12e0a581730aefd210fecaded3a7d7e48ea902d60b437938ae6b293a7edcae0f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 22:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87cfd293ff7ca49270ea9d6f1f0f4479.exe
Size

558KB
MD5

87cfd293ff7ca49270ea9d6f1f0f4479
SHA1

1922a432be93a4427960b37f2120144bac668c51
SHA256

12e0a581730aefd210fecaded3a7d7e48ea902d60b437938ae6b293a7edcae0f
SHA512

728001bbffca08464d5110e47c1b12a2c5439be6139abc5fe94e4a3874a527b83056bb624c1dbbd1f335e9ab65f326d766acebc25b51397042d0933ba5b5a614
SSDEEP

12288:mmQDRNKuqDIo+wzn5rL5960NAbq4uIVlfli/Q8u+TVbUWGjAJdg:mVytIo+AJ9dNyxhlfANuqwWH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1848	1430568137.exe

Loads dropped DLL 10 IoCs

pid	Process
1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe
1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe
1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	1848	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1260	wmic.exe
Token: SeSecurityPrivilege	1260	wmic.exe
Token: SeTakeOwnershipPrivilege	1260	wmic.exe
Token: SeLoadDriverPrivilege	1260	wmic.exe
Token: SeSystemProfilePrivilege	1260	wmic.exe
Token: SeSystemtimePrivilege	1260	wmic.exe
Token: SeProfSingleProcessPrivilege	1260	wmic.exe
Token: SeIncBasePriorityPrivilege	1260	wmic.exe
Token: SeCreatePagefilePrivilege	1260	wmic.exe
Token: SeBackupPrivilege	1260	wmic.exe
Token: SeRestorePrivilege	1260	wmic.exe
Token: SeShutdownPrivilege	1260	wmic.exe
Token: SeDebugPrivilege	1260	wmic.exe
Token: SeSystemEnvironmentPrivilege	1260	wmic.exe
Token: SeRemoteShutdownPrivilege	1260	wmic.exe
Token: SeUndockPrivilege	1260	wmic.exe
Token: SeManageVolumePrivilege	1260	wmic.exe
Token: 33	1260	wmic.exe
Token: 34	1260	wmic.exe
Token: 35	1260	wmic.exe
Token: SeIncreaseQuotaPrivilege	1260	wmic.exe
Token: SeSecurityPrivilege	1260	wmic.exe
Token: SeTakeOwnershipPrivilege	1260	wmic.exe
Token: SeLoadDriverPrivilege	1260	wmic.exe
Token: SeSystemProfilePrivilege	1260	wmic.exe
Token: SeSystemtimePrivilege	1260	wmic.exe
Token: SeProfSingleProcessPrivilege	1260	wmic.exe
Token: SeIncBasePriorityPrivilege	1260	wmic.exe
Token: SeCreatePagefilePrivilege	1260	wmic.exe
Token: SeBackupPrivilege	1260	wmic.exe
Token: SeRestorePrivilege	1260	wmic.exe
Token: SeShutdownPrivilege	1260	wmic.exe
Token: SeDebugPrivilege	1260	wmic.exe
Token: SeSystemEnvironmentPrivilege	1260	wmic.exe
Token: SeRemoteShutdownPrivilege	1260	wmic.exe
Token: SeUndockPrivilege	1260	wmic.exe
Token: SeManageVolumePrivilege	1260	wmic.exe
Token: 33	1260	wmic.exe
Token: 34	1260	wmic.exe
Token: 35	1260	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1848	1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe	28
PID 1996 wrote to memory of 1848	1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe	28
PID 1996 wrote to memory of 1848	1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe	28
PID 1996 wrote to memory of 1848	1996	87cfd293ff7ca49270ea9d6f1f0f4479.exe	28
PID 1848 wrote to memory of 1260	1848	1430568137.exe	30
PID 1848 wrote to memory of 1260	1848	1430568137.exe	30
PID 1848 wrote to memory of 1260	1848	1430568137.exe	30
PID 1848 wrote to memory of 1260	1848	1430568137.exe	30
PID 1848 wrote to memory of 2708	1848	1430568137.exe	32
PID 1848 wrote to memory of 2708	1848	1430568137.exe	32
PID 1848 wrote to memory of 2708	1848	1430568137.exe	32
PID 1848 wrote to memory of 2708	1848	1430568137.exe	32
PID 1848 wrote to memory of 2808	1848	1430568137.exe	34
PID 1848 wrote to memory of 2808	1848	1430568137.exe	34
PID 1848 wrote to memory of 2808	1848	1430568137.exe	34
PID 1848 wrote to memory of 2808	1848	1430568137.exe	34
PID 1848 wrote to memory of 2488	1848	1430568137.exe	36
PID 1848 wrote to memory of 2488	1848	1430568137.exe	36
PID 1848 wrote to memory of 2488	1848	1430568137.exe	36
PID 1848 wrote to memory of 2488	1848	1430568137.exe	36
PID 1848 wrote to memory of 2460	1848	1430568137.exe	38
PID 1848 wrote to memory of 2460	1848	1430568137.exe	38
PID 1848 wrote to memory of 2460	1848	1430568137.exe	38
PID 1848 wrote to memory of 2460	1848	1430568137.exe	38
PID 1848 wrote to memory of 2956	1848	1430568137.exe	40
PID 1848 wrote to memory of 2956	1848	1430568137.exe	40
PID 1848 wrote to memory of 2956	1848	1430568137.exe	40
PID 1848 wrote to memory of 2956	1848	1430568137.exe	40

C:\Users\Admin\AppData\Local\Temp\87cfd293ff7ca49270ea9d6f1f0f4479.exe
"C:\Users\Admin\AppData\Local\Temp\87cfd293ff7ca49270ea9d6f1f0f4479.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\1430568137.exe
  C:\Users\Admin\AppData\Local\Temp\1430568137.exe 1]3]8]9]3]5]5]1]6]2]1 Lk1BOzosLi8xMR8uUE05TUQ/PCoeLk1CTE5MTUZIPjsvHyw8QFBPREM3MDM3NC8XLD5EQzcuHy5NSkZBUD5TWUdDPDArKTIbKlI/UFVET1dMT0c4Z25ybzksJ2pvcSlDP1FKLFFHRyo8S08oR01FTBgmQEdEQkVHQzxqTCgtMXU2Yz93Hyw8KDpJUEw8Q1EfLDwpOigsHylCMjwqKRcsPy88Jy8fLkEtNCosGy5KUE5DUjtLXEtNSFA/Qlg6GCZNTUpDT0FTXkJNQz44Gy5KUE5DUjtLXEk8TD87Hy5CUDxcUE1LNx4uRFU9VkBIP0tDTEQ8HSc/TE5PXjxQTlZQPUk6LRsuTkZATUhRRlJaUFFGOx8uU0U0LxsqQ00vPB8sSkxLT0RMP11WREk7RkpAREw7RURUT0Q0HSpEUllQVE1RQURCOG9xb2MfLk89S1JNSUhIRV5UUD1JXD88WE07MR8sQEBBQFM8Kx4uSFBXO1ZJPExDQV5ESztJVktPRD47ZWBpa1wdKj9OUUxLTj48VkZLODAzMi0wMjAlMzEpMyoeLlNGRTw6LC8yKjM2My8oLh0qP05RTEtOPjxWUURIRDczLjEsKicuMCUwNDIyOS8vIU1IGy5PPzxMbHJgaWdcJCxkNC0tIx9UZGljaXVyKktMIjMpLCQtYCpWTE8tMSQmQGpua2RUXVlIZG8kLGQ0MjQmKjMmI0pCUkxLIipaKGdkal8pRmRgY2YmJj5nbG1sZCIqXTA0KS8oMDA2LiYwMiZOYGBfcWgiKl0yLjItLTQfLlJKQzpjb3NqIzJgIipdIi1hZl9yLS8uKS9nKWRtYG0kMWNKbGtPZGxfQm52a2RmXl9IYGhfZmRvV1tia2ducyMxZS4sKi0wMjMsLjUkL14oMS4rNDEyMS8zHSljLC8yKjM2My8oLSIuYTcuMjgvLykuLTI0VyxEdktRXzBfdVR3RkFidUlxQV9LT0B0S1NidEBOTjBHeGl3THhTZkdQZl9XPS40UVNOQ05PMFJCL29qV04wZlxSSDJYa1BuQnAyLUgxPEBjaFNhUC9jZ01NMmhiVGRsTT5u
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706826047.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706826047.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706826047.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706826047.txt bios get version
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706826047.txt bios get version
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
764KB

MD5
82111fbdefa2d99e66f342dfc3a0922d

SHA1
29ccd8f1cd124e649fda0bdc167c59c900e3fd91

SHA256
704bc9f4ff613443c4fca2037ac94699eb7673b24174f83577fbc383ca408c0c

SHA512
a0ee38fb2c2b902a936157a526566e4b7f197dc613f412e21b89f48667bec1d0d0276b2d875cff26e1e115d2b034373269022c297cfe697989321d6a6f8e24f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\81706826047.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1430568137.exe

Filesize
516KB

MD5
117b69b3d472b9e3a8ad44fdeaddff9c

SHA1
dc1391c39647701c360a7803cb657edcdebb4835

SHA256
5b7931ec369fa8f5d13a64d1bd0768934ecbf786fd239aac955f8160fe49aef1

SHA512
71e8ce6fb76271d737053f64eedcc25a7633410879c905cd7f5bed7ab69a43c877c5a224fd3c9c1c8563d50d5fe740fece13e54d0a5996190ecbc2c72a716879

Download Submit
\Users\Admin\AppData\Local\Temp\nso1A65.tmp\dhihhg.dll

Filesize
126KB

MD5
09c0a8445c727b6cdee796a9a58b5482

SHA1
e654bd7418601f7205b2632c8bf32c29295384f9

SHA256
e363e4886f4a87644efc9a2515c0a98c054f50b02fc5fb58b540e041ad0d70d3

SHA512
3a43a904ea11bc1b70580da33196073e6f3a53841342ff755845f4eff94f4009b1fd496a57b2a38f36bb9dadbb87af92ca8ab9222547d780db081dc0a6ae0b85

Download Submit
\Users\Admin\AppData\Local\Temp\nso1A65.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit