e44b7cb522f6a1a67726febb34253b2d42cad1e051ca1914f98a37b8c4bf9128

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132cc996378ae11e80c2397ee84336b9.exe
Size

581KB
MD5

132cc996378ae11e80c2397ee84336b9
SHA1

ab832e0e997cb4c698b5bc6012a61d0de71f2fa9
SHA256

e44b7cb522f6a1a67726febb34253b2d42cad1e051ca1914f98a37b8c4bf9128
SHA512

53157ebbeb7971b45b08aa99356e2d085bcbce828aa1dfa41164f0803348341ae8f2b82a9c1a3ec117cf6e0a0f7dc182e829a98b6d8628099870a2c00e5886d4
SSDEEP

12288:zs2hRGyvdlHBQ4HRK0m1w+If+SlNCO8ns72I+9bA8lKo0aOAMd:zs2WqvHBQ2RK0me+VSx8Apub6uO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1124	bcgcabfccceh.exe

Loads dropped DLL 10 IoCs

pid	Process
1900	132cc996378ae11e80c2397ee84336b9.exe
1900	132cc996378ae11e80c2397ee84336b9.exe
1900	132cc996378ae11e80c2397ee84336b9.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	1124	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2540	wmic.exe
Token: SeSecurityPrivilege	2540	wmic.exe
Token: SeTakeOwnershipPrivilege	2540	wmic.exe
Token: SeLoadDriverPrivilege	2540	wmic.exe
Token: SeSystemProfilePrivilege	2540	wmic.exe
Token: SeSystemtimePrivilege	2540	wmic.exe
Token: SeProfSingleProcessPrivilege	2540	wmic.exe
Token: SeIncBasePriorityPrivilege	2540	wmic.exe
Token: SeCreatePagefilePrivilege	2540	wmic.exe
Token: SeBackupPrivilege	2540	wmic.exe
Token: SeRestorePrivilege	2540	wmic.exe
Token: SeShutdownPrivilege	2540	wmic.exe
Token: SeDebugPrivilege	2540	wmic.exe
Token: SeSystemEnvironmentPrivilege	2540	wmic.exe
Token: SeRemoteShutdownPrivilege	2540	wmic.exe
Token: SeUndockPrivilege	2540	wmic.exe
Token: SeManageVolumePrivilege	2540	wmic.exe
Token: 33	2540	wmic.exe
Token: 34	2540	wmic.exe
Token: 35	2540	wmic.exe
Token: SeIncreaseQuotaPrivilege	2540	wmic.exe
Token: SeSecurityPrivilege	2540	wmic.exe
Token: SeTakeOwnershipPrivilege	2540	wmic.exe
Token: SeLoadDriverPrivilege	2540	wmic.exe
Token: SeSystemProfilePrivilege	2540	wmic.exe
Token: SeSystemtimePrivilege	2540	wmic.exe
Token: SeProfSingleProcessPrivilege	2540	wmic.exe
Token: SeIncBasePriorityPrivilege	2540	wmic.exe
Token: SeCreatePagefilePrivilege	2540	wmic.exe
Token: SeBackupPrivilege	2540	wmic.exe
Token: SeRestorePrivilege	2540	wmic.exe
Token: SeShutdownPrivilege	2540	wmic.exe
Token: SeDebugPrivilege	2540	wmic.exe
Token: SeSystemEnvironmentPrivilege	2540	wmic.exe
Token: SeRemoteShutdownPrivilege	2540	wmic.exe
Token: SeUndockPrivilege	2540	wmic.exe
Token: SeManageVolumePrivilege	2540	wmic.exe
Token: 33	2540	wmic.exe
Token: 34	2540	wmic.exe
Token: 35	2540	wmic.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe
Token: SeSystemProfilePrivilege	2612	wmic.exe
Token: SeSystemtimePrivilege	2612	wmic.exe
Token: SeProfSingleProcessPrivilege	2612	wmic.exe
Token: SeIncBasePriorityPrivilege	2612	wmic.exe
Token: SeCreatePagefilePrivilege	2612	wmic.exe
Token: SeBackupPrivilege	2612	wmic.exe
Token: SeRestorePrivilege	2612	wmic.exe
Token: SeShutdownPrivilege	2612	wmic.exe
Token: SeDebugPrivilege	2612	wmic.exe
Token: SeSystemEnvironmentPrivilege	2612	wmic.exe
Token: SeRemoteShutdownPrivilege	2612	wmic.exe
Token: SeUndockPrivilege	2612	wmic.exe
Token: SeManageVolumePrivilege	2612	wmic.exe
Token: 33	2612	wmic.exe
Token: 34	2612	wmic.exe
Token: 35	2612	wmic.exe
Token: SeIncreaseQuotaPrivilege	2124	wmic.exe
Token: SeSecurityPrivilege	2124	wmic.exe
Token: SeTakeOwnershipPrivilege	2124	wmic.exe
Token: SeLoadDriverPrivilege	2124	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1124	1900	132cc996378ae11e80c2397ee84336b9.exe	28
PID 1900 wrote to memory of 1124	1900	132cc996378ae11e80c2397ee84336b9.exe	28
PID 1900 wrote to memory of 1124	1900	132cc996378ae11e80c2397ee84336b9.exe	28
PID 1900 wrote to memory of 1124	1900	132cc996378ae11e80c2397ee84336b9.exe	28
PID 1124 wrote to memory of 2540	1124	bcgcabfccceh.exe	18
PID 1124 wrote to memory of 2540	1124	bcgcabfccceh.exe	18
PID 1124 wrote to memory of 2540	1124	bcgcabfccceh.exe	18
PID 1124 wrote to memory of 2540	1124	bcgcabfccceh.exe	18
PID 1124 wrote to memory of 2612	1124	bcgcabfccceh.exe	27
PID 1124 wrote to memory of 2612	1124	bcgcabfccceh.exe	27
PID 1124 wrote to memory of 2612	1124	bcgcabfccceh.exe	27
PID 1124 wrote to memory of 2612	1124	bcgcabfccceh.exe	27
PID 1124 wrote to memory of 2124	1124	bcgcabfccceh.exe	25
PID 1124 wrote to memory of 2124	1124	bcgcabfccceh.exe	25
PID 1124 wrote to memory of 2124	1124	bcgcabfccceh.exe	25
PID 1124 wrote to memory of 2124	1124	bcgcabfccceh.exe	25
PID 1124 wrote to memory of 2824	1124	bcgcabfccceh.exe	23
PID 1124 wrote to memory of 2824	1124	bcgcabfccceh.exe	23
PID 1124 wrote to memory of 2824	1124	bcgcabfccceh.exe	23
PID 1124 wrote to memory of 2824	1124	bcgcabfccceh.exe	23
PID 1124 wrote to memory of 776	1124	bcgcabfccceh.exe	22
PID 1124 wrote to memory of 776	1124	bcgcabfccceh.exe	22
PID 1124 wrote to memory of 776	1124	bcgcabfccceh.exe	22
PID 1124 wrote to memory of 776	1124	bcgcabfccceh.exe	22
PID 1124 wrote to memory of 2576	1124	bcgcabfccceh.exe	35
PID 1124 wrote to memory of 2576	1124	bcgcabfccceh.exe	35
PID 1124 wrote to memory of 2576	1124	bcgcabfccceh.exe	35
PID 1124 wrote to memory of 2576	1124	bcgcabfccceh.exe	35

C:\Users\Admin\AppData\Local\Temp\132cc996378ae11e80c2397ee84336b9.exe
"C:\Users\Admin\AppData\Local\Temp\132cc996378ae11e80c2397ee84336b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\bcgcabfccceh.exe
  C:\Users\Admin\AppData\Local\Temp\bcgcabfccceh.exe 3-6-2-0-6-9-3-1-3-9-5 LEpHRDcoNTgxJxssTVNCSkBBPC0XKks/UldJSUhIQTQsHSlCSU1LRkM6KTAtMzAgKTpGQzonGyxKUE8+TEBTXEA/OiwyMjEvHS5QPE1TP1BfT0lJPGVrb200LS9tXG91K2tjYidfcGokYWBxWClmaGRvGiZAS0Y6RkY+OyApOy48LRcqQSw7LSsXLEMwNCguGi1ELjQqMB0mPzI3KzEaJk1RTDtQQE5dUExAU0BAUDgdKU5SSTtSQlFWQFJGPz0aJk1RTDtQQE5dTjtEQjw+W2pfXyMyKj1pYHBfIC8qTmxbcGJxHSZAVT9dVUxDOmdxa2s3KS1hamdwcnFYb2ZdMGZeK3BkMlxoK20xLltkXnlsZVx0bSxjaWQsaGtqb15mal9gY15yZVZraVt3ZWxWLjJcZ2dyYWduKFx1ZB0mQFU/XUNHO0lISzw4HSlGT01LXEFPRlJQP1A9LBcsU0U4SUhTTVVZTE9LOhcqU0c7MhomQVIuNCwxLDAyLSgxLzYqLDAzKjIyJzArUkonamxpX2hdYDAtIzAyLipvXGUpNTUjPmVsbW1fIzFhYyteLzJiZl4qLzgvWV5iKzA3YF0vNDRZXmIyMWExI2FgcGs4VmhIel1hLXlKO153RGtKcEdRSGpQLWlxX1dLMEppZHBIQTt4TT1RZ2BVRWtXPi9ESEthRE88VHZMQkVxRFFmLkVlVi1LVDspSkM+K0l3YTFNc1FnYFVBa1c+L0RIS2FETzxUdkxCRXFEUWYuRWVWLktUXSlKeUYpSFFdM01zUXdhRGNmTU4/bV0qU2heTkw2R2hBcURRZndFdT50S1RDKEpDPm5IQTt1SmdFbWNUY2ZNTmU1R3FSeEpLTDFHeEFyRlFILkVlVi1Mak9kYDE1MEhmVGhjZ2NoT1FEc0xOU3pJS2RsV09jZ1tVUTNEZ0hqWVIuKk5TKm9HbD
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2576

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703472917.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703472917.txt bios get version
1⤵
PID:776

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703472917.txt bios get version
1⤵
PID:2824

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703472917.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703472917.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi13DF.tmp\eor.dll

Filesize
92KB

MD5
446e158e8d97b0c05d80e5aa2d650358

SHA1
4f834d1285f31d648a03ba7116b280e85b97926b

SHA256
77ef09c9252e277ee309ae4ba576e4e18f522ed1a77d877f779441f0b7b3ab0e

SHA512
9387875ebedbb9c7567c653b0ce37a3a707f1d4bdf70fce2041b0dfcdef5bb7ed40cfe0f7e600d8cbe59fb3def14c2cdbfce4b29a3294c71be97317aee35e457

Download Submit