Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 23:57
Static task: static1
Behavioral task: behavioral1
  Sample: 1b2843371dfb8ec5b14ac6497460ea34.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1b2843371dfb8ec5b14ac6497460ea34.exe
  Resource: win10v2004-20231222-en
General
Target: 1b2843371dfb8ec5b14ac6497460ea34.exe
Size: 576KB
MD5: 1b2843371dfb8ec5b14ac6497460ea34
SHA1: 76e352174918f478dc05dad60a5f7ef73144b503
SHA256: 10cca25bcb0406586faf468c65182df22c29407eaaab66c04ff8e43c2795e60d
SHA512: 0c7f1a87af741413510f85163f6aa5ae9ae3a7fd3ee013babd8d776331fda766573831916604617b58cb3855a47b61810eabd35d40a218f5e430aa2e8faa38bf
SSDEEP: 12288:beNLh4YWj1vnmsncM6oDVhbf2WlA0ZRETFDv6:beNtcvnjcM64hD250INy
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2856: ebhcabfbcacde.exe

Loads dropped DLL (10 IoCs)
  pid 2960: 1b2843371dfb8ec5b14ac6497460ea34.exe (3 entries)
  pid 2336: WerFault.exe (7 entries)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid 2336 (WerFault.exe), pid_target 2856, procid_target 28

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2924 wmic.exe, 40 entries (the following 20 tokens, each recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2588 wmic.exe, 20 entries: the same 20 tokens in the same order (SeIncreaseQuotaPrivilege through 35)
  pid 2228 wmic.exe, 4 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege

Suspicious use of WriteProcessMemory (28 IoCs)
  PID 2960 (1b2843371dfb8ec5b14ac6497460ea34.exe) wrote to memory of 2856, procid_target 28 (recorded 4 times)
  PID 2856 (ebhcabfbcacde.exe) wrote to memory of 2924, procid_target 29 (recorded 4 times)
  PID 2856 (ebhcabfbcacde.exe) wrote to memory of 2588, procid_target 32 (recorded 4 times)
  PID 2856 (ebhcabfbcacde.exe) wrote to memory of 2228, procid_target 34 (recorded 4 times)
  PID 2856 (ebhcabfbcacde.exe) wrote to memory of 2472, procid_target 36 (recorded 4 times)
  PID 2856 (ebhcabfbcacde.exe) wrote to memory of 2672, procid_target 38 (recorded 4 times)
  PID 2856 (ebhcabfbcacde.exe) wrote to memory of 2336, procid_target 40 (recorded 4 times)
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\1b2843371dfb8ec5b14ac6497460ea34.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1b2843371dfb8ec5b14ac6497460ea34.exe"
      PID: 2960
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe
        command line: C:\Users\Admin\AppData\Local\Temp\ebhcabfbcacde.exe 6^4^7^5^9^4^5^0^5^3^5 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
        PID: 2856
        signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\Wbem\wmic.exe
          command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get serialnumber
          PID: 2924
          signatures: Suspicious use of AdjustPrivilegeToken
      [3] C:\Windows\SysWOW64\Wbem\wmic.exe
          command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
          PID: 2588
          signatures: Suspicious use of AdjustPrivilegeToken
      [3] C:\Windows\SysWOW64\Wbem\wmic.exe
          command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
          PID: 2228
          signatures: Suspicious use of AdjustPrivilegeToken
      [3] C:\Windows\SysWOW64\Wbem\wmic.exe
          command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
          PID: 2472
      [3] C:\Windows\SysWOW64\Wbem\wmic.exe
          command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703571737.txt bios get version
          PID: 2672
      [3] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 368
          PID: 2336
          signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads