72c16f2e532119cee4ec7e628082de17428808bb7cb4a21232381979e1fe4785

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d8721913a84f27d905cfb0489eb281.exe
Size

698KB
MD5

03d8721913a84f27d905cfb0489eb281
SHA1

a8432e312deabc99f8b5ebc2b186b99b58ad95d1
SHA256

72c16f2e532119cee4ec7e628082de17428808bb7cb4a21232381979e1fe4785
SHA512

9fdaebc14a850c8da7f91e4572a1460649d2a7c79c0aeeee4a8087dd199a93382e73f04a2b10f4d1594901bb29746372265fd875558fd96192e77cb2b1675fac
SSDEEP

12288:3faET5LvZnFt554YMCuap1LUfPqoNhNVyAlBNByfgsJhjz3vDSEy+a3JgjgG:3fRZxFtYfCuapgZL3lBNByIsHvveELJH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	cbgcabficfc.exe

Loads dropped DLL 10 IoCs

pid	Process
2612	03d8721913a84f27d905cfb0489eb281.exe
2612	03d8721913a84f27d905cfb0489eb281.exe
2612	03d8721913a84f27d905cfb0489eb281.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2948	2680	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe
Token: SeSystemProfilePrivilege	2808	wmic.exe
Token: SeSystemtimePrivilege	2808	wmic.exe
Token: SeProfSingleProcessPrivilege	2808	wmic.exe
Token: SeIncBasePriorityPrivilege	2808	wmic.exe
Token: SeCreatePagefilePrivilege	2808	wmic.exe
Token: SeBackupPrivilege	2808	wmic.exe
Token: SeRestorePrivilege	2808	wmic.exe
Token: SeShutdownPrivilege	2808	wmic.exe
Token: SeDebugPrivilege	2808	wmic.exe
Token: SeSystemEnvironmentPrivilege	2808	wmic.exe
Token: SeRemoteShutdownPrivilege	2808	wmic.exe
Token: SeUndockPrivilege	2808	wmic.exe
Token: SeManageVolumePrivilege	2808	wmic.exe
Token: 33	2808	wmic.exe
Token: 34	2808	wmic.exe
Token: 35	2808	wmic.exe
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe
Token: SeSystemProfilePrivilege	2808	wmic.exe
Token: SeSystemtimePrivilege	2808	wmic.exe
Token: SeProfSingleProcessPrivilege	2808	wmic.exe
Token: SeIncBasePriorityPrivilege	2808	wmic.exe
Token: SeCreatePagefilePrivilege	2808	wmic.exe
Token: SeBackupPrivilege	2808	wmic.exe
Token: SeRestorePrivilege	2808	wmic.exe
Token: SeShutdownPrivilege	2808	wmic.exe
Token: SeDebugPrivilege	2808	wmic.exe
Token: SeSystemEnvironmentPrivilege	2808	wmic.exe
Token: SeRemoteShutdownPrivilege	2808	wmic.exe
Token: SeUndockPrivilege	2808	wmic.exe
Token: SeManageVolumePrivilege	2808	wmic.exe
Token: 33	2808	wmic.exe
Token: 34	2808	wmic.exe
Token: 35	2808	wmic.exe
Token: SeIncreaseQuotaPrivilege	2560	wmic.exe
Token: SeSecurityPrivilege	2560	wmic.exe
Token: SeTakeOwnershipPrivilege	2560	wmic.exe
Token: SeLoadDriverPrivilege	2560	wmic.exe
Token: SeSystemProfilePrivilege	2560	wmic.exe
Token: SeSystemtimePrivilege	2560	wmic.exe
Token: SeProfSingleProcessPrivilege	2560	wmic.exe
Token: SeIncBasePriorityPrivilege	2560	wmic.exe
Token: SeCreatePagefilePrivilege	2560	wmic.exe
Token: SeBackupPrivilege	2560	wmic.exe
Token: SeRestorePrivilege	2560	wmic.exe
Token: SeShutdownPrivilege	2560	wmic.exe
Token: SeDebugPrivilege	2560	wmic.exe
Token: SeSystemEnvironmentPrivilege	2560	wmic.exe
Token: SeRemoteShutdownPrivilege	2560	wmic.exe
Token: SeUndockPrivilege	2560	wmic.exe
Token: SeManageVolumePrivilege	2560	wmic.exe
Token: 33	2560	wmic.exe
Token: 34	2560	wmic.exe
Token: 35	2560	wmic.exe
Token: SeIncreaseQuotaPrivilege	2560	wmic.exe
Token: SeSecurityPrivilege	2560	wmic.exe
Token: SeTakeOwnershipPrivilege	2560	wmic.exe
Token: SeLoadDriverPrivilege	2560	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2612 wrote to memory of 2680	2612	03d8721913a84f27d905cfb0489eb281.exe	27
PID 2680 wrote to memory of 2808	2680	cbgcabficfc.exe	16
PID 2680 wrote to memory of 2808	2680	cbgcabficfc.exe	16
PID 2680 wrote to memory of 2808	2680	cbgcabficfc.exe	16
PID 2680 wrote to memory of 2808	2680	cbgcabficfc.exe	16
PID 2680 wrote to memory of 2560	2680	cbgcabficfc.exe	19
PID 2680 wrote to memory of 2560	2680	cbgcabficfc.exe	19
PID 2680 wrote to memory of 2560	2680	cbgcabficfc.exe	19
PID 2680 wrote to memory of 2560	2680	cbgcabficfc.exe	19
PID 2680 wrote to memory of 1668	2680	cbgcabficfc.exe	26
PID 2680 wrote to memory of 1668	2680	cbgcabficfc.exe	26
PID 2680 wrote to memory of 1668	2680	cbgcabficfc.exe	26
PID 2680 wrote to memory of 1668	2680	cbgcabficfc.exe	26
PID 2680 wrote to memory of 2076	2680	cbgcabficfc.exe	25
PID 2680 wrote to memory of 2076	2680	cbgcabficfc.exe	25
PID 2680 wrote to memory of 2076	2680	cbgcabficfc.exe	25
PID 2680 wrote to memory of 2076	2680	cbgcabficfc.exe	25
PID 2680 wrote to memory of 2408	2680	cbgcabficfc.exe	23
PID 2680 wrote to memory of 2408	2680	cbgcabficfc.exe	23
PID 2680 wrote to memory of 2408	2680	cbgcabficfc.exe	23
PID 2680 wrote to memory of 2408	2680	cbgcabficfc.exe	23
PID 2680 wrote to memory of 2948	2680	cbgcabficfc.exe	22
PID 2680 wrote to memory of 2948	2680	cbgcabficfc.exe	22
PID 2680 wrote to memory of 2948	2680	cbgcabficfc.exe	22
PID 2680 wrote to memory of 2948	2680	cbgcabficfc.exe	22

C:\Users\Admin\AppData\Local\Temp\03d8721913a84f27d905cfb0489eb281.exe
"C:\Users\Admin\AppData\Local\Temp\03d8721913a84f27d905cfb0489eb281.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe
  C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe 5-9-5-4-5-7-6-5-3-4-7 KkdEQDgqMSwxNBkqSlA+S0I+OC0cKEk8T1NKS0VEQTkqGyY/RU5NQz86LiwrLiscKjxDPzosGSpHTUs/Tj1PXEU9OCktLjEpGipQQUtRPE1bUEtGOGVwbWsxKituXmxxK3BhYCRcbGsmXlxxXSdkZWFrGyg9R0Y/REQ7OBwqPSs4Ki0ZKjstOSgqGipBLzYoKBsrPy03KC4cKD8sOCksGSlLT0s9UDpPW0tLQ1E+P1I4FypMTUg+UEBQWEBMRz04GSlLT0s9UDpPW0k6R0A6TEtKO1A/T1hIPEpBGSo8U0FaTkxHOhwoQE9AWz5GPkdGSj44FypESkxOWj9OSFJKQE44KxoqUUQ6SUJUS1BYT01JORkqTUg5LRkpP1AtNhsmTVFJTUNIQltQQEM+S0g+Q0g+Qz5QSUc5GyhDTlxOTklLRElANm5tcmEZKklAUFBLSERLQ1hQSkBOWj07VFA5KxsmQ0U/PlI4LhwoREpaQFRHO0hGP1hART5OVElOQEE5X1xjbmEbKD5KVEpFSjg/W0RJNzI2KioyJykxMCcrMDQcKE9ASEE4Ki4tMSwyMyw0MxsoPkpUSkVKOD9bT0JHQDouKCwtKi4rKi8lLzYuMTEuMyVJRw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437232.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437232.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2948

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437232.txt bios get version
1⤵
PID:2408

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437232.txt bios get version
1⤵
PID:2076

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437232.txt bios get version
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703437232.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703437232.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703437232.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
333KB

MD5
f3a41a73812fcee42f2065f5c908e614

SHA1
48d96b3f92f09c609623b5d41335cb8b1b0ba0b7

SHA256
c1344196155f35bdac8326becc5a59f23125e31391abd4ab6c154130a732dc4e

SHA512
1798bf11a7b69b0ab1bd5166d47b97765104362ae1c4a8d9482e56c1ca674d88b8099bb8422e8fbfb0ed413a540df9d4f4ce9e4f6b0c960622007aa6e53a77ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst24E0.tmp\koi.dll

Filesize
62KB

MD5
dbfad75d63d726684d2339842732f49d

SHA1
f9636ddea7ab28010f7b9a945bb6d5ab9a3d39d8

SHA256
282a05303d3b637864757d129bff7fab3b0a6ac19a9f51531e3976ec44781bd9

SHA512
df1594b6ae4347864d631d4bf1de6e8ed8703cee5708d48a1cb13197e255a00047d3fe412886d6a6debce8619a29a047fc71fa7e275e7c85877bbaf35f9c0cf5

Download Submit
\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
57KB

MD5
39ff5e32c7912ab009cf38ad57f47d01

SHA1
41133fd396357119b558c9642c9aefbf1e7a26c3

SHA256
6b9c25b1e26c7d42b1e8bfb7abd4c82d6f499c985148a5d67ba62b54518750f4

SHA512
38cce352921d0237b26688d878825c49e88fc70be8c1c438623a7b0b36cffafe381be4b369c7a6a38662f4fbe7a5fd952903bc837440916dc5b9e2924e86aa36

Download Submit
\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
204KB

MD5
2b011a352d68350002872eb832c24f3c

SHA1
7c144b7a9754371d1e3eca7f2467f69e2ff76db3

SHA256
6fe7383231a3f57b8f210e4b33c488cbb21371614bfe23c26789d3ca47a74b2d

SHA512
dc8cc2a692f1ab499100f722a2d08989bfeee8e65242603c12960d6264ee0cc130b70e665fce152fa99cfe0af7dde56cc1e020d322b56351d8af3349b233f796

Download Submit
\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
304KB

MD5
e697cbf7ef3903b0429b4412e9fca314

SHA1
6751875012c5d7b47ba899c9336247119712a79e

SHA256
3fb772a5e8a003d3f9abbc27086c571e02c999a7ddb610e3dee389048f3f3d0b

SHA512
8f04afcf01f54a69d4d2ae2409abea86f0ad63f1bcfb056e4e40ff1f1982df02b18f30c7a6b94c2feaec4934537918cdad601636588d2b7dfb362e6cd1147199

Download Submit
\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
1KB

MD5
bcb0c8241660d0d0048b045d8403024d

SHA1
07f54f77b6b64cc781bf86fbe89c52131a47a81b

SHA256
403d6e2534cd4bd2d461d2cb79938ec792e357c551605b73b4102ba0914fd27d

SHA512
8e971df27a36282d5c1aaf18148b2b2d7cdfcd065b430ce9c11ba46fc131068bdc0fc3138a90993e9a970e3acc6e7a336b67774495061e04a06d4497005ed02d

Download Submit
\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
4KB

MD5
a8401924e93acf939a927dbc8526f775

SHA1
963688b3e8dddb6e5f67a0ffbecb4246cb030a50

SHA256
ab99f49384be324d46d5e9eac98a7d20c5408fa8a4e55220447d13a3fc177730

SHA512
f3d72048c49af73a356081f31e55c1e90cd345d0dbd54b0c7c4090d23fc6f4976c9c7350ebeb2ebdf14fdc96f1ac45dc9cccc61cc37681b79a5407915bb097be

Download Submit
\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
35KB

MD5
61125c2688906ba33f5830e8cea5afb2

SHA1
164451f570a0ce22e6dff8af12edb1d17e7c5382

SHA256
f2f74d92afd0a4d38d21490ae5d3cccc55571462cc5fadacb128acb10217a94a

SHA512
23f4879011244fe3ee66dd3d4c0b9945e4b66f2c620e64502b3139e5194883bcad65c59665d8a51f0f646832f15d0d764aae76a504f3b5c2a6aa08f43daa6c1c

Download Submit
\Users\Admin\AppData\Local\Temp\nst24E0.tmp\koi.dll

Filesize
120KB

MD5
ff3ac96d9d128501b224b26ad4b85486

SHA1
ce85c8ee340921b8660f6ad14b5429b3703b6bf5

SHA256
44b5ee3459781f5ca44873c738ca16b050b4101c49dcf8b0da556775be189963

SHA512
a2ab56bf0de5075817a600bb4cca472e82b8f207f5fbd886bbab3e4a8a58b7ed9acc180bbbd3c5646b9c52189962be468dc30fb48f66ade6aa87d3ec8f61e42f

Download Submit
\Users\Admin\AppData\Local\Temp\nst24E0.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit