05d7bc7e061609758b0afd0507da23f6fc3d6d264c5ee75b9ecb6c1ba166a765

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 15:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04160e1527deb2ecd29feb37ec84febc.exe
Size

576KB
MD5

04160e1527deb2ecd29feb37ec84febc
SHA1

d0d156b126fc45dd47e8cef916e5d7679f7f0a3a
SHA256

05d7bc7e061609758b0afd0507da23f6fc3d6d264c5ee75b9ecb6c1ba166a765
SHA512

6ac7c391604d8d6cea605fc4f1d0eaf0a61a7f9dffbc471cd8ef0e528a62dd77b00b5cd852fa71bc63957a859978f8e1dcb8da83301e8916e2c26d9fc87ec2cf
SSDEEP

12288:VCYNdarpnfmdWpVLXgJqmu2cGIsgZK35B1MEdLlMJZx0gpnDvR:VCYNoFnfmApCPu2BIbKpB1MEdpwZx0gD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	ebicabfbcafh.exe

Loads dropped DLL 10 IoCs

pid	Process
2356	04160e1527deb2ecd29feb37ec84febc.exe
2356	04160e1527deb2ecd29feb37ec84febc.exe
2356	04160e1527deb2ecd29feb37ec84febc.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	2920	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2532	wmic.exe
Token: SeSecurityPrivilege	2532	wmic.exe
Token: SeTakeOwnershipPrivilege	2532	wmic.exe
Token: SeLoadDriverPrivilege	2532	wmic.exe
Token: SeSystemProfilePrivilege	2532	wmic.exe
Token: SeSystemtimePrivilege	2532	wmic.exe
Token: SeProfSingleProcessPrivilege	2532	wmic.exe
Token: SeIncBasePriorityPrivilege	2532	wmic.exe
Token: SeCreatePagefilePrivilege	2532	wmic.exe
Token: SeBackupPrivilege	2532	wmic.exe
Token: SeRestorePrivilege	2532	wmic.exe
Token: SeShutdownPrivilege	2532	wmic.exe
Token: SeDebugPrivilege	2532	wmic.exe
Token: SeSystemEnvironmentPrivilege	2532	wmic.exe
Token: SeRemoteShutdownPrivilege	2532	wmic.exe
Token: SeUndockPrivilege	2532	wmic.exe
Token: SeManageVolumePrivilege	2532	wmic.exe
Token: 33	2532	wmic.exe
Token: 34	2532	wmic.exe
Token: 35	2532	wmic.exe
Token: SeIncreaseQuotaPrivilege	2532	wmic.exe
Token: SeSecurityPrivilege	2532	wmic.exe
Token: SeTakeOwnershipPrivilege	2532	wmic.exe
Token: SeLoadDriverPrivilege	2532	wmic.exe
Token: SeSystemProfilePrivilege	2532	wmic.exe
Token: SeSystemtimePrivilege	2532	wmic.exe
Token: SeProfSingleProcessPrivilege	2532	wmic.exe
Token: SeIncBasePriorityPrivilege	2532	wmic.exe
Token: SeCreatePagefilePrivilege	2532	wmic.exe
Token: SeBackupPrivilege	2532	wmic.exe
Token: SeRestorePrivilege	2532	wmic.exe
Token: SeShutdownPrivilege	2532	wmic.exe
Token: SeDebugPrivilege	2532	wmic.exe
Token: SeSystemEnvironmentPrivilege	2532	wmic.exe
Token: SeRemoteShutdownPrivilege	2532	wmic.exe
Token: SeUndockPrivilege	2532	wmic.exe
Token: SeManageVolumePrivilege	2532	wmic.exe
Token: 33	2532	wmic.exe
Token: 34	2532	wmic.exe
Token: 35	2532	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2920	2356	04160e1527deb2ecd29feb37ec84febc.exe	28
PID 2356 wrote to memory of 2920	2356	04160e1527deb2ecd29feb37ec84febc.exe	28
PID 2356 wrote to memory of 2920	2356	04160e1527deb2ecd29feb37ec84febc.exe	28
PID 2356 wrote to memory of 2920	2356	04160e1527deb2ecd29feb37ec84febc.exe	28
PID 2920 wrote to memory of 2532	2920	ebicabfbcafh.exe	29
PID 2920 wrote to memory of 2532	2920	ebicabfbcafh.exe	29
PID 2920 wrote to memory of 2532	2920	ebicabfbcafh.exe	29
PID 2920 wrote to memory of 2532	2920	ebicabfbcafh.exe	29
PID 2920 wrote to memory of 2708	2920	ebicabfbcafh.exe	32
PID 2920 wrote to memory of 2708	2920	ebicabfbcafh.exe	32
PID 2920 wrote to memory of 2708	2920	ebicabfbcafh.exe	32
PID 2920 wrote to memory of 2708	2920	ebicabfbcafh.exe	32
PID 2920 wrote to memory of 2808	2920	ebicabfbcafh.exe	34
PID 2920 wrote to memory of 2808	2920	ebicabfbcafh.exe	34
PID 2920 wrote to memory of 2808	2920	ebicabfbcafh.exe	34
PID 2920 wrote to memory of 2808	2920	ebicabfbcafh.exe	34
PID 2920 wrote to memory of 2488	2920	ebicabfbcafh.exe	36
PID 2920 wrote to memory of 2488	2920	ebicabfbcafh.exe	36
PID 2920 wrote to memory of 2488	2920	ebicabfbcafh.exe	36
PID 2920 wrote to memory of 2488	2920	ebicabfbcafh.exe	36
PID 2920 wrote to memory of 2456	2920	ebicabfbcafh.exe	38
PID 2920 wrote to memory of 2456	2920	ebicabfbcafh.exe	38
PID 2920 wrote to memory of 2456	2920	ebicabfbcafh.exe	38
PID 2920 wrote to memory of 2456	2920	ebicabfbcafh.exe	38
PID 2920 wrote to memory of 2956	2920	ebicabfbcafh.exe	40
PID 2920 wrote to memory of 2956	2920	ebicabfbcafh.exe	40
PID 2920 wrote to memory of 2956	2920	ebicabfbcafh.exe	40
PID 2920 wrote to memory of 2956	2920	ebicabfbcafh.exe	40

C:\Users\Admin\AppData\Local\Temp\04160e1527deb2ecd29feb37ec84febc.exe
"C:\Users\Admin\AppData\Local\Temp\04160e1527deb2ecd29feb37ec84febc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe
  C:\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe 7)1)2)3)4)4)6)1)9)0)3 KE9HQTktMzItMx0oUlM/TEU+PCcgLEdEUlRLTkVIOz0uHjEubW5rXnRadGtabGM6TmFjbFhnYhkuQkZPUENDNDI0MDAwHSs/Q0M0MB0oT1BMQFE9U1ZJQTYxNDYwLxouSkVPT0RQXFFORjxfdHFpOS0sb25wLTtFUEQsUkxMKTtPRy5GR0VNHSs/Rkg6S0Y9PB4sQC03LCggLD0xOyotHClDKj0qKh8tQTA5JzAXL0EuPCsuHCtKUUZEUjxTXU1ORVBAOlk6GS5OT0tAT0JLX0JOSz86HCtKUUZEUjxTXUs9ST88Fy9CUURdUk5INx8mRVU+XkFKQEhDTTw9HShHTVBQWzxRRldQPlE7MhwrTkc4TkhSTlNcUU5GPBcvU0Y8MB0rQE0wNCAsS1RMUUVJP15ORUk8TktCRUk7RjxVT0U8HixFT1lRTE5RQkxDOnBub2QXL08+U1NPSkVIRlZVUD5RXUE9VU08KSAsQUhCQlQ5Kx8mSVBYQ1dLPUlDQlZFSzxRV01QQT48XWFpbGQeLEBLUU1DTz49XkdNOTMyLSg4NCcxLy0qLis3Fy9RQkxDOi0wLDgqOC0sNS4dK0BJVkVMTDpDXVFFST88Ky8uMS4wLS0xJDUxMDMzLy4nTEkaLkxBOhkuU09IOWJza3AiLGAjL2IhLGVeZXFrLWRmaGEyY1xzaG1ubitfa2ckKWZPbm1SZmlhPm5ubmloYGJKXWpbZlxyXF1kbmlrdR8xXTIvKzEwLy4uLDEpMi8rJDBjYGtxbWNvXl1sX2tdY19xHDJjYGRyMjIhLWVnJTBdMDcwMi8fMS1kIixjMDQzLSwkKTZpHjJiLzI1LjIcMjNnJDFhLSdqcWZkclxzbF5pYR8yW1JiYmxfZGEhLDVdaWlebV9qYSEtY0llZmZgZWI=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437924.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437924.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437924.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437924.txt bios get version
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437924.txt bios get version
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703437924.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
764KB

MD5
569b95d9f1e42aff069d81ea9538e453

SHA1
5c1e66936e5ee1a3342c89477a438988c938f716

SHA256
3a739e02259240b115465c424b167cf9613938ed9f76527a8a3583badead17e7

SHA512
8d0985f3dc43ebbe992b05589c4355ca8a674017b3ea7d6a3a94e57e0527ee57d5c485214ed3bf1905aa4b65ff174e7cbb3e84fb871fcea797e4877e003e6b9c

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
512KB

MD5
91027771b36a68a11ff4a55ab27044aa

SHA1
3f22e2f84d0950b7c15a658b46467018895b16a9

SHA256
a18a89ba8bf27b8c905a5acae62219992101b5a501b1521787082550d215a54f

SHA512
097c9e92fa435bc1e2cea21249cda38681db13adaa50c0fd47e7dfdaec06405cdef8d2ccd1bd3a32fcbf1b963a436d9cec681c502b03d813b21d4caa775cacfa

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
599KB

MD5
6ca74a580588a4bc88e3add1e076d4a7

SHA1
71f96345e4e0748af8c0110f4f91268c4650575d

SHA256
175758a85a487fd806e82e2a3693af41e5d1e20b27ba1e5b99627a34766e1fa6

SHA512
ba14cee2d67598da40a5425617b554193e8f673b8006dd2d85b53e02a5369f0393b5f48c673e29b4338bcfbdb8d940e6861d343f1fcee1a4a5ffdf033407756c

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
513KB

MD5
515948f48ccfcca7a73c07f440bf7333

SHA1
87be5e619dd333e9cb3d81c6ce221b0888255967

SHA256
c26897c8657617ec46fb58fb8ec33eb9796ff8f5864abad7cd1188c8a8309648

SHA512
c829f68f59c132a1df2d118ef93098b6b3eb927b4f6d2cf34a232d67579a19f3d04ac2e34c1df5ca93060874e12639e192a829dc693a4c888aa982de3aab0092

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
641KB

MD5
2f7359cd3d864f29c8af4514d0da6001

SHA1
c36fc955f07f0f03abaaf463f8d6e0b45dd8258c

SHA256
5f77603017c9e5e8d45b102347c065646eea2633084577d80f85d5f256c10b27

SHA512
dd56166ea2deb4a0cd0b0282d3b37c0c5dce16131ca3c86c16822951f500557d1a40263b56f1a789fcab330716c1f9ef91818bc2247f6a9bc430ed0311713f08

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
633KB

MD5
9808dbd1f8bd19e4bb42a45cc76ed5d7

SHA1
795c6d7d6399c6d5673b96da7e3b91a8aab14e2f

SHA256
5d2e9d06eb7840ce3ea62c17212d2a502d7680dcfb3fcc65f763e644be8f91c9

SHA512
5bb91da4d6e830b8ccf49c3cfdc32e33de73753bd2bbe9654a20bed5e43e87b416ba0553d45137ecef67103b31598e2dda1873849feb8eb80c5932f7eee2b6f4

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
595KB

MD5
da79ef83eef390c5462e06464758a382

SHA1
2416ee41445647c44eb68f7a882e5910ca065c7d

SHA256
e5f6522eb761375d06f03b1f80453543f4cf13754485106a123d0d9c07c46c8e

SHA512
5818657931f36aed5e74c0ed51b6ef2e31ddd2d3a5b9b8e5407f21b2da6694cfdd9343606897b9b06c3c3fb25ee68a23c4d453040a4e18e773946b74f2b2c6dd

Download Submit
\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
464KB

MD5
6010ebd6d4e5b59b8d0c5f4624440486

SHA1
6005ac18ada7f9c122a94d2d15bd092bbbd7aeb5

SHA256
421779fb01aaf22678aad342867884cc5b9ccb25dae8c3fb5b3ac6345a1167b9

SHA512
982195616c4a2e33e9cc973f39abe8d782f614a2a6d450af583889aef44677726bed271a794639639fb43ca0cc1eb6eeb01d5087d1efcba65aa99b0becc6856b

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AB3.tmp\fntiv.dll

Filesize
126KB

MD5
bfb847c2716c7903efa8fcf5ecb6ee06

SHA1
bf04cd8df341cec68e75c75cd7452ce8076dfe4a

SHA256
301b48fdcd912d8b07c7e70306082146c7b672af53253e771bff2372a59faca6

SHA512
918b3f2f4fe3f84a328dc3e1dbdd2855b8c11a660e4db612f8fc5942c066b3bed6fe4a7a619a68796db42cb612e7c3b09d28ac4b556dabbadc7573eb1d9ca5d0

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AB3.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit