216264f5238b45e5a4247b44d886c7a07f1a5d840ab9e8a941eda17476ccf856

Analysis

max time kernel
0s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 21:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

140fc2e9c2d52fa803c57bf27c85a867.exe
Size

576KB
MD5

140fc2e9c2d52fa803c57bf27c85a867
SHA1

f97d583078be3d0ff7bc4eb84386ddf9ba8e0074
SHA256

216264f5238b45e5a4247b44d886c7a07f1a5d840ab9e8a941eda17476ccf856
SHA512

177e35d2a749d351fff33ef339b82d0e4d29f7bc417c318c646793240d3423d9c7b247df9d1a345bacd218f7235b97468e7a302d1aab5fa940d9337692dcce53
SSDEEP

12288:9kJw5nM2N4KxJMixKTssY3P0AVnvdc89qAgte8ytgnqSoosQlR1NITwc2m:9kl2NTxJMYsOnh99RgtDqDoLRTiwcR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	ebccabfbcabgf.exe

Loads dropped DLL 3 IoCs

pid	Process
1800	140fc2e9c2d52fa803c57bf27c85a867.exe
1800	140fc2e9c2d52fa803c57bf27c85a867.exe
1800	140fc2e9c2d52fa803c57bf27c85a867.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1572	2680	WerFault.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2756	wmic.exe
Token: SeSecurityPrivilege	2756	wmic.exe
Token: SeTakeOwnershipPrivilege	2756	wmic.exe
Token: SeLoadDriverPrivilege	2756	wmic.exe
Token: SeSystemProfilePrivilege	2756	wmic.exe
Token: SeSystemtimePrivilege	2756	wmic.exe
Token: SeProfSingleProcessPrivilege	2756	wmic.exe
Token: SeIncBasePriorityPrivilege	2756	wmic.exe
Token: SeCreatePagefilePrivilege	2756	wmic.exe
Token: SeBackupPrivilege	2756	wmic.exe
Token: SeRestorePrivilege	2756	wmic.exe
Token: SeShutdownPrivilege	2756	wmic.exe
Token: SeDebugPrivilege	2756	wmic.exe
Token: SeSystemEnvironmentPrivilege	2756	wmic.exe
Token: SeRemoteShutdownPrivilege	2756	wmic.exe
Token: SeUndockPrivilege	2756	wmic.exe
Token: SeManageVolumePrivilege	2756	wmic.exe
Token: 33	2756	wmic.exe
Token: 34	2756	wmic.exe
Token: 35	2756	wmic.exe
Token: SeIncreaseQuotaPrivilege	2756	wmic.exe
Token: SeSecurityPrivilege	2756	wmic.exe
Token: SeTakeOwnershipPrivilege	2756	wmic.exe
Token: SeLoadDriverPrivilege	2756	wmic.exe
Token: SeSystemProfilePrivilege	2756	wmic.exe
Token: SeSystemtimePrivilege	2756	wmic.exe
Token: SeProfSingleProcessPrivilege	2756	wmic.exe
Token: SeIncBasePriorityPrivilege	2756	wmic.exe
Token: SeCreatePagefilePrivilege	2756	wmic.exe
Token: SeBackupPrivilege	2756	wmic.exe
Token: SeRestorePrivilege	2756	wmic.exe
Token: SeShutdownPrivilege	2756	wmic.exe
Token: SeDebugPrivilege	2756	wmic.exe
Token: SeSystemEnvironmentPrivilege	2756	wmic.exe
Token: SeRemoteShutdownPrivilege	2756	wmic.exe
Token: SeUndockPrivilege	2756	wmic.exe
Token: SeManageVolumePrivilege	2756	wmic.exe
Token: 33	2756	wmic.exe
Token: 34	2756	wmic.exe
Token: 35	2756	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe
Token: SeSystemProfilePrivilege	2576	wmic.exe
Token: SeSystemtimePrivilege	2576	wmic.exe
Token: SeProfSingleProcessPrivilege	2576	wmic.exe
Token: SeIncBasePriorityPrivilege	2576	wmic.exe
Token: SeCreatePagefilePrivilege	2576	wmic.exe
Token: SeBackupPrivilege	2576	wmic.exe
Token: SeRestorePrivilege	2576	wmic.exe
Token: SeShutdownPrivilege	2576	wmic.exe
Token: SeDebugPrivilege	2576	wmic.exe
Token: SeSystemEnvironmentPrivilege	2576	wmic.exe
Token: SeRemoteShutdownPrivilege	2576	wmic.exe
Token: SeUndockPrivilege	2576	wmic.exe
Token: SeManageVolumePrivilege	2576	wmic.exe
Token: 33	2576	wmic.exe
Token: 34	2576	wmic.exe
Token: 35	2576	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2680	1800	140fc2e9c2d52fa803c57bf27c85a867.exe	27
PID 1800 wrote to memory of 2680	1800	140fc2e9c2d52fa803c57bf27c85a867.exe	27
PID 1800 wrote to memory of 2680	1800	140fc2e9c2d52fa803c57bf27c85a867.exe	27
PID 1800 wrote to memory of 2680	1800	140fc2e9c2d52fa803c57bf27c85a867.exe	27
PID 2680 wrote to memory of 2756	2680	ebccabfbcabgf.exe	26
PID 2680 wrote to memory of 2756	2680	ebccabfbcabgf.exe	26
PID 2680 wrote to memory of 2756	2680	ebccabfbcabgf.exe	26
PID 2680 wrote to memory of 2756	2680	ebccabfbcabgf.exe	26
PID 2680 wrote to memory of 2576	2680	ebccabfbcabgf.exe	25
PID 2680 wrote to memory of 2576	2680	ebccabfbcabgf.exe	25
PID 2680 wrote to memory of 2576	2680	ebccabfbcabgf.exe	25
PID 2680 wrote to memory of 2576	2680	ebccabfbcabgf.exe	25

C:\Users\Admin\AppData\Local\Temp\140fc2e9c2d52fa803c57bf27c85a867.exe
"C:\Users\Admin\AppData\Local\Temp\140fc2e9c2d52fa803c57bf27c85a867.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe
  C:\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe 8-3-0-6-5-6-5-6-7-5-2 J01JPjgrNC0vLh4nUFU8S0M/NykbLUZCVFFKTEZDPTgvHS8wam1pX29cb2xZamU3TV9kZ1piYxgsRENOTkQ+Ni01Ly4yGio9RD42Kx4nTVJJP08+TlhEQjUvNjMvLRspTEBQTkJSWVBMRzdhb3JoNy8pbmxxKD1AUUMqVElLJzxKSSlHRkNPGio9R0M8Rkc8OiApPys4JyobLTwvPScsGio+LDgrKR0vPi83KCsZKkItOi0rGylLTEg/UztRX0pNQ1E7PFQ7GCxQTEo+UD1NWkNNSUE3GylLTEg/UztRX0g8R0A3GSpDUEJfT01GOBooQFY9XENHP0ZESD44HidFT01PWT1MSFJRPU89LxspT0I6SUlRTFVZUExHNxkqVEU6MhoqPk4rNhstSlJOTkRHQFlQQEo7TE0/REc8QT5QUEQ6IClETVpMTklSQUpFN29scF8ZKlA9UVVMSUNJQVhQUT1PXz48U043KxstQEZEP1M3LBooRFFXQVlIPEdEPVhATDtPWUpPPz83X1xqa2IgKT9JUkhFSj88XElKOCszLCcxNyYvNDMpMS0aKE9HRUI9Ky8sMzIqMjcwMSApP0lSSEVKPzxcVENIPzguKCwwJy8wKzAkMDQuLjgoMSo7SA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 368
1⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703535889.txt bios get version
1⤵
PID:2984

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703535889.txt bios get version
1⤵
PID:2568

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703535889.txt bios get version
1⤵
PID:2664

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703535889.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703535889.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703535889.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
39KB

MD5
6c1cfe0cff1e707ce604cca431acbaa0

SHA1
93a72b980a23b8283cbb9455c8944b75170dca47

SHA256
98375492e2c0f22e52ed2f3881a01ee8d3aff4119785d88fde5d86ac8f05b248

SHA512
596ed500861e0d8ce8a4034163639592f72048229ae3d61796ddf6144ae0e255906111111f5dcd0b336b2dd3af66d57b9dfe19ee50cd835e8f8779a6f3414c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi195B.tmp\jdvis.dll

Filesize
51KB

MD5
0934181a56243c8232b30e128cf008ee

SHA1
dd4198f20b8633fc461e85f1897704b12a93f5ae

SHA256
83940e0707026e8d4370b15e3f1b9ebed742096d4b72a870df8dcc3258f9d815

SHA512
21a9db2dfbfb3deef7e3ccd312276b27e6b126f24ab3069c8cd86a9c3532576f8ee6bb64b61b014e9eccf126b358208044dfce98abd03775e665d4b9300a05d6

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
459B

MD5
3d38a52c1a7cf0c111a9c87823020c25

SHA1
26541570c87877b10ca8f5a6abef15cd1c2ae6a4

SHA256
51ef203245c7c27df1be24394cf16c6ed6fd24cd16a9ac46bf471656f33142ae

SHA512
94868738d5f59bde070a44c1ae23ebb70a74854771baae880965878b933f402b2e88bca7baf25be6290ceb3b9d7607bbdf392389e6eb40c2a78edf2c214921bc

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
65KB

MD5
43b8954a172018073f06921ea00ae46e

SHA1
d1a550496532e6f71e51bde005aae55e7dedc837

SHA256
c3ce5a20b461d44146f80faae2fe08a50857b63751bdef1055aa81f5eb4bda14

SHA512
070a39c21d5d7c8fd7b18ea758a7a8a27f8ead3053c6f3106e787c78308e8a20d6fdb06167b18ef591f110f8e650d887ca878644843e7fb62b37873c912c15f3

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
47KB

MD5
03310f1f2878b208a25bd36a93af9399

SHA1
b7006474bb160ceb05f6194bbcefb1bec09e1542

SHA256
675c78725a166d8705d097ac5b525ded52cd79181212fa74aba2fb4e77152dbb

SHA512
7c88f2941457dde3a1c4984ba1bb9e1c064a0bd46320ab2d3e36ca06aec8ad041ab250079f010fbb17d1144fc14dc7b9493308a4575de6857d8fd81ed31af0e9

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
1KB

MD5
3d0125bd7e05aa4ff4d01f0a88176207

SHA1
d0f82b1912863d6c4385646021e9569f13169bec

SHA256
d353265e4da085c1995e585a9c07d54bf263f544786ced23e0ed881e97178e54

SHA512
7284b3b4bf3723963dd2664343d5985082187cf57349015183240db6b7c3db90ac07f9a3fb6c1c661f4c39492ff173b518e3e07ece76d38f155a2c8d3d1a4b84

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
8KB

MD5
3089afa01df7fa610db23adeeefe98fb

SHA1
77f29e02ea8528b727e347efc940877ce4b6ad53

SHA256
2cb4100d372246acb46d92f4623e8c5d8b5238af81f6308592ec5119720e02a4

SHA512
f1d923efbe2a76c7f7d877296650a5b8e39cf59ba996ab29ea78d9cd228c3b6c19a8ecdb83e5c01326dcbacd111d8bd7e419dda73e46720330958f77be3faa2f

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
19KB

MD5
1925c5ac8e0ff8583b292ea3cf758be8

SHA1
04d6c9606cfc4d5117c9f3285f545bda6ebd28a0

SHA256
fff75eb4776c6b9398c20c18fa67e996cb2235a090985eb0bd463ed354fa1338

SHA512
a17d83183fba83634239b2ffaa488a00b92083f16b023fc0e90da3a634ad1066a4277f0915e9eed87f78c8fda2cb3fcc01d7cfceddb831bb9cb2450f15ebb27b

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
15KB

MD5
3527966d0643908ff420768960d90017

SHA1
2723f016644363e31328553e22f7136bebdeed30

SHA256
481e157745807ee6f848d26834cbde371e82e3ab646e593e64364f47ba1a3e3d

SHA512
838695a9770c45a01889c988010dbb4ca21619b51486ded947e95c366aaf599b0b2320970a32a80aa4d620cb61a3a18d7abb3b2632b1d029614b3f00e22b662f

Download Submit
\Users\Admin\AppData\Local\Temp\ebccabfbcabgf.exe

Filesize
61KB

MD5
54f5b7c2de2489e4f948c2e76dad2bfb

SHA1
6734b7d1d528a4804b45422ab58221d66cf4a685

SHA256
d98d72235794b9f72da54720fefc30b691cf166dc85e60ee98c52199300dd72c

SHA512
2107dc1715b3eef32eeb4463d188286567e8397ac753f078cf00a4b2216c1275f7e066e4274aa1a780b14296613ac90a40e63491916b5c69707741041b22ce37

Download Submit
\Users\Admin\AppData\Local\Temp\nsi195B.tmp\jdvis.dll

Filesize
63KB

MD5
30830a4b5786105b54cd952dad09b3f8

SHA1
7dd5340ebaa6fe52344132eae671929ba22b2e06

SHA256
00c78bf3b27b9b2aac2f663ac59fbea33a876c0a86d498025b7efb673791e59a

SHA512
1cb797dfbae80a4fb6efb9315eb6bd0a4811112358af6f9aa5cda31c7a86926ba23869e545460b1502a2a223c611de11d11c33e6476a0224ce90c3ea8ec36e94

Download Submit
\Users\Admin\AppData\Local\Temp\nsi195B.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit