219f1d951db5cd2f5ead92411b536010e4c30a33d090e2a86fe3ca9f37bad684

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 15:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d4755158824fa7598ebb4eb9740e7cf.exe
Size

677KB
MD5

7d4755158824fa7598ebb4eb9740e7cf
SHA1

171a9ee4deb502c88c8044121a3c1be43a101b86
SHA256

219f1d951db5cd2f5ead92411b536010e4c30a33d090e2a86fe3ca9f37bad684
SHA512

a828cea5cd4ac517cbe49c4fb8d48af184f667f4707f5e91df7c6751fe34a715b007a7a1834032dd6bf66b94340e7a42c61f0528bf34a947322bf0496de8693e
SSDEEP

12288:OH4SQE4vlI/Dsyw/yZAP58CyoPeMa6DKacs79veDlMDAimQQRdy:OHHbu4AP5xyMe56DK69veCUst

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	1432144931.exe

Loads dropped DLL 11 IoCs

pid	Process
2336	7d4755158824fa7598ebb4eb9740e7cf.exe
2336	7d4755158824fa7598ebb4eb9740e7cf.exe
2336	7d4755158824fa7598ebb4eb9740e7cf.exe
2336	7d4755158824fa7598ebb4eb9740e7cf.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	2140	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2792	wmic.exe
Token: SeSecurityPrivilege	2792	wmic.exe
Token: SeTakeOwnershipPrivilege	2792	wmic.exe
Token: SeLoadDriverPrivilege	2792	wmic.exe
Token: SeSystemProfilePrivilege	2792	wmic.exe
Token: SeSystemtimePrivilege	2792	wmic.exe
Token: SeProfSingleProcessPrivilege	2792	wmic.exe
Token: SeIncBasePriorityPrivilege	2792	wmic.exe
Token: SeCreatePagefilePrivilege	2792	wmic.exe
Token: SeBackupPrivilege	2792	wmic.exe
Token: SeRestorePrivilege	2792	wmic.exe
Token: SeShutdownPrivilege	2792	wmic.exe
Token: SeDebugPrivilege	2792	wmic.exe
Token: SeSystemEnvironmentPrivilege	2792	wmic.exe
Token: SeRemoteShutdownPrivilege	2792	wmic.exe
Token: SeUndockPrivilege	2792	wmic.exe
Token: SeManageVolumePrivilege	2792	wmic.exe
Token: 33	2792	wmic.exe
Token: 34	2792	wmic.exe
Token: 35	2792	wmic.exe
Token: SeIncreaseQuotaPrivilege	2792	wmic.exe
Token: SeSecurityPrivilege	2792	wmic.exe
Token: SeTakeOwnershipPrivilege	2792	wmic.exe
Token: SeLoadDriverPrivilege	2792	wmic.exe
Token: SeSystemProfilePrivilege	2792	wmic.exe
Token: SeSystemtimePrivilege	2792	wmic.exe
Token: SeProfSingleProcessPrivilege	2792	wmic.exe
Token: SeIncBasePriorityPrivilege	2792	wmic.exe
Token: SeCreatePagefilePrivilege	2792	wmic.exe
Token: SeBackupPrivilege	2792	wmic.exe
Token: SeRestorePrivilege	2792	wmic.exe
Token: SeShutdownPrivilege	2792	wmic.exe
Token: SeDebugPrivilege	2792	wmic.exe
Token: SeSystemEnvironmentPrivilege	2792	wmic.exe
Token: SeRemoteShutdownPrivilege	2792	wmic.exe
Token: SeUndockPrivilege	2792	wmic.exe
Token: SeManageVolumePrivilege	2792	wmic.exe
Token: 33	2792	wmic.exe
Token: 34	2792	wmic.exe
Token: 35	2792	wmic.exe
Token: SeIncreaseQuotaPrivilege	2948	wmic.exe
Token: SeSecurityPrivilege	2948	wmic.exe
Token: SeTakeOwnershipPrivilege	2948	wmic.exe
Token: SeLoadDriverPrivilege	2948	wmic.exe
Token: SeSystemProfilePrivilege	2948	wmic.exe
Token: SeSystemtimePrivilege	2948	wmic.exe
Token: SeProfSingleProcessPrivilege	2948	wmic.exe
Token: SeIncBasePriorityPrivilege	2948	wmic.exe
Token: SeCreatePagefilePrivilege	2948	wmic.exe
Token: SeBackupPrivilege	2948	wmic.exe
Token: SeRestorePrivilege	2948	wmic.exe
Token: SeShutdownPrivilege	2948	wmic.exe
Token: SeDebugPrivilege	2948	wmic.exe
Token: SeSystemEnvironmentPrivilege	2948	wmic.exe
Token: SeRemoteShutdownPrivilege	2948	wmic.exe
Token: SeUndockPrivilege	2948	wmic.exe
Token: SeManageVolumePrivilege	2948	wmic.exe
Token: 33	2948	wmic.exe
Token: 34	2948	wmic.exe
Token: 35	2948	wmic.exe
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2140	2336	7d4755158824fa7598ebb4eb9740e7cf.exe	28
PID 2336 wrote to memory of 2140	2336	7d4755158824fa7598ebb4eb9740e7cf.exe	28
PID 2336 wrote to memory of 2140	2336	7d4755158824fa7598ebb4eb9740e7cf.exe	28
PID 2336 wrote to memory of 2140	2336	7d4755158824fa7598ebb4eb9740e7cf.exe	28
PID 2140 wrote to memory of 2792	2140	1432144931.exe	29
PID 2140 wrote to memory of 2792	2140	1432144931.exe	29
PID 2140 wrote to memory of 2792	2140	1432144931.exe	29
PID 2140 wrote to memory of 2792	2140	1432144931.exe	29
PID 2140 wrote to memory of 2948	2140	1432144931.exe	32
PID 2140 wrote to memory of 2948	2140	1432144931.exe	32
PID 2140 wrote to memory of 2948	2140	1432144931.exe	32
PID 2140 wrote to memory of 2948	2140	1432144931.exe	32
PID 2140 wrote to memory of 2752	2140	1432144931.exe	34
PID 2140 wrote to memory of 2752	2140	1432144931.exe	34
PID 2140 wrote to memory of 2752	2140	1432144931.exe	34
PID 2140 wrote to memory of 2752	2140	1432144931.exe	34
PID 2140 wrote to memory of 2596	2140	1432144931.exe	36
PID 2140 wrote to memory of 2596	2140	1432144931.exe	36
PID 2140 wrote to memory of 2596	2140	1432144931.exe	36
PID 2140 wrote to memory of 2596	2140	1432144931.exe	36
PID 2140 wrote to memory of 1340	2140	1432144931.exe	38
PID 2140 wrote to memory of 1340	2140	1432144931.exe	38
PID 2140 wrote to memory of 1340	2140	1432144931.exe	38
PID 2140 wrote to memory of 1340	2140	1432144931.exe	38
PID 2140 wrote to memory of 2184	2140	1432144931.exe	40
PID 2140 wrote to memory of 2184	2140	1432144931.exe	40
PID 2140 wrote to memory of 2184	2140	1432144931.exe	40
PID 2140 wrote to memory of 2184	2140	1432144931.exe	40

C:\Users\Admin\AppData\Local\Temp\7d4755158824fa7598ebb4eb9740e7cf.exe
"C:\Users\Admin\AppData\Local\Temp\7d4755158824fa7598ebb4eb9740e7cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\1432144931.exe
  C:\Users\Admin\AppData\Local\Temp\1432144931.exe 1#2#7#0#6#4#7#1#8#8#8 Lk5CRDctLDMqMBguUU5CSkU9PCgYJ01DTVdJTkRIPDUpHy09SU1QQkM1KjAwMSwgKT9CQzUoGC5OS08+UTxTV0E8PDAwMzEwGS5LPUpVQ0tfT05FPGBsbG84KC9tbm8tPD1LSitNT0opOk9IJkFNREggKT9FSDtDQUM7GS8+LTYsKRgnQzA2LSscKEMrNSUwHihELjkmMBgnPDQ7JjEaK0lRRzxNQlJYUExFT0A7UTUfLUlSSUBOQkxXPVRKOj0aK0lRRzxNQlJYTjtJPjw+YWRkIyswPmtwbWRnWWNjayApQVFEV01KSzthdG5sbDknJ1xhLG10KUMpaGBnWlFpGS8/VD5eO0U8S0dHRTccKEdHS0xeQEtPUU8+UTUqGC5SQUFIR1JOTVdNUUo2IClSRjwqGCdDUSo9GitLVEZMQUxDWFc/SDxORT1BTD9ARU9ORTwYJ0FSXUtVSFBCTD01bHFzXiApTj5TTUpGSExAX09PPlFXPDlYUTYyGitBSDw9UDwvGS9DT1hDUUY5TEc8Xz9KPFFRSExEQjZmW2hsZBgnPE5VR0xJPT1eQUg1MDcwLi0tJzYsJjAyHihUQ0k+PCksKzEvLjEtMTEfJzxHVkxFTztAWFNBRT08MygyKisrLyktIjY4LTk0LTEpSEUYLlM6PUdrc2hkZFkkMF81KCwkJ09hZmNtcHMlSk0qLiYpKCk6cGpoXlZdWkNoch4yYDEsNiYrLiomREhOSUUkKlsja2dkZSVDXmJjZyEqQWFyaWleJCpeLDEsKS4sLyowJiktMSlMYWBda2gdKl40MTAuLTIZLk1KRDxmbXRqISxgHSpeJDBfZ19wJy8pKitnLGJuYGseMV5KbW1SYm1fQGh2ZmRnYGJGYWhdYGRqV1xkbmVvcyErZSksKzEvLjEtMikkKl4pMzErMS8tLDUoHSplLy0zLC0uMCsuKCQxXzcvMSo3KSsuMDcwWUE+b01Lax0xYFtUXXNEaChqRXhEY05OQSpKckFpRzBONEZQUnFGYj1mYE1Ra0Qrc2xaZHcuUkcvcFBGUl1HRDNkYkJObUg/Sm5Xay50VHZxZlsrPnBhYXdtU2JAbFJKL3ZSMS9kQ1YpbEFCL2VQczVmWGUtUlIwSmhSL2FsUT9oaVdmVltWZkAsSk9FcFJpUEBTbTpmUjFuYFhBTm9IP05fWVQucFJDcWNIPjplYSt4akQrUV1aZVg2RXk8MVJGYypEUA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706454089.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706454089.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706454089.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706454089.txt bios get version
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706454089.txt bios get version
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81706454089.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1432144931.exe

Filesize
1021KB

MD5
e35979d115954d0ecba343c34c42f4bb

SHA1
f7397fa64dec910176af47caf436d9ad5fcff45c

SHA256
701456c8649783b2cd01828a43b536982559216298541758e12433653c57d12a

SHA512
e611291ef2c0f20fe4ddb5b1a1d940d68a38188c1e2a9f739eb1a2a207ddf243aa59eeb84390b071ab85e36619ff6c5a0b80424715d68668b8b77e5944caee55

Download Submit
\Users\Admin\AppData\Local\Temp\nst42BC.tmp\frxdwew.dll

Filesize
158KB

MD5
c2bc7115e45cd13205ae5537c9d85947

SHA1
06ba255cac7dd364160923898c0087e966e63505

SHA256
8f8722ed438b81ae932e3815fe3287e35fe275d75cd9ca693509f980f9fd49ae

SHA512
7962d572a3ace8d2aa7a336669e442b8ae0497df4c15bcca01b72391299712885263f18d8ca4099ee4b5dfd233977f0fb3d1565261e6a25652d5f9e8e8d7cde2

Download Submit
\Users\Admin\AppData\Local\Temp\nst42BC.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit