40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

Analysis

max time kernel
140s
max time network
105s
platform
windows10_x64
resource
win10v20201028
submitted
15-03-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe
Size

611KB
MD5

646a7f19343274ba87dbddc903dd60d0
SHA1

eb84789fda3ad3fa6e838c954e1ac0d1e9fd2848
SHA256

5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4
SHA512

3589d32cce5620232b2b6e7b6fc4f64fad7cf7b0ff95bd161913f8f59b45a086c9d93aa453dbc6f4d9b63b40b7a3e1101f09fe6ee5bcd997de1177a5d798c362

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3960	dicabfcedb.exe

Loads dropped DLL 2 IoCs

pid	Process
644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe
644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	3960	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4028	wmic.exe
Token: SeSecurityPrivilege	4028	wmic.exe
Token: SeTakeOwnershipPrivilege	4028	wmic.exe
Token: SeLoadDriverPrivilege	4028	wmic.exe
Token: SeSystemProfilePrivilege	4028	wmic.exe
Token: SeSystemtimePrivilege	4028	wmic.exe
Token: SeProfSingleProcessPrivilege	4028	wmic.exe
Token: SeIncBasePriorityPrivilege	4028	wmic.exe
Token: SeCreatePagefilePrivilege	4028	wmic.exe
Token: SeBackupPrivilege	4028	wmic.exe
Token: SeRestorePrivilege	4028	wmic.exe
Token: SeShutdownPrivilege	4028	wmic.exe
Token: SeDebugPrivilege	4028	wmic.exe
Token: SeSystemEnvironmentPrivilege	4028	wmic.exe
Token: SeRemoteShutdownPrivilege	4028	wmic.exe
Token: SeUndockPrivilege	4028	wmic.exe
Token: SeManageVolumePrivilege	4028	wmic.exe
Token: 33	4028	wmic.exe
Token: 34	4028	wmic.exe
Token: 35	4028	wmic.exe
Token: 36	4028	wmic.exe
Token: SeIncreaseQuotaPrivilege	4028	wmic.exe
Token: SeSecurityPrivilege	4028	wmic.exe
Token: SeTakeOwnershipPrivilege	4028	wmic.exe
Token: SeLoadDriverPrivilege	4028	wmic.exe
Token: SeSystemProfilePrivilege	4028	wmic.exe
Token: SeSystemtimePrivilege	4028	wmic.exe
Token: SeProfSingleProcessPrivilege	4028	wmic.exe
Token: SeIncBasePriorityPrivilege	4028	wmic.exe
Token: SeCreatePagefilePrivilege	4028	wmic.exe
Token: SeBackupPrivilege	4028	wmic.exe
Token: SeRestorePrivilege	4028	wmic.exe
Token: SeShutdownPrivilege	4028	wmic.exe
Token: SeDebugPrivilege	4028	wmic.exe
Token: SeSystemEnvironmentPrivilege	4028	wmic.exe
Token: SeRemoteShutdownPrivilege	4028	wmic.exe
Token: SeUndockPrivilege	4028	wmic.exe
Token: SeManageVolumePrivilege	4028	wmic.exe
Token: 33	4028	wmic.exe
Token: 34	4028	wmic.exe
Token: 35	4028	wmic.exe
Token: 36	4028	wmic.exe
Token: SeIncreaseQuotaPrivilege	3180	wmic.exe
Token: SeSecurityPrivilege	3180	wmic.exe
Token: SeTakeOwnershipPrivilege	3180	wmic.exe
Token: SeLoadDriverPrivilege	3180	wmic.exe
Token: SeSystemProfilePrivilege	3180	wmic.exe
Token: SeSystemtimePrivilege	3180	wmic.exe
Token: SeProfSingleProcessPrivilege	3180	wmic.exe
Token: SeIncBasePriorityPrivilege	3180	wmic.exe
Token: SeCreatePagefilePrivilege	3180	wmic.exe
Token: SeBackupPrivilege	3180	wmic.exe
Token: SeRestorePrivilege	3180	wmic.exe
Token: SeShutdownPrivilege	3180	wmic.exe
Token: SeDebugPrivilege	3180	wmic.exe
Token: SeSystemEnvironmentPrivilege	3180	wmic.exe
Token: SeRemoteShutdownPrivilege	3180	wmic.exe
Token: SeUndockPrivilege	3180	wmic.exe
Token: SeManageVolumePrivilege	3180	wmic.exe
Token: 33	3180	wmic.exe
Token: 34	3180	wmic.exe
Token: 35	3180	wmic.exe
Token: 36	3180	wmic.exe
Token: SeIncreaseQuotaPrivilege	3180	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3960	644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe	74
PID 644 wrote to memory of 3960	644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe	74
PID 644 wrote to memory of 3960	644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe	74
PID 3960 wrote to memory of 4028	3960	dicabfcedb.exe	75
PID 3960 wrote to memory of 4028	3960	dicabfcedb.exe	75
PID 3960 wrote to memory of 4028	3960	dicabfcedb.exe	75
PID 3960 wrote to memory of 3180	3960	dicabfcedb.exe	78
PID 3960 wrote to memory of 3180	3960	dicabfcedb.exe	78
PID 3960 wrote to memory of 3180	3960	dicabfcedb.exe	78
PID 3960 wrote to memory of 2724	3960	dicabfcedb.exe	80
PID 3960 wrote to memory of 2724	3960	dicabfcedb.exe	80
PID 3960 wrote to memory of 2724	3960	dicabfcedb.exe	80
PID 3960 wrote to memory of 200	3960	dicabfcedb.exe	82
PID 3960 wrote to memory of 200	3960	dicabfcedb.exe	82
PID 3960 wrote to memory of 200	3960	dicabfcedb.exe	82
PID 3960 wrote to memory of 2720	3960	dicabfcedb.exe	84
PID 3960 wrote to memory of 2720	3960	dicabfcedb.exe	84
PID 3960 wrote to memory of 2720	3960	dicabfcedb.exe	84

C:\Users\Admin\AppData\Local\Temp\5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe
"C:\Users\Admin\AppData\Local\Temp\5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\dicabfcedb.exe
  C:\Users\Admin\AppData\Local\Temp\dicabfcedb.exe 9-8-2-6-0-2-2-7-4-7-9 JkhHPj01Nik1GSZKTUBKSUI7KRwoRTxMVUlSSUc9OSoXJjxHTVRHQjYtKS0uLR4pQ0dCNiwZJkdKTT5VQVJYRT00KCgvKzkeLUxBS008Sl1PUko7YXBtZzEnLW1lcHQncGFcJFluai1iX21dJ2BlXm0aL0FKQj9EQDs1HilELzsrLCknFydCLD0rLxkrPSo0JS8aL0IyNikqFyY8MzctLx4oTEtGO01BTl9OUEJSOjpQNR4pUFBNPVE8S1Y9U0ZBOx4oTEtGO01BTl9MP0ZBNjpYZGNoZF9wHi4pQGRobWx0K0NxbGhpax0wKmZtcB4uKUZsbGppb2keKEFRPFZNUEY9ZnJtbDMmJlxqKHRtblpobSVaZ2spY19qYmFYalxsc2ouY3ZeHCg8Tz1dPU1CSkJKPjQXJ0ZJU1JdO05ITko9UDc1Hi1NRDpFQlFNT19TUEU5YWtraDgpL3BjaWsnW2ZvbGZvX2ImdmhlXCZhaS9ycFpfZCZgZnFuYWpqJ2xhZzZocGlkc2FtalpkXDVBW2xjbF1dayJAZW5pcnIrPnRpZmlsKWBvcClIcW1jZmdpIGZnal5qWmRcNUFbbGNsXV1rIkBlbmlycis+dGlmaWwpYG9wKUhxbWNmZ2kaL1RLNi4ZJjtLLzcgLVBOSk1ARD1dUUVKQUhJPkBEOUU/VVBKNhwoQEpXUE9OUkdGQTZraW1jGi9QQ01RS0VARkVZVVFDS1s9OFBLOywgLUZCQD5PNCkeKUlRXT1VRzhEQUFZRUxBS1VJSzw8O2BhanFeHCg7Rk9MRk8/QlhFSTQsLCwrOTYsKjErJSgtNxovUkdGQTYoKyozMjI0Ni8sGSY7R1VITE0/PVtNQEQ9Oy0vNi0rLCosISs4KjE4LikmSUQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    PID:200
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 948
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-17-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download