Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2023 23:57

General

  • Target

    1b2843371dfb8ec5b14ac6497460ea34.exe

  • Size

    576KB

  • MD5

    1b2843371dfb8ec5b14ac6497460ea34

  • SHA1

    76e352174918f478dc05dad60a5f7ef73144b503

  • SHA256

    10cca25bcb0406586faf468c65182df22c29407eaaab66c04ff8e43c2795e60d

  • SHA512

    0c7f1a87af741413510f85163f6aa5ae9ae3a7fd3ee013babd8d776331fda766573831916604617b58cb3855a47b61810eabd35d40a218f5e430aa2e8faa38bf

  • SSDEEP

    12288:beNLh4YWj1vnmsncM6oDVhbf2WlA0ZRETFDv6:beNtcvnjcM64hD250INy

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b2843371dfb8ec5b14ac6497460ea34.exe
    "C:\Users\Admin\AppData\Local\Temp\1b2843371dfb8ec5b14ac6497460ea34.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe
      C:\Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe 6^4^7^5^9^4^5^0^5^3^5 KUxCPzQtNDMxMBspT049R0U/PSsdKkhBTVJGTkZJPzosHy4pa2lrX3VecWlbaV44SWFkbVxkYBorPURKUEREOC8yMS0rGyY/REQ4LRspTEtKO1E+VFpGPzcuLzQrLxsvTkJNUEFLWkxORz1jcW9qNigqam5xLj9CTkUpTUpHKTxQSytESEJIGyY/R0k+SEQ+ORkqOy04LSwdKj4uNigoHCpELjooKxwoPys5KDEbLD8vOSYsFytLUkpBUD1QWEtJRVFBPlY4GitJTUZAUENPXEBPSDo4FytLUkpBUD1QWEk4SUA9GyxAUkFYUElIOCAqQlM/WzxIO0hETkA6GylESE5LWz1SSlROP042MBcrT0g8S0ZTS05aTE5HPRssUUc5KxsmQE4xOB0qTFFHT0BJQF9SQkc9S0ZAQEk8R0BSTUY5GSpAT1pSUEtPQ0k+OGtucGUbLE0/UE5NRUVJR1pSTj9OWD84VU49LR0qQkU9QE85LCAqRk5ZQFJJOElEQ1pCST1OUktLQT89YV5nbWEZKjtLUk5HTDw+W0JLNDEpMS8uKSwvLykoMhsvT0ZIPzkqLyk1LTktMDIqHCg/RlNJTEo+P1lQQkg8OS8vLDQqLCwqMCExNTM0Ny4qJklIFytQQTgdKk9ORThfcG9wIDBcHy5fICliYmVvbylgZWVgL2Bgc2ZxamoqXGpkIS1mTXJpTmVmYDtrcm5nbFxeSVppWGNgclphYGpoaHQcLmEyLS8tLC4rLSkuLTItLyAsYl1qbmpnb1xhaFtqWmJcbiAyYWRgbjEvICpiayUuYSwzLy8uHC4xZCAwXywzMCwpIS02ZyIuXi4vNCsvIDIxayAtYComZ25qZHBgb2hdZmAcL19SYGZoW2NeICkyYWlnYmlbaV4gKmBNZWRqXGFh
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
        3⤵
          PID:2472
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
          3⤵
            PID:2672
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 368
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:2336

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\81703571737.txt

        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • C:\Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe

        Filesize

        359KB

        MD5

        df300a17733d91b4c6d94ca3f38b15bf

        SHA1

        e5a1d8843a6e0bb555b83e05ef3cffbd64edd693

        SHA256

        18b8b937173c3d8e519073e96a7cfe95f1be362a2d2132834b7407fe442d5f50

        SHA512

        872132961d5b7203f9d717ff827846ccb84c137b231fa3c044007da438d8e843051963da12c6ce3f9c0a3772ed5a13e0ca600adad9bfaa1ef10296060d948dda

      • \Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe

        Filesize

        764KB

        MD5

        4e79cf9d76970052c28eab71f0c7d870

        SHA1

        acdcb9c9872dd9745b579151908d194b6921a742

        SHA256

        cacfd104cf7cb24ae0b15fd34d5bdf78c622731df4b59df58d616d726e0667c5

        SHA512

        c595ebc44ffecf2bcdc7a36474bcd40c3e3d80d87f4e7d293b3e96cc20bc436da921c0139e0d816da33cb025fdc460c71fc9ed957a13e640251870c5a9a5b97a

      • \Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe

        Filesize

        64KB

        MD5

        25c0777f8576317fb976a704825ca82c

        SHA1

        11296f4fd404d04d523c97e621d67bc8e6df6e62

        SHA256

        f4b946b135c266707abb8f7be05e967f76446417d1dfb891f0f61a425016293d

        SHA512

        9399a2856d4267ddc83903172b79c5965d804dfa68f3a122544380ad32704d752b41248b8766123bf992e1b392997ff75a1b6a22d872c94ad0371be8f2ce509d

      • \Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe

        Filesize

        73KB

        MD5

        132a015c922f52603a760689a9561524

        SHA1

        d222cb09101a507fa946438ecb3c9a127f3c6b43

        SHA256

        ec510ae203aea7bb5de2ad2f981935a1116a16186549307167c3dc8e4e50e216

        SHA512

        d854e86a2a8e91875d2eac69680b03e4fc0b969532b0d6307d2812a3602ed087e35a47d248b2725e04a5056d74ea4aeb8977bc2e579fb4b3be594eea4bbfd731

      • \Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe

        Filesize

        166KB

        MD5

        d645971a789fb733c32b676ad36e0d38

        SHA1

        bd852db8bbcae8a018bb6f4d53cbd3776bfabd09

        SHA256

        7080f1e0f9fa4269803d47e41c948c0cbaad744851ec3cb1a07d288d7d142828

        SHA512

        f00dce531e21cbed03d1e61dca165df23b21a7ca7fd2760c604a99289fce0cfb867950f7226ee00909839accaeb8a3ba1c0576019a87eb381423581c2e02f27b

      • \Users\Admin\AppData\Local\Temp\nsi17D5.tmp\nsisunz.dll

        Filesize

        40KB

        MD5

        5f13dbc378792f23e598079fc1e4422b

        SHA1

        5813c05802f15930aa860b8363af2b58426c8adf

        SHA256

        6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

        SHA512

        9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

      • \Users\Admin\AppData\Local\Temp\nsi17D5.tmp\rfdyb.dll

        Filesize

        126KB

        MD5

        740244cbfd0d0d60118c75e073a816bf

        SHA1

        77237f3c19dad58f0143dba6d1e001a7b9273f88

        SHA256

        919d11eee42c3d57baeadecb4cda2cb790643ea1fd26b568ed72e48e4d90057b

        SHA512

        3c3b69f9edd64a9ab97c8c2f53f97f9fab68d14b46028d3617b3f85bbcc1dd64ff22579302772a638ed102e10324db2a8247a06a099d8683515bb7c3ce91f645