10fb2c2778f11842d7eee6cc2033e8bc2e3fb45f1a24a58427572b4d1461a4fb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 09:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be36bc6930617236c7402f979942798d.exe
Size

695KB
MD5

be36bc6930617236c7402f979942798d
SHA1

f649bad1869591f5aa9105108e467aba7593a82c
SHA256

10fb2c2778f11842d7eee6cc2033e8bc2e3fb45f1a24a58427572b4d1461a4fb
SHA512

b2d888c8a7d809a817a8128dc5b4a84981e41a073559ca1996eb787a9d2cb67b2bd5dcf4ba137a748f4914af2d9b82b654f5c9bb36ee03ee3aa783b28f8f0d81
SSDEEP

12288:DI+fRbQEliesFKIYR8fi/RSSaTsMc9eUKcYJPkNbFVrYrgUKWrzF3:DI+fq5RxYR8K/8pYMc9eUKDkNbUMm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	1432274482.exe

Loads dropped DLL 11 IoCs

pid	Process
2360	be36bc6930617236c7402f979942798d.exe
2360	be36bc6930617236c7402f979942798d.exe
2360	be36bc6930617236c7402f979942798d.exe
2360	be36bc6930617236c7402f979942798d.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	1644	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe
Token: 33	2580	wmic.exe
Token: 34	2580	wmic.exe
Token: 35	2580	wmic.exe
Token: SeIncreaseQuotaPrivilege	2492	wmic.exe
Token: SeSecurityPrivilege	2492	wmic.exe
Token: SeTakeOwnershipPrivilege	2492	wmic.exe
Token: SeLoadDriverPrivilege	2492	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1644	2360	be36bc6930617236c7402f979942798d.exe	28
PID 2360 wrote to memory of 1644	2360	be36bc6930617236c7402f979942798d.exe	28
PID 2360 wrote to memory of 1644	2360	be36bc6930617236c7402f979942798d.exe	28
PID 2360 wrote to memory of 1644	2360	be36bc6930617236c7402f979942798d.exe	28
PID 1644 wrote to memory of 2100	1644	1432274482.exe	29
PID 1644 wrote to memory of 2100	1644	1432274482.exe	29
PID 1644 wrote to memory of 2100	1644	1432274482.exe	29
PID 1644 wrote to memory of 2100	1644	1432274482.exe	29
PID 1644 wrote to memory of 2580	1644	1432274482.exe	32
PID 1644 wrote to memory of 2580	1644	1432274482.exe	32
PID 1644 wrote to memory of 2580	1644	1432274482.exe	32
PID 1644 wrote to memory of 2580	1644	1432274482.exe	32
PID 1644 wrote to memory of 2492	1644	1432274482.exe	34
PID 1644 wrote to memory of 2492	1644	1432274482.exe	34
PID 1644 wrote to memory of 2492	1644	1432274482.exe	34
PID 1644 wrote to memory of 2492	1644	1432274482.exe	34
PID 1644 wrote to memory of 2496	1644	1432274482.exe	36
PID 1644 wrote to memory of 2496	1644	1432274482.exe	36
PID 1644 wrote to memory of 2496	1644	1432274482.exe	36
PID 1644 wrote to memory of 2496	1644	1432274482.exe	36
PID 1644 wrote to memory of 2628	1644	1432274482.exe	38
PID 1644 wrote to memory of 2628	1644	1432274482.exe	38
PID 1644 wrote to memory of 2628	1644	1432274482.exe	38
PID 1644 wrote to memory of 2628	1644	1432274482.exe	38
PID 1644 wrote to memory of 3020	1644	1432274482.exe	40
PID 1644 wrote to memory of 3020	1644	1432274482.exe	40
PID 1644 wrote to memory of 3020	1644	1432274482.exe	40
PID 1644 wrote to memory of 3020	1644	1432274482.exe	40

C:\Users\Admin\AppData\Local\Temp\be36bc6930617236c7402f979942798d.exe
"C:\Users\Admin\AppData\Local\Temp\be36bc6930617236c7402f979942798d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\1432274482.exe
  C:\Users\Admin\AppData\Local\Temp\1432274482.exe 2]3]4]1]2]4]0]2]4]0]0 LU1FQzsvMDAuIC9RUj5PR0A9LhwvTkNRU05QR0lCOTAgLUFFUlJFRDsuMDI3NBwuQUVEOywgL05PS0NTP1RdRUQ9LzM1Mx4rU0NOVkVQXFFRSjlocnBwOi0sb3F0KkRDT0stUkxMLD9MUCxFTkZNHStCSkVDSUVEPXVMNTBUTUQ0SUlQTE8+RkcsSjUyTTMuTBwuQi09MTI1NDMvHC5CLj0rLSAvQjA5LC8cL0IwPS0vHStDMzktLxwvUFBMQFRBUF9OTklWP0BVPB4rUFBLRFVBUVtEU0hBOxwvUFBMQFRBUF9MPU1FOx0rRFZBX1NOTD0eLEFXQ1tDS0BMSUxCOR8tRE9RUF9CUExTUkNOPTEcL1RGPkpKV0tVXVFSTDsdK1VLOTIeK0RTLzocLlBRTlJFTUVdVEFLQUtNQ0VNQUVCUVFKOSAtRVNfUFJKU0dJRTtwcnVjHStRQ1BVUEpJTkVcUVJDTl9CPVlTOy8cLkZFRENUPTEeLEVSXUBZTD1NSUFcQU1BTllOUEVEO2Nda3FhIC1AT1dMSUtAQltJTjkyLjcvKjEvLy4wMTQgLVFFTEM5MTIvMjI1NTQzNhwvQktXTkpMPUNdUElLQT01LS8uLjAsMTMmNzovMTYvNiZBSxwvVT86S29jbmEjLmY5LDUsKiZTaWxgb3dxKEpTKTIuLiUrUHBib3NtITJkLi4xMCsvNzYnVmNuc2ltayExZC0yLC02IC1STks7ZHRybCUzXyIuZSMuZmVhdDEsLS0wL2BlcWVnbixmamVtITJkTnVuUmZpZEJrd2xob2FiSl1tX2NlcFtkZW5pa3gjLmYvMDMyMDQ0NzMwJTBiZG91a2huX2BtX2phZ2NvITFkLTQxLjI3NjUxMyMvZjMtODIvMi0zLy0yV2lSc0p3XzVgdmt3SHpBckdSdjVJU3F0TlRXaV1pZXNMaF96SVUtMUt3UmlKQHdyTEFNdUw/NGpVekEyST9qaVV5MjRLVD9pVWg2NEpRNGxYeE4xS0I9a1dTaGtXLy1iYENFNl9tTnRhQ2ZpVW1ia1gybmxVaWYuUnhfd1VUPz1NU3RIUSwxS09CVkRKLFkwSlVzc0ksYmldRjNxYWp1dA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710061659.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710061659.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710061659.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710061659.txt bios get version
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710061659.txt bios get version
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81710061659.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1432274482.exe

Filesize
1021KB

MD5
4b313fd428ffbfa691d6e27407704cad

SHA1
6fe8231cdfb6e8ed945b7a377cab1b23ce469cf3

SHA256
13f22d266dc253786357bcad9b6fc9e8cdf019f57b265ad5adf3b020bc4b975d

SHA512
09950165385a3ec93ccb9a886d22533404b8aed5520caf00ace75a04294b3504ff216f71c0b6993dfe8f324e7635bb6e4a1ab605186b10f7b570d0bf415f5b2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd484.tmp\fnbvert.dll

Filesize
158KB

MD5
4dab253abac323efe6b7290426f69b8b

SHA1
e6f6f88a42416a9ce8b994d2a301b8e99ca664a8

SHA256
4b5103433cd2aec8bc27aafdcca1a4e04c5ad13ffff1e4c36e58cf534918fc85

SHA512
0085f2d755b4eef98816ed31f23701270aa62fb4aef697361b6e77eaec5aedec63e13855443fe5b8d5325985289dfbb9d95390ed86c54e0bcebdd8dd9f7f008d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd484.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit