112134c7d307a0874e2232d930b44825e0398579eb029ee19f87ea51281cf443

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd3fb09bafbb0037b82791c32c1277c.exe
Size

581KB
MD5

8cd3fb09bafbb0037b82791c32c1277c
SHA1

62b0f8f52b6ff69a8d36bc4aa1575b9f00a05d64
SHA256

112134c7d307a0874e2232d930b44825e0398579eb029ee19f87ea51281cf443
SHA512

ee9ca6148890af03a875ee81f951f4c21f4d748299c276742769dac2377fa39bb35bea2ac544413399233685c68e79dd7ea0cc79f67c8f2019f8ec32a77edf36
SSDEEP

12288:bzaDJhNH8ZkXWykEr8369tNFMP8NdHXpZ2achJC4+5:bcJbl+36tKPdhJ7Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	1431831751.exe

Loads dropped DLL 11 IoCs

pid	Process
2364	8cd3fb09bafbb0037b82791c32c1277c.exe
2364	8cd3fb09bafbb0037b82791c32c1277c.exe
2364	8cd3fb09bafbb0037b82791c32c1277c.exe
2364	8cd3fb09bafbb0037b82791c32c1277c.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	2544	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2804	wmic.exe
Token: SeSecurityPrivilege	2804	wmic.exe
Token: SeTakeOwnershipPrivilege	2804	wmic.exe
Token: SeLoadDriverPrivilege	2804	wmic.exe
Token: SeSystemProfilePrivilege	2804	wmic.exe
Token: SeSystemtimePrivilege	2804	wmic.exe
Token: SeProfSingleProcessPrivilege	2804	wmic.exe
Token: SeIncBasePriorityPrivilege	2804	wmic.exe
Token: SeCreatePagefilePrivilege	2804	wmic.exe
Token: SeBackupPrivilege	2804	wmic.exe
Token: SeRestorePrivilege	2804	wmic.exe
Token: SeShutdownPrivilege	2804	wmic.exe
Token: SeDebugPrivilege	2804	wmic.exe
Token: SeSystemEnvironmentPrivilege	2804	wmic.exe
Token: SeRemoteShutdownPrivilege	2804	wmic.exe
Token: SeUndockPrivilege	2804	wmic.exe
Token: SeManageVolumePrivilege	2804	wmic.exe
Token: 33	2804	wmic.exe
Token: 34	2804	wmic.exe
Token: 35	2804	wmic.exe
Token: SeIncreaseQuotaPrivilege	2804	wmic.exe
Token: SeSecurityPrivilege	2804	wmic.exe
Token: SeTakeOwnershipPrivilege	2804	wmic.exe
Token: SeLoadDriverPrivilege	2804	wmic.exe
Token: SeSystemProfilePrivilege	2804	wmic.exe
Token: SeSystemtimePrivilege	2804	wmic.exe
Token: SeProfSingleProcessPrivilege	2804	wmic.exe
Token: SeIncBasePriorityPrivilege	2804	wmic.exe
Token: SeCreatePagefilePrivilege	2804	wmic.exe
Token: SeBackupPrivilege	2804	wmic.exe
Token: SeRestorePrivilege	2804	wmic.exe
Token: SeShutdownPrivilege	2804	wmic.exe
Token: SeDebugPrivilege	2804	wmic.exe
Token: SeSystemEnvironmentPrivilege	2804	wmic.exe
Token: SeRemoteShutdownPrivilege	2804	wmic.exe
Token: SeUndockPrivilege	2804	wmic.exe
Token: SeManageVolumePrivilege	2804	wmic.exe
Token: 33	2804	wmic.exe
Token: 34	2804	wmic.exe
Token: 35	2804	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2488	wmic.exe
Token: SeSecurityPrivilege	2488	wmic.exe
Token: SeTakeOwnershipPrivilege	2488	wmic.exe
Token: SeLoadDriverPrivilege	2488	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2544	2364	8cd3fb09bafbb0037b82791c32c1277c.exe	28
PID 2364 wrote to memory of 2544	2364	8cd3fb09bafbb0037b82791c32c1277c.exe	28
PID 2364 wrote to memory of 2544	2364	8cd3fb09bafbb0037b82791c32c1277c.exe	28
PID 2364 wrote to memory of 2544	2364	8cd3fb09bafbb0037b82791c32c1277c.exe	28
PID 2544 wrote to memory of 2804	2544	1431831751.exe	29
PID 2544 wrote to memory of 2804	2544	1431831751.exe	29
PID 2544 wrote to memory of 2804	2544	1431831751.exe	29
PID 2544 wrote to memory of 2804	2544	1431831751.exe	29
PID 2544 wrote to memory of 2080	2544	1431831751.exe	33
PID 2544 wrote to memory of 2080	2544	1431831751.exe	33
PID 2544 wrote to memory of 2080	2544	1431831751.exe	33
PID 2544 wrote to memory of 2080	2544	1431831751.exe	33
PID 2544 wrote to memory of 2488	2544	1431831751.exe	34
PID 2544 wrote to memory of 2488	2544	1431831751.exe	34
PID 2544 wrote to memory of 2488	2544	1431831751.exe	34
PID 2544 wrote to memory of 2488	2544	1431831751.exe	34
PID 2544 wrote to memory of 2724	2544	1431831751.exe	36
PID 2544 wrote to memory of 2724	2544	1431831751.exe	36
PID 2544 wrote to memory of 2724	2544	1431831751.exe	36
PID 2544 wrote to memory of 2724	2544	1431831751.exe	36
PID 2544 wrote to memory of 2460	2544	1431831751.exe	39
PID 2544 wrote to memory of 2460	2544	1431831751.exe	39
PID 2544 wrote to memory of 2460	2544	1431831751.exe	39
PID 2544 wrote to memory of 2460	2544	1431831751.exe	39
PID 2544 wrote to memory of 2220	2544	1431831751.exe	40
PID 2544 wrote to memory of 2220	2544	1431831751.exe	40
PID 2544 wrote to memory of 2220	2544	1431831751.exe	40
PID 2544 wrote to memory of 2220	2544	1431831751.exe	40

C:\Users\Admin\AppData\Local\Temp\8cd3fb09bafbb0037b82791c32c1277c.exe
"C:\Users\Admin\AppData\Local\Temp\8cd3fb09bafbb0037b82791c32c1277c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\1431831751.exe
  C:\Users\Admin\AppData\Local\Temp\1431831751.exe 2!0!7!7!5!8!6!4!4!8!0 LVBCPTgrKi4uGC9RVTtJRDw3LBwnTkNUUEhNQ0NAOSggLURCTE9BPjkuLzI1MhkoPkE+OSwYL05SSD1QO05bRTw9LzYyLRsnTUFOTkVQX05LRzVicHBoOi0vbGtxJj5BT0MtUk9JJjxISipFRkZNICg8R0E9R0U8PXUyKUIwSUlKRz40S0JFMkYoLVE0KDNGMBkoPyk3LS0oMDMgKD0tNSctHCdEMT0mKhsnPjA5JTEeLz0uOCUrHCtIUk1ETjxPV0pORU5BQVk2GSpITEtATUNSXz5ORzk3HCtIUk1ETjxPV0g9ST09Hi8+UUBXT05INSAtRVE+WjtHQEhBTkM9GShDR01QWzpSTVdMPk01KhwrTEg/TkRSSk1ZUU5EPR4vT0Y4KhorQEsxOyAoS1BGTkVJPV9VRUU8SkU/RUk5R0NVS0U4GClFT1dSU05NQkg9N3BubWUeL0s+T01MSkVGR11VTD5NVz49VUs9MCAoQUQ8P1Q5KSAtSUxYP1FIPUlBQ11FRzxNUUpQQTw9ZGFlbGAYKUBLT05KTzo9WkFKOTIuLi8wKyczJiwxLBgvUklGPjgpLi8tMDQuNjIuGyc+S1NGTE1BPVhPQUdBOS0vLzcoKyspLyYxMjMvOiwuJTlHHCtNQTtNaHNkZGZdISpmMy4pJCNPY2pgZ3dxK0dNJi4oLSErYilXSFAxLB8vXiNUcGldXmlsHy5iLy4uJSxbJmpwIS9ZMS8uKSImZGNnYSNHY2NkaBsnT05INWhydGkeLlkfLmIdMmRnXm0sJiotLSlkY3NiYGkmY2piZyUwZktuaUxjaWE8b3VuZWhcXEddallnY3JYXWBoZmt1HTJkMS0sLDAuLDIxOCMyX11qb2hoa1lka2FnWmJdbCEuXjEyMyoxLygwNTQdM2Q3LSwsLSs0MjExL1lAP3NMZEV2RjJtMEZiM2pGZUpiT0JFb0U+LHJGU001SmpOKUhwL2tKOzhqWEwpMUU9c3JDQzZkUnNAKkVPMGRYeEkqQ3RfZlV1KDVJajphVHEqL0Y8QWpYK09rUkFoY1JWNjBcZk1sXVMsZFhrdGFRUkJpVXZSekp5Mj5JPWZGTk1wRExOZCAqYE92SktJQypGSXEyb047MGpaQENpWT5NdA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706978622.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706978622.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706978622.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706978622.txt bios get version
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706978622.txt bios get version
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
409KB

MD5
a6a2aa3ecfeb753a197bd5ff4e9cd17c

SHA1
6fc3329010aef2cf6e66577d52319505b662c8fb

SHA256
8d9e924b3790e1a331c4b9749f94610cc4410c8b25e2b7764fe0adbcbd22a796

SHA512
9aa2a028bd41b0cb03a3f45e81f37f78ef0d2aa999dcc70237a969eafae5e5030d0b87ce5ed35f1376b17a25e14a5db486d8042b5cc0c37cbb557287fa69a2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
435KB

MD5
c06cbec00e0625d66a31e4058a446771

SHA1
33fce5cd50082906bc5e7586d8c37a31748352fe

SHA256
222e5363abc312ea1c8753ed77a346d68d4a17dc1ec904290e8e659e2a77c936

SHA512
79b42dbb9079e7958199aa77633aead99e8412d3c83213fdd43c958765009db9a784bf7360087db7a7068fa95bb9dd8ac64da04107b1196cd834f060aad9b1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\81706978622.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
759KB

MD5
566531efc71b1a91b141fb19929aa7d9

SHA1
eb78289b3bda51c0e534b3666ba22afc1b113bc8

SHA256
524117b7700bb4eb376811679e49d588dce490334223e73ee9b5de9dbfc0e197

SHA512
e72b59d10cf8daddca2e93447f70b55b2c616660b93b636345d4271ecbf7c4f436a4e25beb27c1a21de49c9ec163b089f8c2a90c61f33f3a8bd6d1b755efb337

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
351KB

MD5
c1aec368a0bfe1d5357457d60634bdb1

SHA1
da9eb0f67a6ab0a92f44fd4aac2dc7563f5ab397

SHA256
dd585017cc1a3ae6205590120e98e1e0e6cef2a2b6cc89c916ab3a74347676f6

SHA512
1fa28279637286daf19ce5f144456fe940e430eed401d21a29bbc9023b0626ec965f75f3e211a49a5003dd889eb6638ac1a7acc75ca17d32628cda8827a14808

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
339KB

MD5
3e8c2832f3fdb5092529d565386f1594

SHA1
b73fa413c49ad56c756625caf60f1bd5c873edd8

SHA256
a2c6e8ec4e5bb885d2b70dbfe59820dcc1ef5366170e1f38fef8016d9101a75b

SHA512
de5ce9651d51e6223fa79384312e15b7677b2c4e411f0d165f39c429d5a0b27a0fbf24d313f3a66fab8825f35a261a299e7da29320afc01ae2da9e468523e286

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
330KB

MD5
30e88d1015dcdbeff351ebb57d00e340

SHA1
e548479f456cc7dad2bfeff294708f362380e6c8

SHA256
84276fb541021d21840b2e811b8d4c8b2e6d2230629fd32e671e4b691edba752

SHA512
299c74be99c5c3da31a8b031367e712f17a63d2d8f2d724605008dcd546ad1fc646476f5092866cd41326f41007538d1f8cbf1e380e380cdddb5bc0370555066

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
189KB

MD5
f623dc200489f55cf5544a712f237681

SHA1
e0a19588456f483201c822a05ce1e8f4f0941ca1

SHA256
c6d0ec1122a96669eb9c70fc01c36625e8223ab4ed469edabf817fe6a74e46fa

SHA512
bea5aba71b624cee3c53834d0a19b54729c1f2a7de600e309b5623c856de85c61e46f0be5d159df0a46572b7e2d0537427d288a3354fe5b4b5aba688fcd13bf4

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
381KB

MD5
1ad1ee1ca2fbe714f1808318b17a330c

SHA1
4c35421189e28fd8e8fa3c110d728c06265ad883

SHA256
3e2b4b63e9556e1ac4d2b2537b12fbf2e9ca79fa45df6efbdd2f0b3a6b0fdb64

SHA512
d49d5f9db6a3e2aaa0c90d754aed4de79ec4cd0ff51381ba6ab5d3389d8bff5b0e9a253df83d375b29728c3e9d5ab65400adccccc0c5c55dc56c65867cdf53f8

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
186KB

MD5
f4da2b7f6a919b4998964d07d8338925

SHA1
7c249f0b135c6d407450b9a5e9d03b07e7abb67e

SHA256
47e2ee4201a1b03e0ddc5cc0d70deea6f7a72d209f7848c42f252eb4b59cecdd

SHA512
2ceb85a272f2c5dc86eb956b38ae208a222141fc0d822c5900091f5af9aa395df82c98ea3b2ee9b7747429f6f05ac1bf934784c95188b719312d262d946d68a6

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
230KB

MD5
3d85cb479acd8113cf7051813eb25d84

SHA1
25fa4fb8798311ddfa7ef47dd08da07843b8fc97

SHA256
10077adec6e71d492c25efb4fa4a882b983ef6ae049a0ee51ae65e006398f532

SHA512
1d58f53f402e2c01db2b48a79323c5a57311cbb3eb8b9ca5f7faa287ac5e2d5a369205e2cc8671817519bab559c1ba2dd1dce5cfe0568b4da52af3e9ae86e7da

Download Submit
\Users\Admin\AppData\Local\Temp\1431831751.exe

Filesize
212KB

MD5
4469388f569691ac65ce9e7e19053e30

SHA1
f80c07992796c049f4c1ed5b76abdcb25104c4d1

SHA256
ba39996dfedce0aeb68e84d8e41612a98fe3239b9908c8722a202fa225e90afe

SHA512
49225341b23af58a1c24c2409d3cde97c227aab7a95431dcd945acf4db91aaecb8bbe864bc5cea4f8892fb2ec1d84e93e694b2f136dd3ba3df9e56bc96516324

Download Submit
\Users\Admin\AppData\Local\Temp\nsd742.tmp\cgibuti.dll

Filesize
153KB

MD5
9b081b4f84974a46cffcf1ef1a2e85f9

SHA1
70a1b83bad19d28195f2df22c3d213a04b42fb2b

SHA256
303f74df9812b639b66f919804039d1e295ffae8e543fa4349507110ac766752

SHA512
4539a458b1d2ba61ffcf71ea59addd13727d26606f73dbfb21053d68d5656010dae5791d486789c14653c6fb953a7dc284c3a80db2b1970a0e7f0778ab77dbbf

Download Submit
\Users\Admin\AppData\Local\Temp\nsd742.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit