15f2d3d74c265cd73e1ec541b91bdcaca954a60a61bb07e5aa0424d60738c881

Analysis

max time kernel
121s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0739aa5a4712b1e887cdc4af3d492ea5.exe
Size

576KB
MD5

0739aa5a4712b1e887cdc4af3d492ea5
SHA1

d0ef4f44527394e840a02e6c4b29bf45d357f4f7
SHA256

15f2d3d74c265cd73e1ec541b91bdcaca954a60a61bb07e5aa0424d60738c881
SHA512

a9f46249355bd443c538bb370c03c4643a5e507f4955d5b4ff7ce00c92d10c2a5eb508b04bacbd8bd274215c64a1f39427c6ff4746220f9b2d77d545820eff2f
SSDEEP

12288:Zh4frUfFxboTc7cpH3cY9Q30Wt58iKN4APAMG+UTwU:Zh4DUdCT4cF3X9Q3X8pYM3wX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	eecabfbcacbb.exe

Loads dropped DLL 10 IoCs

pid	Process
1616	0739aa5a4712b1e887cdc4af3d492ea5.exe
1616	0739aa5a4712b1e887cdc4af3d492ea5.exe
1616	0739aa5a4712b1e887cdc4af3d492ea5.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
476	2816	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2992	wmic.exe
Token: SeSecurityPrivilege	2992	wmic.exe
Token: SeTakeOwnershipPrivilege	2992	wmic.exe
Token: SeLoadDriverPrivilege	2992	wmic.exe
Token: SeSystemProfilePrivilege	2992	wmic.exe
Token: SeSystemtimePrivilege	2992	wmic.exe
Token: SeProfSingleProcessPrivilege	2992	wmic.exe
Token: SeIncBasePriorityPrivilege	2992	wmic.exe
Token: SeCreatePagefilePrivilege	2992	wmic.exe
Token: SeBackupPrivilege	2992	wmic.exe
Token: SeRestorePrivilege	2992	wmic.exe
Token: SeShutdownPrivilege	2992	wmic.exe
Token: SeDebugPrivilege	2992	wmic.exe
Token: SeSystemEnvironmentPrivilege	2992	wmic.exe
Token: SeRemoteShutdownPrivilege	2992	wmic.exe
Token: SeUndockPrivilege	2992	wmic.exe
Token: SeManageVolumePrivilege	2992	wmic.exe
Token: 33	2992	wmic.exe
Token: 34	2992	wmic.exe
Token: 35	2992	wmic.exe
Token: SeIncreaseQuotaPrivilege	2992	wmic.exe
Token: SeSecurityPrivilege	2992	wmic.exe
Token: SeTakeOwnershipPrivilege	2992	wmic.exe
Token: SeLoadDriverPrivilege	2992	wmic.exe
Token: SeSystemProfilePrivilege	2992	wmic.exe
Token: SeSystemtimePrivilege	2992	wmic.exe
Token: SeProfSingleProcessPrivilege	2992	wmic.exe
Token: SeIncBasePriorityPrivilege	2992	wmic.exe
Token: SeCreatePagefilePrivilege	2992	wmic.exe
Token: SeBackupPrivilege	2992	wmic.exe
Token: SeRestorePrivilege	2992	wmic.exe
Token: SeShutdownPrivilege	2992	wmic.exe
Token: SeDebugPrivilege	2992	wmic.exe
Token: SeSystemEnvironmentPrivilege	2992	wmic.exe
Token: SeRemoteShutdownPrivilege	2992	wmic.exe
Token: SeUndockPrivilege	2992	wmic.exe
Token: SeManageVolumePrivilege	2992	wmic.exe
Token: 33	2992	wmic.exe
Token: 34	2992	wmic.exe
Token: 35	2992	wmic.exe
Token: SeIncreaseQuotaPrivilege	2968	wmic.exe
Token: SeSecurityPrivilege	2968	wmic.exe
Token: SeTakeOwnershipPrivilege	2968	wmic.exe
Token: SeLoadDriverPrivilege	2968	wmic.exe
Token: SeSystemProfilePrivilege	2968	wmic.exe
Token: SeSystemtimePrivilege	2968	wmic.exe
Token: SeProfSingleProcessPrivilege	2968	wmic.exe
Token: SeIncBasePriorityPrivilege	2968	wmic.exe
Token: SeCreatePagefilePrivilege	2968	wmic.exe
Token: SeBackupPrivilege	2968	wmic.exe
Token: SeRestorePrivilege	2968	wmic.exe
Token: SeShutdownPrivilege	2968	wmic.exe
Token: SeDebugPrivilege	2968	wmic.exe
Token: SeSystemEnvironmentPrivilege	2968	wmic.exe
Token: SeRemoteShutdownPrivilege	2968	wmic.exe
Token: SeUndockPrivilege	2968	wmic.exe
Token: SeManageVolumePrivilege	2968	wmic.exe
Token: 33	2968	wmic.exe
Token: 34	2968	wmic.exe
Token: 35	2968	wmic.exe
Token: SeIncreaseQuotaPrivilege	2968	wmic.exe
Token: SeSecurityPrivilege	2968	wmic.exe
Token: SeTakeOwnershipPrivilege	2968	wmic.exe
Token: SeLoadDriverPrivilege	2968	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2816	1616	0739aa5a4712b1e887cdc4af3d492ea5.exe	28
PID 1616 wrote to memory of 2816	1616	0739aa5a4712b1e887cdc4af3d492ea5.exe	28
PID 1616 wrote to memory of 2816	1616	0739aa5a4712b1e887cdc4af3d492ea5.exe	28
PID 1616 wrote to memory of 2816	1616	0739aa5a4712b1e887cdc4af3d492ea5.exe	28
PID 2816 wrote to memory of 2992	2816	eecabfbcacbb.exe	29
PID 2816 wrote to memory of 2992	2816	eecabfbcacbb.exe	29
PID 2816 wrote to memory of 2992	2816	eecabfbcacbb.exe	29
PID 2816 wrote to memory of 2992	2816	eecabfbcacbb.exe	29
PID 2816 wrote to memory of 2968	2816	eecabfbcacbb.exe	32
PID 2816 wrote to memory of 2968	2816	eecabfbcacbb.exe	32
PID 2816 wrote to memory of 2968	2816	eecabfbcacbb.exe	32
PID 2816 wrote to memory of 2968	2816	eecabfbcacbb.exe	32
PID 2816 wrote to memory of 2600	2816	eecabfbcacbb.exe	35
PID 2816 wrote to memory of 2600	2816	eecabfbcacbb.exe	35
PID 2816 wrote to memory of 2600	2816	eecabfbcacbb.exe	35
PID 2816 wrote to memory of 2600	2816	eecabfbcacbb.exe	35
PID 2816 wrote to memory of 2624	2816	eecabfbcacbb.exe	37
PID 2816 wrote to memory of 2624	2816	eecabfbcacbb.exe	37
PID 2816 wrote to memory of 2624	2816	eecabfbcacbb.exe	37
PID 2816 wrote to memory of 2624	2816	eecabfbcacbb.exe	37
PID 2816 wrote to memory of 2904	2816	eecabfbcacbb.exe	38
PID 2816 wrote to memory of 2904	2816	eecabfbcacbb.exe	38
PID 2816 wrote to memory of 2904	2816	eecabfbcacbb.exe	38
PID 2816 wrote to memory of 2904	2816	eecabfbcacbb.exe	38
PID 2816 wrote to memory of 476	2816	eecabfbcacbb.exe	40
PID 2816 wrote to memory of 476	2816	eecabfbcacbb.exe	40
PID 2816 wrote to memory of 476	2816	eecabfbcacbb.exe	40
PID 2816 wrote to memory of 476	2816	eecabfbcacbb.exe	40

C:\Users\Admin\AppData\Local\Temp\0739aa5a4712b1e887cdc4af3d492ea5.exe
"C:\Users\Admin\AppData\Local\Temp\0739aa5a4712b1e887cdc4af3d492ea5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe
  C:\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe 6-7-9-0-8-3-9-2-7-2-5 KUlARDUuMDEvMRspTExCSEY7OykeKkg+S1dHT0JHPTssHysncGpsW3NccmlbZlw9SmJga1plYBooO0lLUUBCNjAyMSopICdAQEI2LhspSUlPPFI6UlhHPzcrLTksMBctTENNUD5JX01PQzthcm9qMyYva29tLD1DTkUmS09IKjhOSSxESD9GICdAQ0c8SUQ+NhcvPC40KyoeKj4rNC0pHSZCLDsoKxkmRCw6JC8ZLT8vNiQxGCxHUEhCUD1NVlBKRk0/PFc4GihHUkdBTEFNXUBPRTg9GCxHUEhCUD1NVk45Sjw7GS1AUj5WVUpJNB4oQ1M/WDpNPElATD47GylBRlNMXDlQSFVOP0s0NRgsS0Y6TEZTSExfTU9DOxktUUc2KSAnQUovNh4qTE5FVEFKPF1QQ0c9SERFQUo4RT5TTUY2Fy9BUFZQTkxPQ0Y8PWxvbGMZLU0/TUxSRkZFRVhTTj9LVkQ5Vko7Kx4qQkI7RVA6KB4oR05ZPVBOOUpAQVhDST1LUFBMQjs7X19nbV4XLzxMTkxFTTw+WEBQNS4lLyksLSwsJTMqHSZSQktANyorMjAuKzQtMS0aKDtPT0tDTTpCWk5CREU1MSYyKDArKy4hMSk3KS4zMS0kOkQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703446236.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703446236.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703446236.txt bios get version
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703446236.txt bios get version
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703446236.txt bios get version
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703446236.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703446236.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703446236.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6F28.tmp\kyxic.dll

Filesize
125KB

MD5
6f454a53fbd45b9e2c36d7ebbdbbf4b3

SHA1
e55437cc42f61babd04db06874ef39837d58f58e

SHA256
1382987f2d8c35a506215f4ba55849f52c284817e30c32c40168926b0181f673

SHA512
73465aa71107fa32daff96caa28f039c55e757373340403014c3dfb0425743638200d42021713d99873830c8438f18924ba7053847f26974756a71d65e4f4130

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
764KB

MD5
4997b457b92c542dd233d2703e20a0ae

SHA1
36d83f89332b39f962269e9c131e5b354bb8d7d2

SHA256
7291450c074ba68c6bf3e603da4e436194b4027e18f490ea3ac3e7a07628cc6e

SHA512
e4ccc4c66a9d27b7ca3282a137177b95cbd90bf6d2bef77c82782d8031e96a6637057e74ab0b25e897246b6ef44f519041761e0ee707462c497eec939c189e88

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
349KB

MD5
6a126872099c5a93a2be408611498fa5

SHA1
fa987cba2d946398afc86083939257dfa3060310

SHA256
94e27ad7481866cd5aff296a111e04e3e991af82126f8a429bb46d1efa0a488e

SHA512
14b9cc93c505c77730626a5b013d70d94270472d87add7c2da128747208c0ebe13143b7f46388fe76a063e52c99e3d2ccd5de692c9c868ae6a5ce6606b2d0386

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
233KB

MD5
fbe00588720a9f51f8d1660da901db8d

SHA1
02dcbe5fdc7c20b3de649b80896bc56554d32325

SHA256
99be5bc8bd09e0a0c2bc43b5bb4a6d43088d7e7d9c3254a526e6e4e72c23333e

SHA512
43cfa66ae14d3dbb9b6ea8872d1cb4ed00895d16485beb138ad6c72c9531b2d8a7dcb2a1d782303237b395791522924b4d7896ffa3cb2078de2af49422a88ab4

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
183KB

MD5
595d91946d2059192af351df6ccb5b53

SHA1
3dee44c9b5af5785a164afe2e3d21f54886374e6

SHA256
3cd2e34e5107a4fb1d125c123dda13010847e1aec55e74899ee684c3507395b5

SHA512
68bcc403e1c24334b67fc62d3b86a96d8b0846bc982c1ba71e9dfb06d25792201f8e32c5c176f35e44fcccba0f305837dc4543f011195e7d3d5e75ac675a85a2

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
268KB

MD5
35456d7c584e6a27719c1bb1ab5a45ef

SHA1
99c5f4252d1c3af10b5f9bf0bec4479f2a267f1a

SHA256
efd363ca7d736345334cf276207e01d5db9d1a2aee40d359acc899b4fa6d5dfd

SHA512
b7cc4189a13eaf583f8012d01daccbd6264d73dd4d6d57d67b23f9f0b63fdc5d17704e25098a8fb50aa86c8f6c826f35cb3e48b71d5cadd9bad27829a0e5b378

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
234KB

MD5
4cd3be4724c6a2d71fa920e42ebda2c9

SHA1
89795cade79c9b2819d9e9eba57ebfe771dd13db

SHA256
7c6d871a6e47fc9719ed7cd98c2f9828033cb1e28b273baf57f7b125cd44d029

SHA512
93c889316cffe20d44906c5c79672875691f77ee4e372685b141579dcaeb4b47666c9637ea0111fcccb3020f72f8bad23af6b563319caac564f8a4c34bb1c704

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
358KB

MD5
d901da4172d2a9a2319e8199da08dd97

SHA1
ea0fc57185501f6fe196cca1dd54e5917d5d3aa9

SHA256
39fc4b85dad17ed56dfd982236168abdfc2b356c0157c25b84cfb01a49956f26

SHA512
a5b42b452eb45e44ebcae6e90197bab4988b58bf857c78d22df7adb6d8df0374149c0a3ca54065e5c62df4facdf77fc0105dc59b1bcd3326fde46d3ab3276437

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfbcacbb.exe

Filesize
235KB

MD5
45979bd9f9b136eb74b853bc420094cd

SHA1
d2c3cf68e4934a78701f3d0a784af2a082993f64

SHA256
207b94111138e176020e58409684c64e67a8bea406f118d06a727c8ead1604ab

SHA512
b2de8807d6571fda02c613c80f8e5bcad74fac502495a70d28e9cee314fc4b5f1db2960ecf0c1cd94cbbb04f9a8cf7830076e9fb51273a6c2c094f44d28b9935

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6F28.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit