05d7bc7e061609758b0afd0507da23f6fc3d6d264c5ee75b9ecb6c1ba166a765

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04160e1527deb2ecd29feb37ec84febc.exe
Size

576KB
MD5

04160e1527deb2ecd29feb37ec84febc
SHA1

d0d156b126fc45dd47e8cef916e5d7679f7f0a3a
SHA256

05d7bc7e061609758b0afd0507da23f6fc3d6d264c5ee75b9ecb6c1ba166a765
SHA512

6ac7c391604d8d6cea605fc4f1d0eaf0a61a7f9dffbc471cd8ef0e528a62dd77b00b5cd852fa71bc63957a859978f8e1dcb8da83301e8916e2c26d9fc87ec2cf
SSDEEP

12288:VCYNdarpnfmdWpVLXgJqmu2cGIsgZK35B1MEdLlMJZx0gpnDvR:VCYNoFnfmApCPu2BIbKpB1MEdpwZx0gD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	ebicabfbcafh.exe

Loads dropped DLL 2 IoCs

pid	Process
4536	04160e1527deb2ecd29feb37ec84febc.exe
4536	04160e1527deb2ecd29feb37ec84febc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	1680	WerFault.exe	33

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1976	wmic.exe
Token: SeSecurityPrivilege	1976	wmic.exe
Token: SeTakeOwnershipPrivilege	1976	wmic.exe
Token: SeLoadDriverPrivilege	1976	wmic.exe
Token: SeSystemProfilePrivilege	1976	wmic.exe
Token: SeSystemtimePrivilege	1976	wmic.exe
Token: SeProfSingleProcessPrivilege	1976	wmic.exe
Token: SeIncBasePriorityPrivilege	1976	wmic.exe
Token: SeCreatePagefilePrivilege	1976	wmic.exe
Token: SeBackupPrivilege	1976	wmic.exe
Token: SeRestorePrivilege	1976	wmic.exe
Token: SeShutdownPrivilege	1976	wmic.exe
Token: SeDebugPrivilege	1976	wmic.exe
Token: SeSystemEnvironmentPrivilege	1976	wmic.exe
Token: SeRemoteShutdownPrivilege	1976	wmic.exe
Token: SeUndockPrivilege	1976	wmic.exe
Token: SeManageVolumePrivilege	1976	wmic.exe
Token: 33	1976	wmic.exe
Token: 34	1976	wmic.exe
Token: 35	1976	wmic.exe
Token: 36	1976	wmic.exe
Token: SeIncreaseQuotaPrivilege	1976	wmic.exe
Token: SeSecurityPrivilege	1976	wmic.exe
Token: SeTakeOwnershipPrivilege	1976	wmic.exe
Token: SeLoadDriverPrivilege	1976	wmic.exe
Token: SeSystemProfilePrivilege	1976	wmic.exe
Token: SeSystemtimePrivilege	1976	wmic.exe
Token: SeProfSingleProcessPrivilege	1976	wmic.exe
Token: SeIncBasePriorityPrivilege	1976	wmic.exe
Token: SeCreatePagefilePrivilege	1976	wmic.exe
Token: SeBackupPrivilege	1976	wmic.exe
Token: SeRestorePrivilege	1976	wmic.exe
Token: SeShutdownPrivilege	1976	wmic.exe
Token: SeDebugPrivilege	1976	wmic.exe
Token: SeSystemEnvironmentPrivilege	1976	wmic.exe
Token: SeRemoteShutdownPrivilege	1976	wmic.exe
Token: SeUndockPrivilege	1976	wmic.exe
Token: SeManageVolumePrivilege	1976	wmic.exe
Token: 33	1976	wmic.exe
Token: 34	1976	wmic.exe
Token: 35	1976	wmic.exe
Token: 36	1976	wmic.exe
Token: SeIncreaseQuotaPrivilege	4088	wmic.exe
Token: SeSecurityPrivilege	4088	wmic.exe
Token: SeTakeOwnershipPrivilege	4088	wmic.exe
Token: SeLoadDriverPrivilege	4088	wmic.exe
Token: SeSystemProfilePrivilege	4088	wmic.exe
Token: SeSystemtimePrivilege	4088	wmic.exe
Token: SeProfSingleProcessPrivilege	4088	wmic.exe
Token: SeIncBasePriorityPrivilege	4088	wmic.exe
Token: SeCreatePagefilePrivilege	4088	wmic.exe
Token: SeBackupPrivilege	4088	wmic.exe
Token: SeRestorePrivilege	4088	wmic.exe
Token: SeShutdownPrivilege	4088	wmic.exe
Token: SeDebugPrivilege	4088	wmic.exe
Token: SeSystemEnvironmentPrivilege	4088	wmic.exe
Token: SeRemoteShutdownPrivilege	4088	wmic.exe
Token: SeUndockPrivilege	4088	wmic.exe
Token: SeManageVolumePrivilege	4088	wmic.exe
Token: 33	4088	wmic.exe
Token: 34	4088	wmic.exe
Token: 35	4088	wmic.exe
Token: 36	4088	wmic.exe
Token: SeIncreaseQuotaPrivilege	4088	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 1680	4536	04160e1527deb2ecd29feb37ec84febc.exe	33
PID 4536 wrote to memory of 1680	4536	04160e1527deb2ecd29feb37ec84febc.exe	33
PID 4536 wrote to memory of 1680	4536	04160e1527deb2ecd29feb37ec84febc.exe	33
PID 1680 wrote to memory of 1976	1680	ebicabfbcafh.exe	20
PID 1680 wrote to memory of 1976	1680	ebicabfbcafh.exe	20
PID 1680 wrote to memory of 1976	1680	ebicabfbcafh.exe	20
PID 1680 wrote to memory of 4088	1680	ebicabfbcafh.exe	32
PID 1680 wrote to memory of 4088	1680	ebicabfbcafh.exe	32
PID 1680 wrote to memory of 4088	1680	ebicabfbcafh.exe	32
PID 1680 wrote to memory of 1820	1680	ebicabfbcafh.exe	116
PID 1680 wrote to memory of 1820	1680	ebicabfbcafh.exe	116
PID 1680 wrote to memory of 1820	1680	ebicabfbcafh.exe	116
PID 1680 wrote to memory of 1568	1680	ebicabfbcafh.exe	29
PID 1680 wrote to memory of 1568	1680	ebicabfbcafh.exe	29
PID 1680 wrote to memory of 1568	1680	ebicabfbcafh.exe	29
PID 1680 wrote to memory of 4468	1680	ebicabfbcafh.exe	27
PID 1680 wrote to memory of 4468	1680	ebicabfbcafh.exe	27
PID 1680 wrote to memory of 4468	1680	ebicabfbcafh.exe	27

C:\Users\Admin\AppData\Local\Temp\04160e1527deb2ecd29feb37ec84febc.exe
"C:\Users\Admin\AppData\Local\Temp\04160e1527deb2ecd29feb37ec84febc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe
  C:\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe 7)1)2)3)4)4)6)1)9)0)3 KE9HQTktMzItMx0oUlM/TEU+PCcgLEdEUlRLTkVIOz0uHjEubW5rXnRadGtabGM6TmFjbFhnYhkuQkZPUENDNDI0MDAwHSs/Q0M0MB0oT1BMQFE9U1ZJQTYxNDYwLxouSkVPT0RQXFFORjxfdHFpOS0sb25wLTtFUEQsUkxMKTtPRy5GR0VNHSs/Rkg6S0Y9PB4sQC03LCggLD0xOyotHClDKj0qKh8tQTA5JzAXL0EuPCsuHCtKUUZEUjxTXU1ORVBAOlk6GS5OT0tAT0JLX0JOSz86HCtKUUZEUjxTXUs9ST88Fy9CUURdUk5INx8mRVU+XkFKQEhDTTw9HShHTVBQWzxRRldQPlE7MhwrTkc4TkhSTlNcUU5GPBcvU0Y8MB0rQE0wNCAsS1RMUUVJP15ORUk8TktCRUk7RjxVT0U8HixFT1lRTE5RQkxDOnBub2QXL08+U1NPSkVIRlZVUD5RXUE9VU08KSAsQUhCQlQ5Kx8mSVBYQ1dLPUlDQlZFSzxRV01QQT48XWFpbGQeLEBLUU1DTz49XkdNOTMyLSg4NCcxLy0qLis3Fy9RQkxDOi0wLDgqOC0sNS4dK0BJVkVMTDpDXVFFST88Ky8uMS4wLS0xJDUxMDMzLy4nTEkaLkxBOhkuU09IOWJza3AiLGAjL2IhLGVeZXFrLWRmaGEyY1xzaG1ubitfa2ckKWZPbm1SZmlhPm5ubmloYGJKXWpbZlxyXF1kbmlrdR8xXTIvKzEwLy4uLDEpMi8rJDBjYGtxbWNvXl1sX2tdY19xHDJjYGRyMjIhLWVnJTBdMDcwMi8fMS1kIixjMDQzLSwkKTZpHjJiLzI1LjIcMjNnJDFhLSdqcWZkclxzbF5pYR8yW1JiYmxfZGEhLDVdaWlebV9qYSEtY0llZmZgZWI=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 940
    3⤵
    - Program crash
    PID:868

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437852.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437852.txt bios get version
1⤵
PID:4468

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437852.txt bios get version
1⤵
PID:1568

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437852.txt bios get version
1⤵
PID:1820

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437852.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1680 -ip 1680
1⤵
PID:4268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703437852.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703437852.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703437852.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
99KB

MD5
03ebc927a51bf5051032d5d5faf30c06

SHA1
474f9245d1366e67292a2defdb7dd6c9c8e2cae4

SHA256
82d463aea2b768a70089080df0c832b85e3b4da0bfcfce153487c3f5e0fda83f

SHA512
712ae05eb98f3c1df6be5695fdf26a02be3913ecb80878330716e6d4bbd2cd4106938979f7240fa3aa0ee1c13249aee745cfb98640b8310d469ec0de72179dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebicabfbcafh.exe

Filesize
102KB

MD5
1512a512b275669060cb30dfe112a26c

SHA1
8671f0002179027a3320c5cdf63c00e2b0c95edc

SHA256
050f9ff0f2dde9ffc2dc23f0a2fbc2f8b8d724664632596529e71a9b25727496

SHA512
765d9de288c6e5252445f5952eaa0ad5cc7f7c6d4d6687c4c3954c92e9db8c9b5be2824b8f763f16f71a2932ea67da558107c68073e511e2dd85bbf76a9a5ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\fntiv.dll

Filesize
126KB

MD5
bfb847c2716c7903efa8fcf5ecb6ee06

SHA1
bf04cd8df341cec68e75c75cd7452ce8076dfe4a

SHA256
301b48fdcd912d8b07c7e70306082146c7b672af53253e771bff2372a59faca6

SHA512
918b3f2f4fe3f84a328dc3e1dbdd2855b8c11a660e4db612f8fc5942c066b3bed6fe4a7a619a68796db42cb612e7c3b09d28ac4b556dabbadc7573eb1d9ca5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\fntiv.dll

Filesize
77KB

MD5
9a92a5f70a8cf375177b769187f48a73

SHA1
811d919e2fe13e2ae689d9f8b2988657da39d97c

SHA256
7d6f5727a8446c5270b6a5399bcb164725873e5e416a76db9a59230da1cace1d

SHA512
226290b4aeeaf58243a1f32da48daca0d6baf825796e02a91dc3da178ca20f0418c0214bbd0fcb988d6f7d9275fc2fa2bb0f4b830d6eee47f28f4607ca8cc38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit