bbfa386b911b74571c130c9bef2d84c75fbfab5151b564df2855abbaee0553f7

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1399522d3c66e2aa291e2733e2f9b518.exe
Size

572KB
MD5

1399522d3c66e2aa291e2733e2f9b518
SHA1

ce8d74111b6b66790772638be7e463515337ca74
SHA256

bbfa386b911b74571c130c9bef2d84c75fbfab5151b564df2855abbaee0553f7
SHA512

e052727daf226fec2e53a53301b7abf34f072882695c19d916bcd3a0ea12e3be44f0dbc7952ab0b76f361041cad874a357f03aa143a4cebae371a18d5f3ceaf0
SSDEEP

12288:Tnh2UgPOmF/VhCrlqiAZDRK2p8TvaMYw4h5n+BgHNQSzG:TnhNqOW/VIrlqiA5r4vahzh5nUgtQSy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	bcdacabedejd.exe

Loads dropped DLL 3 IoCs

pid	Process
2100	1399522d3c66e2aa291e2733e2f9b518.exe
2100	1399522d3c66e2aa291e2733e2f9b518.exe
2100	1399522d3c66e2aa291e2733e2f9b518.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	2152	WerFault.exe	19

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2724	wmic.exe
Token: SeSecurityPrivilege	2724	wmic.exe
Token: SeTakeOwnershipPrivilege	2724	wmic.exe
Token: SeLoadDriverPrivilege	2724	wmic.exe
Token: SeSystemProfilePrivilege	2724	wmic.exe
Token: SeSystemtimePrivilege	2724	wmic.exe
Token: SeProfSingleProcessPrivilege	2724	wmic.exe
Token: SeIncBasePriorityPrivilege	2724	wmic.exe
Token: SeCreatePagefilePrivilege	2724	wmic.exe
Token: SeBackupPrivilege	2724	wmic.exe
Token: SeRestorePrivilege	2724	wmic.exe
Token: SeShutdownPrivilege	2724	wmic.exe
Token: SeDebugPrivilege	2724	wmic.exe
Token: SeSystemEnvironmentPrivilege	2724	wmic.exe
Token: SeRemoteShutdownPrivilege	2724	wmic.exe
Token: SeUndockPrivilege	2724	wmic.exe
Token: SeManageVolumePrivilege	2724	wmic.exe
Token: 33	2724	wmic.exe
Token: 34	2724	wmic.exe
Token: 35	2724	wmic.exe
Token: SeIncreaseQuotaPrivilege	2724	wmic.exe
Token: SeSecurityPrivilege	2724	wmic.exe
Token: SeTakeOwnershipPrivilege	2724	wmic.exe
Token: SeLoadDriverPrivilege	2724	wmic.exe
Token: SeSystemProfilePrivilege	2724	wmic.exe
Token: SeSystemtimePrivilege	2724	wmic.exe
Token: SeProfSingleProcessPrivilege	2724	wmic.exe
Token: SeIncBasePriorityPrivilege	2724	wmic.exe
Token: SeCreatePagefilePrivilege	2724	wmic.exe
Token: SeBackupPrivilege	2724	wmic.exe
Token: SeRestorePrivilege	2724	wmic.exe
Token: SeShutdownPrivilege	2724	wmic.exe
Token: SeDebugPrivilege	2724	wmic.exe
Token: SeSystemEnvironmentPrivilege	2724	wmic.exe
Token: SeRemoteShutdownPrivilege	2724	wmic.exe
Token: SeUndockPrivilege	2724	wmic.exe
Token: SeManageVolumePrivilege	2724	wmic.exe
Token: 33	2724	wmic.exe
Token: 34	2724	wmic.exe
Token: 35	2724	wmic.exe
Token: SeIncreaseQuotaPrivilege	2872	wmic.exe
Token: SeSecurityPrivilege	2872	wmic.exe
Token: SeTakeOwnershipPrivilege	2872	wmic.exe
Token: SeLoadDriverPrivilege	2872	wmic.exe
Token: SeSystemProfilePrivilege	2872	wmic.exe
Token: SeSystemtimePrivilege	2872	wmic.exe
Token: SeProfSingleProcessPrivilege	2872	wmic.exe
Token: SeIncBasePriorityPrivilege	2872	wmic.exe
Token: SeCreatePagefilePrivilege	2872	wmic.exe
Token: SeBackupPrivilege	2872	wmic.exe
Token: SeRestorePrivilege	2872	wmic.exe
Token: SeShutdownPrivilege	2872	wmic.exe
Token: SeDebugPrivilege	2872	wmic.exe
Token: SeSystemEnvironmentPrivilege	2872	wmic.exe
Token: SeRemoteShutdownPrivilege	2872	wmic.exe
Token: SeUndockPrivilege	2872	wmic.exe
Token: SeManageVolumePrivilege	2872	wmic.exe
Token: 33	2872	wmic.exe
Token: 34	2872	wmic.exe
Token: 35	2872	wmic.exe
Token: SeIncreaseQuotaPrivilege	2756	wmic.exe
Token: SeSecurityPrivilege	2756	wmic.exe
Token: SeTakeOwnershipPrivilege	2756	wmic.exe
Token: SeLoadDriverPrivilege	2756	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2152	2100	1399522d3c66e2aa291e2733e2f9b518.exe	19
PID 2100 wrote to memory of 2152	2100	1399522d3c66e2aa291e2733e2f9b518.exe	19
PID 2100 wrote to memory of 2152	2100	1399522d3c66e2aa291e2733e2f9b518.exe	19
PID 2100 wrote to memory of 2152	2100	1399522d3c66e2aa291e2733e2f9b518.exe	19
PID 2152 wrote to memory of 2724	2152	bcdacabedejd.exe	18
PID 2152 wrote to memory of 2724	2152	bcdacabedejd.exe	18
PID 2152 wrote to memory of 2724	2152	bcdacabedejd.exe	18
PID 2152 wrote to memory of 2724	2152	bcdacabedejd.exe	18
PID 2152 wrote to memory of 2872	2152	bcdacabedejd.exe	29
PID 2152 wrote to memory of 2872	2152	bcdacabedejd.exe	29
PID 2152 wrote to memory of 2872	2152	bcdacabedejd.exe	29
PID 2152 wrote to memory of 2872	2152	bcdacabedejd.exe	29
PID 2152 wrote to memory of 2756	2152	bcdacabedejd.exe	28
PID 2152 wrote to memory of 2756	2152	bcdacabedejd.exe	28
PID 2152 wrote to memory of 2756	2152	bcdacabedejd.exe	28
PID 2152 wrote to memory of 2756	2152	bcdacabedejd.exe	28
PID 2152 wrote to memory of 2612	2152	bcdacabedejd.exe	22
PID 2152 wrote to memory of 2612	2152	bcdacabedejd.exe	22
PID 2152 wrote to memory of 2612	2152	bcdacabedejd.exe	22
PID 2152 wrote to memory of 2612	2152	bcdacabedejd.exe	22
PID 2152 wrote to memory of 2868	2152	bcdacabedejd.exe	24
PID 2152 wrote to memory of 2868	2152	bcdacabedejd.exe	24
PID 2152 wrote to memory of 2868	2152	bcdacabedejd.exe	24
PID 2152 wrote to memory of 2868	2152	bcdacabedejd.exe	24

C:\Users\Admin\AppData\Local\Temp\1399522d3c66e2aa291e2733e2f9b518.exe
"C:\Users\Admin\AppData\Local\Temp\1399522d3c66e2aa291e2733e2f9b518.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe
  C:\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe 8-6-5-6-6-4-5-3-0-7-7 J0pEPjcuMjQ3GShLTz1KQ0A4LSAoRz1OUklMR0RBPSkZJz5ETU5FPzoyLikwMxspPUU/OjAZKEhMSj5PP09cST02KTA0LhorTkJSTz5KWVBMRjljcXRpMycpbl9scilxaF4mWWprJ15db14uYmdeaRspPUhEQEtCPTUtLDAuNC0uNyopKS4sMzMyLi4xMRknPiw3KxwqQTI2JikaKj4tOSguICg9LDcoKxorPzI9JioYKUtMSUBQQFRYSUpDUTs9VTgdL0lLRz5QPU5bQFJMOjYYKUtMSUBQQFRYRzlHQDcaK0BVRVhOSkY4GilBU0JfPEY8RkRIPzkbLEhITExZPUxJU05CUjYrGClPQjtKRlZPTlhNTEc3GitPRk0+NikuLDMzMi4uMTEZJ1BINywcKkFTKjYYKU1PSFBESkVYUD1GPklHQURKQUA+TUxHNxorRFBfS05GTkRHPzlvb3VeGSdMQE5PTklGTkBYTU1ATFlAPFZTNisYKUNDPkFTOjEZKEFNWj5TSjxKSTxYPUg+TFNMT0JENl9ZZm5fGis/TFdHRUc7P1lORUhCPSorJy0rKSwsLDEqLzMpKzUvMiZLSiAoPUdRSUZJPT9cSUk2KTIzKCsyLis4MScqKjE=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703532990.txt bios get version
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703532990.txt bios get version
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 368
    3⤵
    - Program crash
    PID:1896
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703532990.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703532990.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703532990.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703532990.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
442KB

MD5
5611de368559373cdc986fc193a2b1ce

SHA1
207f20cc4659285591c3a0b1c59df875ecb0d687

SHA256
3a0869b2a6a3aef6b43b0c5e12205d5b44f1071f7aa2e4fe8a01edf417506323

SHA512
66915b03221d393e863d13399966b320453fe023e29ceda5e1d13bace245fab62a1371074f9113d13a42b2dbfb6ea5b60348b785472ed417d514a18cab5fe7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd916.tmp\aal.dll

Filesize
104KB

MD5
ffbdc15f5bd54d27777ce33f6db4c710

SHA1
92895c6c2659bafa4158ceb61b74c1b8f26a46d3

SHA256
fa96425d95d5d875d1695b1a803d9407b6b1753b371e1a83860254d91a345a4c

SHA512
27953f296662096780b6820af09b495c25c42d36cdfbaa7b38b5f52c21e793f71aca8e638090ba6f279c17b7341e76bfcabdb12987ef443fdd573b70f9566d7d

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
557KB

MD5
8bcace7e5dcbddd3ba61fe4aeff9f75f

SHA1
284fced4a920ca6ba679910c27f6dd2294e0e632

SHA256
e5f6a28e26610d1216ced23f3fe62e0bac76197007040c563bdf391e86d9e98e

SHA512
611a32636f2da970582920fa84c2d414431650347116c918f849c74775b58e7ef090a0f80f5ab005e62b280993e5ed63866bbb476bd4258029758a3823bcc263

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
281KB

MD5
6a49603ddb901444d4cab7fc084b6632

SHA1
d6fb74d2b3380b89f347efe74a00295dce06ff36

SHA256
0d226c9b0a9b4926c4f91ddf87e1309627050b8ce77f40405238ca206782407f

SHA512
51560526213fc00b2ba5ca0b8e27d615f01c6b616e1560a120f27d6b154c0aae33417c5cd14a1e77af3439556a6a2e34467d8a6e3fbfa27c3bf843afbd923bcd

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
236KB

MD5
727bb61301a6eda738a56b2caceca590

SHA1
49a9cb1dfca58b4b176a4d60704adc7de6ee8783

SHA256
17e191c29fd35fa771c2e6ad7e028a64a40afd158b258cae19ab264338d3bd93

SHA512
eaf268a4b9c6e65be73c1334bbad14d3b676c4fa70e3f08c55e1dc49df322b4038eb7a8ec038b861e6e7141b6790b3a338c710c28564e0b26fbd98a0713443d2

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
309KB

MD5
9b5f12c36b3de1cccbcd6a652691a8cd

SHA1
62d5426ec127aff096cd92870cf2510242f9008a

SHA256
dbf165eeec8db8028e597b332bc54c8e8d477955c744aa930480ffea0edf25b3

SHA512
c239d6377c0a394abf7cc61de8343e2b2237d8270acc9223f665090c408af5a1fe8fd5d1721a36d06d17cfb41be6c5b1af7972cc3ddfaf426b3831180f58b076

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
236KB

MD5
64687f79e2b87a494b5b7683ef0ed6ea

SHA1
d49d337f8a19ac8454fb81834bfa7430c31e6e92

SHA256
916e590fec243b9d93e30ca15afaddfc5a789ae4391300a3ebf8a4366af53aa3

SHA512
ee09907aa4684c37cb8e04f49b5433decac98b9cf5ffca8f593ced3113162782117be1aff1eb9d0be594eed38f55280993d9bd6b2134b9c7d639a89b12cc5b30

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
127KB

MD5
91c1243a9b327dae08b6060ce6770c30

SHA1
022148fb5f59a27700c3db2bb1bbfe6c5a80005d

SHA256
3429afe31b2bd59ed9f262292af70bfad2c685723998d5d6c210c9f58b33d66b

SHA512
5ba24a6ca570d30ce9218830983b55684666be48c634f86cdb8321b63553cf93aef9b439f8ddb0adc5c5d35e9a6a9b1d3cfa233c060c400ae5f7362d84140870

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
281KB

MD5
70e3a85245303b3703c87d87ccc3fc61

SHA1
3197712ec92d01abc9cc74f0066a960508524453

SHA256
4fb6652f36876bee2716f70112d9f92e47721fb19c2e4ac39109ac5c03059a59

SHA512
78ae2abb6d125f1c2a3a5a40efad76cb0981287127d33aafb94f5ecd5f55bede271d564382b192a37b5116cef6ad695024ed1fa8b12ce5115ee5f51da4111a78

Download Submit
\Users\Admin\AppData\Local\Temp\bcdacabedejd.exe

Filesize
244KB

MD5
5dc694aa8eca2a7724c1038313618cf3

SHA1
fc7e6093218a11cfe24a1bf3e812094137a17fe7

SHA256
3c62eefc3e1ad30c0e211d1858db810ada1ed63234638e83d50fa02fb5a01442

SHA512
ff2083c0f5b062c48fdd46bec80b98805d60e061330bd6ab31c1f7d30b1f7f432a28d4389440bba9eb253b180fb5c96c3f27f7afb153e110de7933aee9a3a32d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd916.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit