40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

Analysis

max time kernel
140s
max time network
105s
platform
windows10_x64
resource
win10v20201028
submitted
15-03-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe
Size

611KB
MD5

646a7f19343274ba87dbddc903dd60d0
SHA1

eb84789fda3ad3fa6e838c954e1ac0d1e9fd2848
SHA256

5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4
SHA512

3589d32cce5620232b2b6e7b6fc4f64fad7cf7b0ff95bd161913f8f59b45a086c9d93aa453dbc6f4d9b63b40b7a3e1101f09fe6ee5bcd997de1177a5d798c362

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dicabfcedb.exe

pid	Process
3960	dicabfcedb.exe

Loads dropped DLL 2 IoCs

Processes:

5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe

pid	Process
644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe
644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2656	3960	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	Process
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4028	wmic.exe
Token: SeSecurityPrivilege	4028	wmic.exe
Token: SeTakeOwnershipPrivilege	4028	wmic.exe
Token: SeLoadDriverPrivilege	4028	wmic.exe
Token: SeSystemProfilePrivilege	4028	wmic.exe
Token: SeSystemtimePrivilege	4028	wmic.exe
Token: SeProfSingleProcessPrivilege	4028	wmic.exe
Token: SeIncBasePriorityPrivilege	4028	wmic.exe
Token: SeCreatePagefilePrivilege	4028	wmic.exe
Token: SeBackupPrivilege	4028	wmic.exe
Token: SeRestorePrivilege	4028	wmic.exe
Token: SeShutdownPrivilege	4028	wmic.exe
Token: SeDebugPrivilege	4028	wmic.exe
Token: SeSystemEnvironmentPrivilege	4028	wmic.exe
Token: SeRemoteShutdownPrivilege	4028	wmic.exe
Token: SeUndockPrivilege	4028	wmic.exe
Token: SeManageVolumePrivilege	4028	wmic.exe
Token: 33	4028	wmic.exe
Token: 34	4028	wmic.exe
Token: 35	4028	wmic.exe
Token: 36	4028	wmic.exe
Token: SeIncreaseQuotaPrivilege	4028	wmic.exe
Token: SeSecurityPrivilege	4028	wmic.exe
Token: SeTakeOwnershipPrivilege	4028	wmic.exe
Token: SeLoadDriverPrivilege	4028	wmic.exe
Token: SeSystemProfilePrivilege	4028	wmic.exe
Token: SeSystemtimePrivilege	4028	wmic.exe
Token: SeProfSingleProcessPrivilege	4028	wmic.exe
Token: SeIncBasePriorityPrivilege	4028	wmic.exe
Token: SeCreatePagefilePrivilege	4028	wmic.exe
Token: SeBackupPrivilege	4028	wmic.exe
Token: SeRestorePrivilege	4028	wmic.exe
Token: SeShutdownPrivilege	4028	wmic.exe
Token: SeDebugPrivilege	4028	wmic.exe
Token: SeSystemEnvironmentPrivilege	4028	wmic.exe
Token: SeRemoteShutdownPrivilege	4028	wmic.exe
Token: SeUndockPrivilege	4028	wmic.exe
Token: SeManageVolumePrivilege	4028	wmic.exe
Token: 33	4028	wmic.exe
Token: 34	4028	wmic.exe
Token: 35	4028	wmic.exe
Token: 36	4028	wmic.exe
Token: SeIncreaseQuotaPrivilege	3180	wmic.exe
Token: SeSecurityPrivilege	3180	wmic.exe
Token: SeTakeOwnershipPrivilege	3180	wmic.exe
Token: SeLoadDriverPrivilege	3180	wmic.exe
Token: SeSystemProfilePrivilege	3180	wmic.exe
Token: SeSystemtimePrivilege	3180	wmic.exe
Token: SeProfSingleProcessPrivilege	3180	wmic.exe
Token: SeIncBasePriorityPrivilege	3180	wmic.exe
Token: SeCreatePagefilePrivilege	3180	wmic.exe
Token: SeBackupPrivilege	3180	wmic.exe
Token: SeRestorePrivilege	3180	wmic.exe
Token: SeShutdownPrivilege	3180	wmic.exe
Token: SeDebugPrivilege	3180	wmic.exe
Token: SeSystemEnvironmentPrivilege	3180	wmic.exe
Token: SeRemoteShutdownPrivilege	3180	wmic.exe
Token: SeUndockPrivilege	3180	wmic.exe
Token: SeManageVolumePrivilege	3180	wmic.exe
Token: 33	3180	wmic.exe
Token: 34	3180	wmic.exe
Token: 35	3180	wmic.exe
Token: 36	3180	wmic.exe
Token: SeIncreaseQuotaPrivilege	3180	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exedicabfcedb.exe

description	pid	Process	procid_target
PID 644 wrote to memory of 3960	644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe	74
PID 644 wrote to memory of 3960	644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe	74
PID 644 wrote to memory of 3960	644	5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe	74
PID 3960 wrote to memory of 4028	3960	dicabfcedb.exe	75
PID 3960 wrote to memory of 4028	3960	dicabfcedb.exe	75
PID 3960 wrote to memory of 4028	3960	dicabfcedb.exe	75
PID 3960 wrote to memory of 3180	3960	dicabfcedb.exe	78
PID 3960 wrote to memory of 3180	3960	dicabfcedb.exe	78
PID 3960 wrote to memory of 3180	3960	dicabfcedb.exe	78
PID 3960 wrote to memory of 2724	3960	dicabfcedb.exe	80
PID 3960 wrote to memory of 2724	3960	dicabfcedb.exe	80
PID 3960 wrote to memory of 2724	3960	dicabfcedb.exe	80
PID 3960 wrote to memory of 200	3960	dicabfcedb.exe	82
PID 3960 wrote to memory of 200	3960	dicabfcedb.exe	82
PID 3960 wrote to memory of 200	3960	dicabfcedb.exe	82
PID 3960 wrote to memory of 2720	3960	dicabfcedb.exe	84
PID 3960 wrote to memory of 2720	3960	dicabfcedb.exe	84
PID 3960 wrote to memory of 2720	3960	dicabfcedb.exe	84

C:\Users\Admin\AppData\Local\Temp\5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe
"C:\Users\Admin\AppData\Local\Temp\5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\dicabfcedb.exe
  C:\Users\Admin\AppData\Local\Temp\dicabfcedb.exe 9-8-2-6-0-2-2-7-4-7-9 JkhHPj01Nik1GSZKTUBKSUI7KRwoRTxMVUlSSUc9OSoXJjxHTVRHQjYtKS0uLR4pQ0dCNiwZJkdKTT5VQVJYRT00KCgvKzkeLUxBS008Sl1PUko7YXBtZzEnLW1lcHQncGFcJFluai1iX21dJ2BlXm0aL0FKQj9EQDs1HilELzsrLCknFydCLD0rLxkrPSo0JS8aL0IyNikqFyY8MzctLx4oTEtGO01BTl9OUEJSOjpQNR4pUFBNPVE8S1Y9U0ZBOx4oTEtGO01BTl9MP0ZBNjpYZGNoZF9wHi4pQGRobWx0K0NxbGhpax0wKmZtcB4uKUZsbGppb2keKEFRPFZNUEY9ZnJtbDMmJlxqKHRtblpobSVaZ2spY19qYmFYalxsc2ouY3ZeHCg8Tz1dPU1CSkJKPjQXJ0ZJU1JdO05ITko9UDc1Hi1NRDpFQlFNT19TUEU5YWtraDgpL3BjaWsnW2ZvbGZvX2ImdmhlXCZhaS9ycFpfZCZgZnFuYWpqJ2xhZzZocGlkc2FtalpkXDVBW2xjbF1dayJAZW5pcnIrPnRpZmlsKWBvcClIcW1jZmdpIGZnal5qWmRcNUFbbGNsXV1rIkBlbmlycis+dGlmaWwpYG9wKUhxbWNmZ2kaL1RLNi4ZJjtLLzcgLVBOSk1ARD1dUUVKQUhJPkBEOUU/VVBKNhwoQEpXUE9OUkdGQTZraW1jGi9QQ01RS0VARkVZVVFDS1s9OFBLOywgLUZCQD5PNCkeKUlRXT1VRzhEQUFZRUxBS1VJSzw8O2BhanFeHCg7Rk9MRk8/QlhFSTQsLCwrOTYsKjErJSgtNxovUkdGQTYoKyozMjI0Ni8sGSY7R1VITE0/PVtNQEQ9Oy0vNi0rLCosISs4KjE4LikmSUQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    PID:200
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81615801579.txt bios get version
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 948
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81615801579.txt

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81615801579.txt

MD5
3cbfbbbbfc8632c74c0f88c589c59ae2

SHA1
2708325a8a037862cfc03ffad1847d54e94ba7e1

SHA256
bdc8fff6d3d93e00ce021f9820c3aeafb52bd3e1e8c75c11c9a2de1c7206457c

SHA512
65a61a05df3cb02bdeca7639423815963874424cd666aa4685e617d04a439ab5b856d38339a212c555a1f85f87f91949f1547b0618030ce335d9aef4ffcaca7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81615801579.txt

MD5
3cbfbbbbfc8632c74c0f88c589c59ae2

SHA1
2708325a8a037862cfc03ffad1847d54e94ba7e1

SHA256
bdc8fff6d3d93e00ce021f9820c3aeafb52bd3e1e8c75c11c9a2de1c7206457c

SHA512
65a61a05df3cb02bdeca7639423815963874424cd666aa4685e617d04a439ab5b856d38339a212c555a1f85f87f91949f1547b0618030ce335d9aef4ffcaca7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81615801579.txt

MD5
3cbfbbbbfc8632c74c0f88c589c59ae2

SHA1
2708325a8a037862cfc03ffad1847d54e94ba7e1

SHA256
bdc8fff6d3d93e00ce021f9820c3aeafb52bd3e1e8c75c11c9a2de1c7206457c

SHA512
65a61a05df3cb02bdeca7639423815963874424cd666aa4685e617d04a439ab5b856d38339a212c555a1f85f87f91949f1547b0618030ce335d9aef4ffcaca7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81615801579.txt

MD5
3cbfbbbbfc8632c74c0f88c589c59ae2

SHA1
2708325a8a037862cfc03ffad1847d54e94ba7e1

SHA256
bdc8fff6d3d93e00ce021f9820c3aeafb52bd3e1e8c75c11c9a2de1c7206457c

SHA512
65a61a05df3cb02bdeca7639423815963874424cd666aa4685e617d04a439ab5b856d38339a212c555a1f85f87f91949f1547b0618030ce335d9aef4ffcaca7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dicabfcedb.exe

MD5
df42855eae67ed0495f9c930c01ff047

SHA1
7149d375f24bd0613f3fa48531504d97501a8005

SHA256
247d3b121db646aa7b7ec1294519e8e60a2021579b74814674fb6fe32d6e928d

SHA512
62bdf0b32d09a80f1584a894ea459580a30099d58e849795dc17c7758706b49c5b14d61b8bc86c16023680db47621ca3bab1d54ab90a43d2c0a753e93bf91812

Download Submit
C:\Users\Admin\AppData\Local\Temp\dicabfcedb.exe

MD5
df42855eae67ed0495f9c930c01ff047

SHA1
7149d375f24bd0613f3fa48531504d97501a8005

SHA256
247d3b121db646aa7b7ec1294519e8e60a2021579b74814674fb6fe32d6e928d

SHA512
62bdf0b32d09a80f1584a894ea459580a30099d58e849795dc17c7758706b49c5b14d61b8bc86c16023680db47621ca3bab1d54ab90a43d2c0a753e93bf91812

Download Submit
\Users\Admin\AppData\Local\Temp\nsi747B.tmp\aepnl.dll

MD5
86d626aa2d4ab88518d11ee75753edb1

SHA1
45d924b2252b1b9d7953fece2d0d167c34be656b

SHA256
8a403322c48cba1abfd9cb9d607c95c252f982705f44901f433f4c97db9cb2f7

SHA512
8bc365e68b83c42137533abc5b03ac5307acce4e2a2bc45f42a8b270e5f20612a81107660da85c4d253c40b7ae118bc5301d31190580c652d965b683e839b20b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi747B.tmp\nsisunz.dll

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
memory/200-13-0x0000000000000000-mapping.dmp

Download
memory/2656-17-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2720-15-0x0000000000000000-mapping.dmp

Download
memory/2724-11-0x0000000000000000-mapping.dmp

Download
memory/3180-9-0x0000000000000000-mapping.dmp

Download
memory/3960-4-0x0000000000000000-mapping.dmp

Download
memory/4028-7-0x0000000000000000-mapping.dmp

Download