2297c1d36245d555ae2d032c5465dee510a2c9cf1e312572aa0468168d3afcf0

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59775e702d91e31d1c849b0f5e8c5a65.exe
Size

968KB
MD5

59775e702d91e31d1c849b0f5e8c5a65
SHA1

266dffbd14020fe4490d213f03b03278aef8296f
SHA256

2297c1d36245d555ae2d032c5465dee510a2c9cf1e312572aa0468168d3afcf0
SHA512

e11e05fb82c54aa5675926d4f18c624bc4eab064037df1d3236b8f33a07fc9cff73c28d63d0f89d16429a6aee849bfae4a7f0acedbf356b24c2e2e90ea564c9e
SSDEEP

24576:87tbtfFcicu9/AGdSHlXEYprdDJ5Qk7I/Oylc8Cnrg7:479Iu9/9dSHlXECrBJ5r7Ibl7org7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	instract.exe

Loads dropped DLL 9 IoCs

pid	Process
368	59775e702d91e31d1c849b0f5e8c5a65.exe
368	59775e702d91e31d1c849b0f5e8c5a65.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2372	WerFault.exe	28

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\instract.exe\""	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Programmable	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS\ = "0"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0"	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\instract.exe"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\ = "SmartInstallerLib"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\instract.exe"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals"	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version\ = "1.0"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0"	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\ = "CBrowserExternal Class"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	instract.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	instract.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib	instract.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2956	wmic.exe
Token: SeSecurityPrivilege	2956	wmic.exe
Token: SeTakeOwnershipPrivilege	2956	wmic.exe
Token: SeLoadDriverPrivilege	2956	wmic.exe
Token: SeSystemProfilePrivilege	2956	wmic.exe
Token: SeSystemtimePrivilege	2956	wmic.exe
Token: SeProfSingleProcessPrivilege	2956	wmic.exe
Token: SeIncBasePriorityPrivilege	2956	wmic.exe
Token: SeCreatePagefilePrivilege	2956	wmic.exe
Token: SeBackupPrivilege	2956	wmic.exe
Token: SeRestorePrivilege	2956	wmic.exe
Token: SeShutdownPrivilege	2956	wmic.exe
Token: SeDebugPrivilege	2956	wmic.exe
Token: SeSystemEnvironmentPrivilege	2956	wmic.exe
Token: SeRemoteShutdownPrivilege	2956	wmic.exe
Token: SeUndockPrivilege	2956	wmic.exe
Token: SeManageVolumePrivilege	2956	wmic.exe
Token: 33	2956	wmic.exe
Token: 34	2956	wmic.exe
Token: 35	2956	wmic.exe
Token: SeIncreaseQuotaPrivilege	2868	wmic.exe
Token: SeSecurityPrivilege	2868	wmic.exe
Token: SeTakeOwnershipPrivilege	2868	wmic.exe
Token: SeLoadDriverPrivilege	2868	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 368 wrote to memory of 2372	368	59775e702d91e31d1c849b0f5e8c5a65.exe	28
PID 2372 wrote to memory of 2700	2372	instract.exe	29
PID 2372 wrote to memory of 2700	2372	instract.exe	29
PID 2372 wrote to memory of 2700	2372	instract.exe	29
PID 2372 wrote to memory of 2700	2372	instract.exe	29
PID 2372 wrote to memory of 2956	2372	instract.exe	32
PID 2372 wrote to memory of 2956	2372	instract.exe	32
PID 2372 wrote to memory of 2956	2372	instract.exe	32
PID 2372 wrote to memory of 2956	2372	instract.exe	32
PID 2372 wrote to memory of 2868	2372	instract.exe	34
PID 2372 wrote to memory of 2868	2372	instract.exe	34
PID 2372 wrote to memory of 2868	2372	instract.exe	34
PID 2372 wrote to memory of 2868	2372	instract.exe	34
PID 2372 wrote to memory of 2632	2372	instract.exe	36
PID 2372 wrote to memory of 2632	2372	instract.exe	36
PID 2372 wrote to memory of 2632	2372	instract.exe	36
PID 2372 wrote to memory of 2632	2372	instract.exe	36
PID 2372 wrote to memory of 2128	2372	instract.exe	38
PID 2372 wrote to memory of 2128	2372	instract.exe	38
PID 2372 wrote to memory of 2128	2372	instract.exe	38
PID 2372 wrote to memory of 2128	2372	instract.exe	38
PID 2372 wrote to memory of 2752	2372	instract.exe	40
PID 2372 wrote to memory of 2752	2372	instract.exe	40
PID 2372 wrote to memory of 2752	2372	instract.exe	40
PID 2372 wrote to memory of 2752	2372	instract.exe	40

C:\Users\Admin\AppData\Local\Temp\59775e702d91e31d1c849b0f5e8c5a65.exe
"C:\Users\Admin\AppData\Local\Temp\59775e702d91e31d1c849b0f5e8c5a65.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\instract.exe
  C:\Users\Admin\AppData\Local\Temp\instract.exe /PID=7302 /SUBPID=-1 /DISTID=1775 /NETWORKID=0 /CID=0 /PRODUCT_ID=1694 /SERVER_URL=http://installer.apps-track.com /CLICKID=613531982 /D1=14321 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_NAME= /PRODUCT_EULA= /PRODUCT_PRIVACY= /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /IS_RUNTIME=true /THANKYOU_URL= /RETURNING_USER_DAYS=2 /VM=1
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 364
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\obhhelper.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\instract.exe

Filesize
1.2MB

MD5
a086ed49ec2ca9b3d680068e015e7b7e

SHA1
3ce9208fec431db0bb61decfa9207967a38ad6b4

SHA256
e37e9878809c29967636da8744a0c2477925542c187b55857e588b5e8abf65b5

SHA512
ee20d4939e5b4fe4cee945574057f3e51845e32ac4e38dd64555683e8ca2f1c532826ae8014ab18cf4998b176647a6b80f09d3243a5fa7c9e62542f0b6f2d0dd

Download Submit
\Users\Admin\AppData\Local\Temp\instract.exe

Filesize
1.0MB

MD5
cc5355e910931bf00013fcaaa1b9ca6a

SHA1
270fb25488584fb10a60b139521556bf2bb20abc

SHA256
440e49343023a51d6bcfe79daed1afeff20833da6f4f648ac6eccb941306591a

SHA512
af35bc37412f17a09f095ba1f8007d485c9f28c4be373d2ef06cbf173a940f63f3f415b7592b43ef287740fcdf26ab7450b469c1101a9b0297632514ab81dbc9

Download Submit
\Users\Admin\AppData\Local\Temp\instract.exe

Filesize
855KB

MD5
749e1106f88ccc84238647ec5e094b4f

SHA1
0e267d655d0196a74e4b5a2b5176615f48deb73d

SHA256
37d4d44f463fa87e84bb3734cd2a38320964b6528dde3daea36d3729014c88bc

SHA512
130b136fe0c5a6840b124baa20589f1cf1ba716866b05b20d614b445ec4b61c6d78be841dd2e81a0e393710b1312d2cf722d190c03d80c7589f19a4e0b9d3707

Download Submit
\Users\Admin\AppData\Local\Temp\instract.exe

Filesize
739KB

MD5
8b0b0eb8abb8ced6a83d6ff6796a9f6e

SHA1
f679f35ac86bcb09e5d85ce2b289e46250952b74

SHA256
37e4a34dc8199eeec6e6f446cf9bf172547b534b9abafe39ff31687d3b820a1f

SHA512
35fb8fa303c4b9ec03f0983fedcfb42fac83bf706b3cbb43bb1f3981cb2b474660612eff3a3cded9aaf14408f662bf6b8cdddd90cec53120f7282fe21c5e2fc8

Download Submit
\Users\Admin\AppData\Local\Temp\instract.exe

Filesize
1.3MB

MD5
a5a797794bada70c3eea4fc169cc28bf

SHA1
2fabd278b0e388a9dc7834ac9412dd94cac9f31e

SHA256
ef454f3e355e66480bb75433d9942babd9d594ff51df65a8ef0a3c0a2cd42e57

SHA512
47e214552737071c7fe23ca518a98ae59f0ed3aab041ddcf8977c1b2efcfde589af7502252c5bf9a43c9b3b7e6cb9ce21b3118ef8258685fb42abb9a760579a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6317.tmp\Convert.dll

Filesize
113KB

MD5
27ad43a37566f883c2a95f773dd3b6f5

SHA1
0c5ab78b2fc5de9b789c0051b2eb5b3f82b83af1

SHA256
acaae5a76974ca7f8d7544104fb8398c4075baed7920e356988ef177055a905f

SHA512
4397842f5162a19aa420d7cd0c299896d78d4d8ab90044c10e3aee234fc5b787b399bff286ac9cca693e99f4170cafb36cb00f646869ab949d2854cb8ec72d4d

Download Submit