15
4716	3368	WerFault.exe	15
1060	3368	WerFault.exe	15
1448	3368	WerFault.exe	15
4728	1348	WerFault.exe
2100	3368	WerFault.exe	15
5116	1348	WerFault.exe
384	1348	WerFault.exe
2532	1348	WerFault.exe
3456	1348	WerFault.exe
2680	3368	WerFault.exe	15
1700	1348	WerFault.exe
764	3368	WerFault.exe	15
1944	3368	WerFault.exe	15
3708	1348	WerFault.exe
1468	3368	WerFault.exe	15
1844	3368	WerFault.exe	15
4888	1348	WerFault.exe
4208	1348	WerFault.exe
1696	1348	WerFault.exe	58
1384	1348	WerFault.exe	58
2608	1348	WerFault.exe	58
740	1348	WerFault.exe	58
448	1348	WerFault.exe	58
1232	1348	WerFault.exe	58
2928	1348	WerFault.exe	58
3988	1348	WerFault.exe	58
2024	3368	WerFault.exe	15
3936	3368	WerFault.exe	15
2996	1348	WerFault.exe	58
1452	1348	WerFault.exe	58
876	1348	WerFault.exe	58

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
1348	nClDnKaEkLg28601.exe
1348	nClDnKaEkLg28601.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe
3368	39f65eb60578fafd0df50305fd87a1a5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	39f65eb60578fafd0df50305fd87a1a5.exe
Token: SeDebugPrivilege	1348	nClDnKaEkLg28601.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 1348	3368	39f65eb60578fafd0df50305fd87a1a5.exe	58
PID 3368 wrote to memory of 1348	3368	39f65eb60578fafd0df50305fd87a1a5.exe	58
PID 3368 wrote to memory of 1348	3368	39f65eb60578fafd0df50305fd87a1a5.exe	58

C:\Users\Admin\AppData\Local\Temp\39f65eb60578fafd0df50305fd87a1a5.exe
"C:\Users\Admin\AppData\Local\Temp\39f65eb60578fafd0df50305fd87a1a5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 560
  2⤵
  - Program crash
  PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 568
  2⤵
  - Program crash
  PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 576
  2⤵
  - Program crash
  PID:4716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 632
  2⤵
  - Program crash
  PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 792
  2⤵
  - Program crash
  PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 800
  2⤵
  - Program crash
  PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1072
  2⤵
  - Program crash
  PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1016
  2⤵
  - Program crash
  PID:764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 980
  2⤵
  - Program crash
  PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 852
  2⤵
  - Program crash
  PID:1468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 844
  2⤵
  - Program crash
  PID:1844
- C:\ProgramData\nClDnKaEkLg28601\nClDnKaEkLg28601.exe
  "C:\ProgramData\nClDnKaEkLg28601\nClDnKaEkLg28601.exe" "C:\Users\Admin\AppData\Local\Temp\39f65eb60578fafd0df50305fd87a1a5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 652
    3⤵
    - Program crash
    PID:1696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1388
    3⤵
    - Program crash
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1600
    3⤵
    - Program crash
    PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1588
    3⤵
    - Program crash
    PID:740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1676
    3⤵
    - Program crash
    PID:448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 668
    3⤵
    - Program crash
    PID:1232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1788
    3⤵
    - Program crash
    PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1796
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1192
    3⤵
    - Program crash
    PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 816
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 808
    3⤵
    - Program crash
    PID:876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 652
  2⤵
  - Program crash
  PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 140
  2⤵
  - Program crash
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3368 -ip 3368
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 640
1⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3368 -ip 3368
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 792
1⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3368 -ip 3368
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 800
1⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1348 -ip 1348
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3368 -ip 3368
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 852
1⤵
- Program crash
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1012
1⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1072
1⤵
- Program crash
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1348 -ip 1348
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3368 -ip 3368
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1348 -ip 1348
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 844
1⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3368 -ip 3368
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1348 -ip 1348
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1348 -ip 1348
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3368 -ip 3368
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 648
1⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1348 -ip 1348
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3368 -ip 3368
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 632
1⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1348 -ip 1348
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3368 -ip 3368
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3368 -ip 3368
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3368 -ip 3368
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1348 -ip 1348
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1348 -ip 1348
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1348 -ip 1348
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1348 -ip 1348
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1348 -ip 1348
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1348 -ip 1348
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1348 -ip 1348
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1348 -ip 1348
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3368 -ip 3368
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3368 -ip 3368
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1348 -ip 1348
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1348 -ip 1348
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1348 -ip 1348
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-28-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1348-32-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1348-22-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1348-21-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1348-19-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1348-20-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1348-40-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3368-5-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-0-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-4-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-27-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-1-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-29-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3368-6-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-7-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3368-47-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download