04f0dd6a18084c9bfb10d20346e3d8e2672bf9492d7143816cd15925a8f318d0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc885c26c59fe2c3ab61f90df7e67cdc.exe
Size

581KB
MD5

cc885c26c59fe2c3ab61f90df7e67cdc
SHA1

689ce4ad0b0bdbc2c5be5ae748b91cfaed6bf2c7
SHA256

04f0dd6a18084c9bfb10d20346e3d8e2672bf9492d7143816cd15925a8f318d0
SHA512

e48a40800876691e7fc47168834031ed98013a9234043389259c517637d79f5d9984c8a1d34dd61b2d1c82f8df2505b28500adbe01a0b3c8d83c75cf708d8c61
SSDEEP

12288:I0F9OdUzgyqV95sOV5Lm1r1ZT7SL4gLAyDOfvCH7:IuM+vqVTsvr1ZTUX6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	1431378119.exe

Loads dropped DLL 11 IoCs

pid	Process
2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe
2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe
2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe
2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	2740	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2724	wmic.exe
Token: SeSecurityPrivilege	2724	wmic.exe
Token: SeTakeOwnershipPrivilege	2724	wmic.exe
Token: SeLoadDriverPrivilege	2724	wmic.exe
Token: SeSystemProfilePrivilege	2724	wmic.exe
Token: SeSystemtimePrivilege	2724	wmic.exe
Token: SeProfSingleProcessPrivilege	2724	wmic.exe
Token: SeIncBasePriorityPrivilege	2724	wmic.exe
Token: SeCreatePagefilePrivilege	2724	wmic.exe
Token: SeBackupPrivilege	2724	wmic.exe
Token: SeRestorePrivilege	2724	wmic.exe
Token: SeShutdownPrivilege	2724	wmic.exe
Token: SeDebugPrivilege	2724	wmic.exe
Token: SeSystemEnvironmentPrivilege	2724	wmic.exe
Token: SeRemoteShutdownPrivilege	2724	wmic.exe
Token: SeUndockPrivilege	2724	wmic.exe
Token: SeManageVolumePrivilege	2724	wmic.exe
Token: 33	2724	wmic.exe
Token: 34	2724	wmic.exe
Token: 35	2724	wmic.exe
Token: SeIncreaseQuotaPrivilege	2940	wmic.exe
Token: SeSecurityPrivilege	2940	wmic.exe
Token: SeTakeOwnershipPrivilege	2940	wmic.exe
Token: SeLoadDriverPrivilege	2940	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2740	2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe	28
PID 2932 wrote to memory of 2740	2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe	28
PID 2932 wrote to memory of 2740	2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe	28
PID 2932 wrote to memory of 2740	2932	cc885c26c59fe2c3ab61f90df7e67cdc.exe	28
PID 2740 wrote to memory of 2524	2740	1431378119.exe	29
PID 2740 wrote to memory of 2524	2740	1431378119.exe	29
PID 2740 wrote to memory of 2524	2740	1431378119.exe	29
PID 2740 wrote to memory of 2524	2740	1431378119.exe	29
PID 2740 wrote to memory of 2724	2740	1431378119.exe	32
PID 2740 wrote to memory of 2724	2740	1431378119.exe	32
PID 2740 wrote to memory of 2724	2740	1431378119.exe	32
PID 2740 wrote to memory of 2724	2740	1431378119.exe	32
PID 2740 wrote to memory of 2940	2740	1431378119.exe	34
PID 2740 wrote to memory of 2940	2740	1431378119.exe	34
PID 2740 wrote to memory of 2940	2740	1431378119.exe	34
PID 2740 wrote to memory of 2940	2740	1431378119.exe	34
PID 2740 wrote to memory of 2464	2740	1431378119.exe	36
PID 2740 wrote to memory of 2464	2740	1431378119.exe	36
PID 2740 wrote to memory of 2464	2740	1431378119.exe	36
PID 2740 wrote to memory of 2464	2740	1431378119.exe	36
PID 2740 wrote to memory of 2452	2740	1431378119.exe	38
PID 2740 wrote to memory of 2452	2740	1431378119.exe	38
PID 2740 wrote to memory of 2452	2740	1431378119.exe	38
PID 2740 wrote to memory of 2452	2740	1431378119.exe	38
PID 2740 wrote to memory of 1592	2740	1431378119.exe	40
PID 2740 wrote to memory of 1592	2740	1431378119.exe	40
PID 2740 wrote to memory of 1592	2740	1431378119.exe	40
PID 2740 wrote to memory of 1592	2740	1431378119.exe	40

C:\Users\Admin\AppData\Local\Temp\cc885c26c59fe2c3ab61f90df7e67cdc.exe
"C:\Users\Admin\AppData\Local\Temp\cc885c26c59fe2c3ab61f90df7e67cdc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\1431378119.exe
  C:\Users\Admin\AppData\Local\Temp\1431378119.exe 4*6*3*6*2*9*1*0*6*2*4 K0pGPjsoMjAxMRwrTVI8TkBDPSoeK0o/UVFNSUpJPjssHClBQ1FLSEQ3LzQxMDAaLTpIRDcuHCtKT0lCTEJUWUdAOS0wLDMXLlM/UFJBTFxPUEM8aG5ybDYpLG1wbS1EP1FHKU5MSis4T1AoR0pCSR0pQUNIQ0VHQDlTYisuRUBxMTRmHClBKztFVE08Q04cKUEsOyQwIClCLzknLhotOzM9Jy8cKz4yNysoHy9KUEtAT0BOXUdRSVA/P1U3HSlOSU5ET0FQWz9SRj80Hy9KUEtAT0BOXUVATT87HCs/VT9dTFFMNx4rQVJCWUFEQ0xDTEE5GixCTUpTXzxQS1NNQkw7KR8vTkY9SkVWSVNWVFJGOxwrUEo3MBcuRE0vORwpT09MS0hNP11TQUZASUs8SE07RUFRTEk3HiZIU1lQUUpORkdDNHNyb2McK0xCTlNJTUlIRVtRTUJMXTtAWU07LhwpRUNCPFc9Kx4rRU1cPldFQE1DQVtBSEBMV0dTRT47Yl1mcF8eJkNPUUxISztBWUdHPDEyNSozLissLzAtMisuHCtORkdDNDA0LS8vNC0vMy4XLkRJVUpIST4+XUtITT87MSsrLikwJzA1JC8sNiw1NC8nKVBHHitROzpHbXFobGZfIS5gMiguIidXY2xga3FwJUxLKjYoMSEvXChRTU41NCMpPWxqaV9VXGFLY3IhLmAyLTUlMjYlJkdETkpGIyliK2ZnZ2ElRF9hYm4pJUFkbmlqXyMpZTQsLCwqLDArLyUwMy8pT11gXmxnHDFmLzEzKi0zGi1MUUw3ZnBwaiItXxwxZh8wYmNfcWwsJzAwMHJhX2IrY2xdbiUsZE5xaFFja1xDb3FsaGtbYUdfZWBnX3BbYF9tZm1wJDJgLzAvKzAyMSk4MB8wYi0uMCsxLzIyMy4hLmAuLjEoMjgtMDUsHzBgNzA1NTAzLDQtMS9WY3d1R0E0Ml1BT3NDeHNvSWU+YEtzdStLVEd0RVNHLUZRK3JNPVhpS2N0YlVwZjNNUzVFS2crTkBrNWRXQi1nVis2MFRXQ3JHLE8xW3hAdlpNWGRVQXFqTDpqZ15VSm5KUGk=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710545520.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710545520.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710545520.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710545520.txt bios get version
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710545520.txt bios get version
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
128KB

MD5
b45ed3cc244fb42322d14d40da2764e0

SHA1
f07147e8484434408638d13215346c74a894b294

SHA256
951e3f336e4e9d9ddda2006bfe9f8c750b7027c081e5fa4cde704296aa8a5017

SHA512
3494e1464016d74be8d48398b1ae121b8c46ab216e302c5e147b1551f344c5e8995048d4454d65e9ccd52d13b06f3ea8aa100e8e43e74b4e5e81768952706111

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
198KB

MD5
f9cb97a2c4d5d26b8c3984467909ea20

SHA1
777188a89fa571399856fed31e650ca9a3afa3e6

SHA256
8fe9ada22b7d18cb0e2f487e7d6c2d4b20dc85d74723707b69f3a865b0e78cbb

SHA512
2b01187578d007e39d74930ac2affe9d670df4a1ef79ec6b95b2ee32aef53e20d0ee5d5d797592bf6347f8ac19a5a3951543f4e2d101303251221a0b3248f499

Download Submit
C:\Users\Admin\AppData\Local\Temp\81710545520.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1768.tmp\razylfh.dll

Filesize
153KB

MD5
d5e4796f7bfec4f14ed59ca5f9df65fa

SHA1
e620857a03293928a04551d2ac9263296f9c0999

SHA256
bfa360e810448e0bd71e3e27b6d6d922e547f7cd5fa1f3c71db3778088f9aa61

SHA512
cd957fb9d65bdf64a8828e7da0fb67aa83c2cec23f7ae71f953c30822b66a6116dcc8883fada97943080dd09c08e6a7959fe62234002c4d959178661df24a2dd

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
171KB

MD5
d55bf542ebfb3a29075ed5efb661dd2d

SHA1
9244e75a57a5c5dc2ed8a53b4fb9576dd2abfda1

SHA256
f652504530691cea1fe59fc6bf241e032e862a1861262648f7c57471ef8656c9

SHA512
83d8c59406d9fc0dacaa2e06eb5501943bfc02306a599bd969b515aa64c1e79670628631e638458a03a4bc2761d577643cc944556736fb5d7c96ee6c0d59b2bb

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
235KB

MD5
a8ba6fcfc43f0020050e487a97ef26a6

SHA1
4fa1985cca35d0c0c0d87664f5fd204e9af995cd

SHA256
c06fabc5d2172f434683d589806316fd94ab77313d4a057eead85258a0b64c5d

SHA512
b0040ea50e33e9d1ecfe47e2d6174106a2133210cc4d95dab6e4aaac5170443e2ad65c0b079c1d7b25ec1b712009112f70462e50da5454a922bc14d64bd69665

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
358KB

MD5
4661787479576eb18948cc608b47b5eb

SHA1
65aa60bb8c1096c937b4519fea70fad863f535c1

SHA256
ef5685432d2752815f9cc0ddbc1dea787962cb0ba035f92206e00ba5e803239e

SHA512
5ef27497b12f5b11303f7586f17ea6177f1bcf3ae87f3d5a3788dd73999ee6d7b1581780b03d1b37b71482b865ee0d674e820fc00ea68a15356947b0481dbc05

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
5KB

MD5
078f02a5e0d2180528e6fc5ac4ac8619

SHA1
a211901ad139d667b8a681e4ced8f1fd8dcc1eb7

SHA256
a67f7875ff05e23cd363df70ed77aa556a44eeb91d47031e6d4c1a87d46560c8

SHA512
8a698d2ceb92b4e2a675bcda7e7a2d5cd185722f8df9f0ecbb795ef9dfea33e74b936571b2de59d2f05ce731346c3f82edff3b62347d7412a0a6d8df0d6db399

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
45KB

MD5
b92152ce6d2f8c2f2c7c4f4af4689085

SHA1
ac46a6fb7cd77a7188cee2b10a41d245a41b1455

SHA256
691d7c407f90bcafc4912e80b9e9f5edaf87fd3cb5013c8a9397c6fcd204834a

SHA512
6239ac18a70f62ceba1ee05d3e1e0d3b095e16fe7b4a4e1ac70c8778faeeb270a98bc9964a122b5ae3ca88c75b5e319b049cd67c718e6c82f3e645dea009474c

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
23KB

MD5
93d7fdaf5f2bb09735199a9873795b0b

SHA1
8955d6c1531a55a941c4cc9dff117e3039d77bdf

SHA256
05783ffc2666822627ff68ba1f708004ee3c65e470ad9f4cc7bf31a52ef83eaf

SHA512
12bc83e4b6d150b87882f4c2adb217e842a636409773315820e4324511c6ed2c0df4bea4608b594852c6747bec1f282e5dec9f34a2bd497f7a08c63c3bc75073

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
20KB

MD5
83c873f8cbffcb34329c50a067ca3289

SHA1
6fe4fef5232d7d4f8f3c9fa7388113c15cf21ad0

SHA256
586ebcf3302ca523c7eae21cc8e01fa4b4accbbd9e6d5fc0d73941643a7ad3d5

SHA512
5f9a4884c2dcd4483605c1abb0f1a0b32f946c389d84d21f5e895d7c25924c46a5d81cb16d931e1fd45491031603e076c74e82c3a13c03b20173ab1cf40569b0

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
62KB

MD5
18447f615cfdea665ede79958015400c

SHA1
682fc8022fcd614f429b44a50df5a73907d956af

SHA256
4f7e6b56b213e9d34d2b421dcba69469cc2984dac6c464966fc08e47434e83ca

SHA512
daa35215dcaf0e90f1217565bc1124a50db7f124752241fc9d7c273cc0bfd59badf1d9efc46c8770700eae5db80d07d05f8c6c62029078ba094413c1ba226e81

Download Submit
\Users\Admin\AppData\Local\Temp\1431378119.exe

Filesize
16KB

MD5
8ee6982eb034bb991b1e4a0b2296f4a3

SHA1
6203fca73240b4514dbe5ab33fe13d634a0161c5

SHA256
728414bc0eb6550732cf0b29480984ce4c7ad9f477ee9f161beb60a5c6af2d06

SHA512
92f10de14a628d9fe043fec2fd62986a62e960c96b2bb55b6c96f0701a35c5a3081b7a44b35486e200199a42b17523d2fe7d893a63e02f26fa9789f18eda3d62

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1768.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit