2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe
Size

556KB
MD5

b6937ac947734b2be19290adfa678533
SHA1

333d2993f673335511eb0f6be2561a46504ba7d9
SHA256

2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685
SHA512

d82cfcd2a292df3be548fd6813d025de36a2f92928af884a4b456a59a55d1f915ba0ed6bbba337e974745eab610a29670643c4d95bb33b110c089a02f4b4ee18
SSDEEP

12288:+tOn4+FfbJi2ebbkTpOphkojRjPTSsra6NKeYhC:+twYba4jRrxxKel

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2424	ddacabfcdbff.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe
1996	2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
744	2424	WerFault.exe	79

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: 36	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: 36	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe
Token: 33	4476	wmic.exe
Token: 34	4476	wmic.exe
Token: 35	4476	wmic.exe
Token: 36	4476	wmic.exe
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2424	1996	2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe	79
PID 1996 wrote to memory of 2424	1996	2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe	79
PID 1996 wrote to memory of 2424	1996	2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe	79
PID 2424 wrote to memory of 2700	2424	ddacabfcdbff.exe	80
PID 2424 wrote to memory of 2700	2424	ddacabfcdbff.exe	80
PID 2424 wrote to memory of 2700	2424	ddacabfcdbff.exe	80
PID 2424 wrote to memory of 4476	2424	ddacabfcdbff.exe	82
PID 2424 wrote to memory of 4476	2424	ddacabfcdbff.exe	82
PID 2424 wrote to memory of 4476	2424	ddacabfcdbff.exe	82
PID 2424 wrote to memory of 5044	2424	ddacabfcdbff.exe	84
PID 2424 wrote to memory of 5044	2424	ddacabfcdbff.exe	84
PID 2424 wrote to memory of 5044	2424	ddacabfcdbff.exe	84
PID 2424 wrote to memory of 1328	2424	ddacabfcdbff.exe	86
PID 2424 wrote to memory of 1328	2424	ddacabfcdbff.exe	86
PID 2424 wrote to memory of 1328	2424	ddacabfcdbff.exe	86
PID 2424 wrote to memory of 528	2424	ddacabfcdbff.exe	88
PID 2424 wrote to memory of 528	2424	ddacabfcdbff.exe	88
PID 2424 wrote to memory of 528	2424	ddacabfcdbff.exe	88

C:\Users\Admin\AppData\Local\Temp\2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe
"C:\Users\Admin\AppData\Local\Temp\2018b80cd3c7f727c5ed0a874be03c0bb785b86371b25ff90a95220f09d3e685.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\ddacabfcdbff.exe
  C:\Users\Admin\AppData\Local\Temp\ddacabfcdbff.exe 5-8-9-4-9-9-4-6-0-1-7 KkhAQDQtLzIgLkxQOkdFOzQsGi9NPk9PRk5CQEA3MB8oP0FKUEA7OSogLjxEPDQsFyZMTE9DTj5MVkU7NCwaL1I+TU48TlZMTkY9Z21vaDErJmpucC5DPk5DJFBGRyk7UE8nREY9SxcmP0ZJQkREPDQcJjstNy0wGSo8KTkkKBwpRDI2KCkXKzsrOScxHyg/LTQpKBcrSlJOPVA7S1tHSUVQQUJSOBgmTElGQE9DU1hATUM9NBcrSlJOPVA7S1tFOEk/PR8oQFA8W0xJSDcgLj5TPVY/RDtIQ05ENhsnP0tKS1s8Uk5QTj1JOScXK05IQEdGUUZRVkxORj0fKFFFNC4XJkBNMTwZKkpMSktAST9fVj5HO0ZJPEBJO0dETk1ENBwmQE9ZUlRHT0FEQTRrbm9lHyhNPUtRSUVFSEdeTk49SVs7OFVNPTEZKkBAQDxPOSsgLkJOVztVRThJQ0NePkk7SVVHS0E+PWVaZ2tcHCY7S1FOS0g8PFZFRzQtMTMtKyswJS0wLSosMTQZKkxASTw0LS4yNjAtKCs0MBcrPk9WR0dHOEBWS0VHRTwsKisnKyknLS8qMDMrKTEuMCFMRw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669701868.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669701868.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669701868.txt bios get version
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669701868.txt bios get version
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669701868.txt bios get version
    3⤵
    PID:528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 924
    3⤵
    - Program crash
    PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2424 -ip 2424
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81669701868.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669701868.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669701868.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669701868.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669701868.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddacabfcdbff.exe

Filesize
767KB

MD5
63513c5434ccd51f9bd83845a6b1b36d

SHA1
4cdcdca0c5fa0193df418270444d9bdacff4d197

SHA256
85dcd3ccdb45ffaa60c35b8f5be4f70dddf6f15fb8baf6f4521a84b65df22f0a

SHA512
a5ec442a7105d5e4061aae826c4fbf21d22294f65cddf4c31ee738ad9d745516266730be1df0856efa5dc3afb93205154adbb4c1b379b3ab5243b4fb0d35cf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddacabfcdbff.exe

Filesize
767KB

MD5
63513c5434ccd51f9bd83845a6b1b36d

SHA1
4cdcdca0c5fa0193df418270444d9bdacff4d197

SHA256
85dcd3ccdb45ffaa60c35b8f5be4f70dddf6f15fb8baf6f4521a84b65df22f0a

SHA512
a5ec442a7105d5e4061aae826c4fbf21d22294f65cddf4c31ee738ad9d745516266730be1df0856efa5dc3afb93205154adbb4c1b379b3ab5243b4fb0d35cf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst908E.tmp\hylcx.dll

Filesize
120KB

MD5
c098029d4cd7b60fb9ec45594b03d022

SHA1
f8d3e8fa5003b610283daebc77ddf43adba7e9be

SHA256
8b48658998701bd8589c4bd72343eb8361e9daf8038dea775722bbef8e85b632

SHA512
780130d6bc7aaf1684d31db2b5da30a11d510e5363466f4f1318dc90bedcbacf2ae88edaab52d30adc5c857fa22cfd755d2a8dace34ce3a6744ebabe2c605d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst908E.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit