72c16f2e532119cee4ec7e628082de17428808bb7cb4a21232381979e1fe4785

Analysis

max time kernel
92s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d8721913a84f27d905cfb0489eb281.exe
Size

698KB
MD5

03d8721913a84f27d905cfb0489eb281
SHA1

a8432e312deabc99f8b5ebc2b186b99b58ad95d1
SHA256

72c16f2e532119cee4ec7e628082de17428808bb7cb4a21232381979e1fe4785
SHA512

9fdaebc14a850c8da7f91e4572a1460649d2a7c79c0aeeee4a8087dd199a93382e73f04a2b10f4d1594901bb29746372265fd875558fd96192e77cb2b1675fac
SSDEEP

12288:3faET5LvZnFt554YMCuap1LUfPqoNhNVyAlBNByfgsJhjz3vDSEy+a3JgjgG:3fRZxFtYfCuapgZL3lBNByIsHvveELJH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1384	cbgcabficfc.exe

Loads dropped DLL 2 IoCs

pid	Process
4568	03d8721913a84f27d905cfb0489eb281.exe
4568	03d8721913a84f27d905cfb0489eb281.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3708	1384	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4596	wmic.exe
Token: SeSecurityPrivilege	4596	wmic.exe
Token: SeTakeOwnershipPrivilege	4596	wmic.exe
Token: SeLoadDriverPrivilege	4596	wmic.exe
Token: SeSystemProfilePrivilege	4596	wmic.exe
Token: SeSystemtimePrivilege	4596	wmic.exe
Token: SeProfSingleProcessPrivilege	4596	wmic.exe
Token: SeIncBasePriorityPrivilege	4596	wmic.exe
Token: SeCreatePagefilePrivilege	4596	wmic.exe
Token: SeBackupPrivilege	4596	wmic.exe
Token: SeRestorePrivilege	4596	wmic.exe
Token: SeShutdownPrivilege	4596	wmic.exe
Token: SeDebugPrivilege	4596	wmic.exe
Token: SeSystemEnvironmentPrivilege	4596	wmic.exe
Token: SeRemoteShutdownPrivilege	4596	wmic.exe
Token: SeUndockPrivilege	4596	wmic.exe
Token: SeManageVolumePrivilege	4596	wmic.exe
Token: 33	4596	wmic.exe
Token: 34	4596	wmic.exe
Token: 35	4596	wmic.exe
Token: 36	4596	wmic.exe
Token: SeIncreaseQuotaPrivilege	4596	wmic.exe
Token: SeSecurityPrivilege	4596	wmic.exe
Token: SeTakeOwnershipPrivilege	4596	wmic.exe
Token: SeLoadDriverPrivilege	4596	wmic.exe
Token: SeSystemProfilePrivilege	4596	wmic.exe
Token: SeSystemtimePrivilege	4596	wmic.exe
Token: SeProfSingleProcessPrivilege	4596	wmic.exe
Token: SeIncBasePriorityPrivilege	4596	wmic.exe
Token: SeCreatePagefilePrivilege	4596	wmic.exe
Token: SeBackupPrivilege	4596	wmic.exe
Token: SeRestorePrivilege	4596	wmic.exe
Token: SeShutdownPrivilege	4596	wmic.exe
Token: SeDebugPrivilege	4596	wmic.exe
Token: SeSystemEnvironmentPrivilege	4596	wmic.exe
Token: SeRemoteShutdownPrivilege	4596	wmic.exe
Token: SeUndockPrivilege	4596	wmic.exe
Token: SeManageVolumePrivilege	4596	wmic.exe
Token: 33	4596	wmic.exe
Token: 34	4596	wmic.exe
Token: 35	4596	wmic.exe
Token: 36	4596	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe
Token: SeSystemProfilePrivilege	2576	wmic.exe
Token: SeSystemtimePrivilege	2576	wmic.exe
Token: SeProfSingleProcessPrivilege	2576	wmic.exe
Token: SeIncBasePriorityPrivilege	2576	wmic.exe
Token: SeCreatePagefilePrivilege	2576	wmic.exe
Token: SeBackupPrivilege	2576	wmic.exe
Token: SeRestorePrivilege	2576	wmic.exe
Token: SeShutdownPrivilege	2576	wmic.exe
Token: SeDebugPrivilege	2576	wmic.exe
Token: SeSystemEnvironmentPrivilege	2576	wmic.exe
Token: SeRemoteShutdownPrivilege	2576	wmic.exe
Token: SeUndockPrivilege	2576	wmic.exe
Token: SeManageVolumePrivilege	2576	wmic.exe
Token: 33	2576	wmic.exe
Token: 34	2576	wmic.exe
Token: 35	2576	wmic.exe
Token: 36	2576	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 1384	4568	03d8721913a84f27d905cfb0489eb281.exe	87
PID 4568 wrote to memory of 1384	4568	03d8721913a84f27d905cfb0489eb281.exe	87
PID 4568 wrote to memory of 1384	4568	03d8721913a84f27d905cfb0489eb281.exe	87
PID 1384 wrote to memory of 4596	1384	cbgcabficfc.exe	89
PID 1384 wrote to memory of 4596	1384	cbgcabficfc.exe	89
PID 1384 wrote to memory of 4596	1384	cbgcabficfc.exe	89
PID 1384 wrote to memory of 2576	1384	cbgcabficfc.exe	95
PID 1384 wrote to memory of 2576	1384	cbgcabficfc.exe	95
PID 1384 wrote to memory of 2576	1384	cbgcabficfc.exe	95
PID 1384 wrote to memory of 1592	1384	cbgcabficfc.exe	96
PID 1384 wrote to memory of 1592	1384	cbgcabficfc.exe	96
PID 1384 wrote to memory of 1592	1384	cbgcabficfc.exe	96
PID 1384 wrote to memory of 4504	1384	cbgcabficfc.exe	99
PID 1384 wrote to memory of 4504	1384	cbgcabficfc.exe	99
PID 1384 wrote to memory of 4504	1384	cbgcabficfc.exe	99
PID 1384 wrote to memory of 1864	1384	cbgcabficfc.exe	101
PID 1384 wrote to memory of 1864	1384	cbgcabficfc.exe	101
PID 1384 wrote to memory of 1864	1384	cbgcabficfc.exe	101

C:\Users\Admin\AppData\Local\Temp\03d8721913a84f27d905cfb0489eb281.exe
"C:\Users\Admin\AppData\Local\Temp\03d8721913a84f27d905cfb0489eb281.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe
  C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe 5-9-5-4-5-7-6-5-3-4-7 KkdEQDgqMSwxNBkqSlA+S0I+OC0cKEk8T1NKS0VEQTkqGyY/RU5NQz86LiwrLiscKjxDPzosGSpHTUs/Tj1PXEU9OCktLjEpGipQQUtRPE1bUEtGOGVwbWsxKituXmxxK3BhYCRcbGsmXlxxXSdkZWFrGyg9R0Y/REQ7OBwqPSs4Ki0ZKjstOSgqGipBLzYoKBsrPy03KC4cKD8sOCksGSlLT0s9UDpPW0tLQ1E+P1I4FypMTUg+UEBQWEBMRz04GSlLT0s9UDpPW0k6R0A6TEtKO1A/T1hIPEpBGSo8U0FaTkxHOhwoQE9AWz5GPkdGSj44FypESkxOWj9OSFJKQE44KxoqUUQ6SUJUS1BYT01JORkqTUg5LRkpP1AtNhsmTVFJTUNIQltQQEM+S0g+Q0g+Qz5QSUc5GyhDTlxOTklLRElANm5tcmEZKklAUFBLSERLQ1hQSkBOWj07VFA5KxsmQ0U/PlI4LhwoREpaQFRHO0hGP1hART5OVElOQEE5X1xjbmEbKD5KVEpFSjg/W0RJNzI2KioyJykxMCcrMDQcKE9ASEE4Ki4tMSwyMyw0MxsoPkpUSkVKOD9bT0JHQDouKCwtKi4rKi8lLzYuMTEuMyVJRw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437204.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437204.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437204.txt bios get version
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437204.txt bios get version
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703437204.txt bios get version
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 864
    3⤵
    - Program crash
    PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1384 -ip 1384
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703437204.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703437204.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703437204.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
1007KB

MD5
5285fdd9723e446fbef0d516e6c92c72

SHA1
8575ee9d7dd7df32fe3b500ea0d99cec1d09d8cb

SHA256
8fe9ada0595935329b64f1dc133be68891c29212033fbb1e5b0ec8ee8c582352

SHA512
7572f7995310af15e4673d739fcbde75430ea5359819690568009cd053d2b784c8a985f1305ff86bae29eef3757ecdb6f61a6d5f0bebe08a5517809b7825434c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgcabficfc.exe

Filesize
1.0MB

MD5
04fa9d4dfa4d82d948e74402a35436d5

SHA1
ed99af71c2d11de0307b1e6a292d601bc717c86a

SHA256
b32e4f0864ff469e18d67ce5b04a9e11864d0aba3633b429c2bb9ddb76215548

SHA512
2b45156874b49e9c7ff49172f606bc4d7fbc908445121a2d2d0325bc76f65bff9457fca55ebbc4a05ce51644bb2c55c9a4374aafe8be2c30fb02abc76c1c125f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu52A5.tmp\koi.dll

Filesize
120KB

MD5
ff3ac96d9d128501b224b26ad4b85486

SHA1
ce85c8ee340921b8660f6ad14b5429b3703b6bf5

SHA256
44b5ee3459781f5ca44873c738ca16b050b4101c49dcf8b0da556775be189963

SHA512
a2ab56bf0de5075817a600bb4cca472e82b8f207f5fbd886bbab3e4a8a58b7ed9acc180bbbd3c5646b9c52189962be468dc30fb48f66ade6aa87d3ec8f61e42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu52A5.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit