1422f14b22bc32ddd923d8d8885f78419c1f0a4ad5f0d84bf196fbad651955fe

Analysis

max time kernel
0s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1446ae98042bab807891b0d373f70168.exe
Size

574KB
MD5

1446ae98042bab807891b0d373f70168
SHA1

ae6b5f0698090d6f88732006091bdec2bdabb585
SHA256

1422f14b22bc32ddd923d8d8885f78419c1f0a4ad5f0d84bf196fbad651955fe
SHA512

c23fa22a66a363a9a622802af25f46840f32fac78817025736ab7be4f24bd527e5a35d66e208d664baee97fa827c2ccd8bf42fdeba24f7966c0681a60ea6a1e3
SSDEEP

12288:TK0cjfyBYdfzRGE4OxueN1cJpWng7BSRZfjymE5s0Xd8F5oOqz:TK0cjqBYdfzRGEZNCDW8qhWs0XCF5oX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	bcchcabedebdb.exe

Loads dropped DLL 3 IoCs

pid	Process
1032	1446ae98042bab807891b0d373f70168.exe
1032	1446ae98042bab807891b0d373f70168.exe
1032	1446ae98042bab807891b0d373f70168.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1384	2756	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe
Token: SeRemoteShutdownPrivilege	2684	wmic.exe
Token: SeUndockPrivilege	2684	wmic.exe
Token: SeManageVolumePrivilege	2684	wmic.exe
Token: 33	2684	wmic.exe
Token: 34	2684	wmic.exe
Token: 35	2684	wmic.exe
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2756	1032	1446ae98042bab807891b0d373f70168.exe	29
PID 1032 wrote to memory of 2756	1032	1446ae98042bab807891b0d373f70168.exe	29
PID 1032 wrote to memory of 2756	1032	1446ae98042bab807891b0d373f70168.exe	29
PID 1032 wrote to memory of 2756	1032	1446ae98042bab807891b0d373f70168.exe	29
PID 2756 wrote to memory of 2796	2756	bcchcabedebdb.exe	18
PID 2756 wrote to memory of 2796	2756	bcchcabedebdb.exe	18
PID 2756 wrote to memory of 2796	2756	bcchcabedebdb.exe	18
PID 2756 wrote to memory of 2796	2756	bcchcabedebdb.exe	18
PID 2756 wrote to memory of 2684	2756	bcchcabedebdb.exe	28
PID 2756 wrote to memory of 2684	2756	bcchcabedebdb.exe	28
PID 2756 wrote to memory of 2684	2756	bcchcabedebdb.exe	28
PID 2756 wrote to memory of 2684	2756	bcchcabedebdb.exe	28
PID 2756 wrote to memory of 2556	2756	bcchcabedebdb.exe	27
PID 2756 wrote to memory of 2556	2756	bcchcabedebdb.exe	27
PID 2756 wrote to memory of 2556	2756	bcchcabedebdb.exe	27
PID 2756 wrote to memory of 2556	2756	bcchcabedebdb.exe	27

C:\Users\Admin\AppData\Local\Temp\1446ae98042bab807891b0d373f70168.exe
"C:\Users\Admin\AppData\Local\Temp\1446ae98042bab807891b0d373f70168.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe
  C:\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe 0-3-5-7-7-3-0-4-8-5-1 L01EPTYuMywvLh8vUFA7SUZEOSgbLk5CT1BIT0tFPDgvICw/QkxRSUA1LTM2LSwZKEBJQDUrHy9NTUg9UkNQV0RDPS4xMi0dL089TVVFT1pOS0k9ZGxvbzosKmxeb3YqbGNkLV5raSZhYXBZKWhuY2oZKEBMRTtGSEQ6X20qLWdMT2BrSR0qPSo6TlFFPURSHSo9KzotLRgqQzM6KCoZLEQwNSgwICw/LjYqMRwnS1FPQVA8TVxQTkFRQENWOBkoTVJLPFBCVFxATkU+PRwnS1FPQVA8TVxOPUVAPCAsQFE+XFVORDgfL0JTPlhATUBERE1FOhsoQUxTUFc9UU9UTj5LOjIcJ09HQUtGUkhSX1FKRzwgLE9CRkI9LSwsODYxLS0wNiArTkg8Mh0qPUwuPRwnTVROUURGPlxXQUQ+Tk1CREY6REVRSkc8ICxETFhPVUpMRExFOm9rbmIgK0pAU1VPSUJHRF9RS0BRX0E8Ukw6MhwnQ0hEQlM2Kh0vRUtaQ1lLPEZCQF9BRj5RWU1PPj06Zl1kbmQgLD9IUEtMSzk/XlRGSD42LjIrKjIuMi0sLSMuOiwvNTQ5JzxGGSxES09JS08+P1hCTT0zKykwOCssLTIrMzQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536949.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536949.txt bios get version
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 368
1⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536949.txt bios get version
1⤵
PID:2364

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536949.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536949.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703536949.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
61KB

MD5
06df35114e337b2ad359a6b33d7c1104

SHA1
438c55b2418591b49b89bbeccb506a31a173829b

SHA256
4ece0ab742fc5d1914ccaf9ae1b48bfdd3d04fc72a569a687c2d85162c32ae9d

SHA512
45edd03ec932f6012bae6d25ac2ddeecd173cc831461f6ffd40f8a1c0cfb0701059e396eadc9616a5702d6c9233609c0f90476c151f0eb43c7e42d8268bdf601

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8B9.tmp\zzp.dll

Filesize
108KB

MD5
2e352e4574545d13bbb4004f508c6f1e

SHA1
f90cadb5e3696167e183ba548abd4c8086566318

SHA256
3cee88da308c942dd2900192691779432f9326819fe7da08c9c555bf56a9fac0

SHA512
2cd3250bca3e4f998c7fcee4f17a3e1f01249ce4eab4b09373937551d0055ea1dfdad74149ab8281a1bf4b8195a492fb48eabbd04c63374a1561dcd910289da6

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
30KB

MD5
559914d44ea0a6ee995c76aae27dbdba

SHA1
aaac93f1238dc75e6ac6500167bdb5ea12fc8b75

SHA256
3aaecb872d0653efccd5a5904b33c3173723a2b94deb18e1554b4214e5b005be

SHA512
abe4bbc6d0053c556c1996bf2c742005bbd32a620c25ad73881c9f5e3c1c09f9f67c13332c161dcf022cc244697fa6b0c2695f59ded27398bedec424dd6fe242

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
21KB

MD5
16377655e7941d641e7fac7df896896f

SHA1
ada777809554a952c37db9eb9ab55804402e72bf

SHA256
3189a2e9d4f46ff9769e8aa65edb7860701e90efebfee440cfc816941890e431

SHA512
f956d9e955348a26c5843241fe1b81cc84ac59c4899dbca17a09ef587f942b844feed96cc725c3ae652ba7a96b798b14c30283af9e71ca2b6035c28d1ff9b9cf

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
18KB

MD5
7755ffa15a9c83e4c91c20691eaf8b80

SHA1
55347ad6cac2d87b448033888536bf6d7e94fcad

SHA256
323b4f010f5f999fe4ebc338fed0e12e20b57b8e15bd82c71802ed086a7b2b53

SHA512
a5a8db2e207162fbc62bea2cd1d074a8b861c935e2ba2fbd7f672f81698a21cb077cc11f7d9ed1c6ec2ab7605393306bdafb29e29f83264fef4d750a6f17d99a

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
55KB

MD5
6b2261cbab4a6ee698f3260d003309a9

SHA1
744c29ff905420bf55f15caace66aa5df0598142

SHA256
cf2ebc9cfe6d6a5c5a9d4446423d47f949de1315760cc97faf94e2f4e38c3ddb

SHA512
dfcbaa83297dcdf6d885e63034e15ddd242cc12c8b1daacfb853d07730679681641c58fb3354fff5f275ecc29fcfd7c74fb44c7404d0cecf965a73e518441c17

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
76KB

MD5
1596517de47dcfa7e8b45203e3df8459

SHA1
e6948eba7c6a306106bc7db2e1d69e072f12ad18

SHA256
8de7ba36428b4dac845129af25d7568df59174115c9ddc53b4007d1573744c92

SHA512
598b435e985a9eff77ae3e55ab113b4a80f43c800ce5aa8f1318a6487e2e2987293b953d381a2b748b57a9762c90946d55d7df812592793c4c5b316140d7a4ff

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
102KB

MD5
aea2ab10b415a415f5428bca86992ddf

SHA1
c03a8e9936bd82819b44c78ef2df3c9a06e972a9

SHA256
55f9e23773d4a63e751d518825318a2860b3b48c7a189c50515446e5a1f61e8b

SHA512
b76d402f7c06cc125327a23edd7ff102de998ec510d1d8aa90a2652683d1f969e2538f2ac63c126dcb44295e3da0b94b949c6c3cd5c146b7228c53096717c4c3

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
49KB

MD5
3d3a916b09895a948dc8a0755aa580e6

SHA1
7be42e19ee8f6a65b92e8cec6235242159f8dd15

SHA256
763257ba1c658b32ed214a087a0e57f6c8fdc6962d0b47b4f091280bafa00b3f

SHA512
93e5c99cf0062a6679f52f2ea4116605e369238810f8f6d79c8a935592db498bd903568a63daeca39ebe9216e35df9d6bdb28918885b0a1d15b5bdfcf816d9b1

Download Submit
\Users\Admin\AppData\Local\Temp\bcchcabedebdb.exe

Filesize
35KB

MD5
5271f76b85e9b06fa94bc5c3b3414566

SHA1
5e512410bd423185871719f9707abb809cf345f2

SHA256
fe7eb540eca371ee773cccda2f30abc9ec8e013868d6b7f1d65ba40f503c7e44

SHA512
36d18550cd62c7fa848ca3f4d3005518ec3f56d360f8dcbfb86a4521aefdeac57ce15c43d738249477cb3c9608eee1c9096b187240b9dbc3928406c46cadd5db

Download Submit
\Users\Admin\AppData\Local\Temp\nso8B9.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\Temp\nso8B9.tmp\zzp.dll

Filesize
93KB

MD5
a741aef20e07f910b9aeda6e0f27a713

SHA1
48d07a88aa95f9869c33048f9c41c1ec6c2623a6

SHA256
b3db02676d101b0c70ccc20574c082cc81e1a31466d72eddb28144262ead0fa7

SHA512
0a876476f73b65e5a40cf141de5d24d111ffad5f002ba849d8e5bc3edd39b89b5d8033041146e2bb81e0dfdee02370747d3b1b50eea267c8f9ceeb8ad4aefada

Download Submit