225776aa635fa530432abbee4c30760fc748a5a7d0b2668059287f702afed484

Analysis

max time kernel
118s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106ce9f941d28e6d18ebea1ba1cedee4.exe
Size

567KB
MD5

106ce9f941d28e6d18ebea1ba1cedee4
SHA1

f0f3be3e6e0d133a46910b1c1562dad91e5218e0
SHA256

225776aa635fa530432abbee4c30760fc748a5a7d0b2668059287f702afed484
SHA512

0276a3247c12fdbf3f73416182ccba1884301ce54859630ccb5749a5fb71780e8e9ee18e39902ba52d15a5c6914511a238fb616ad356936e9c1e5aded2ee47ae
SSDEEP

12288:RSqCaEZZ2TusjEi3fLuSv1UFEyt652c5phCX8xvNkmw1cBYV0azPVc:RSnsusl3ThvuSX2AhCs5Nbw1cCV0azO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	ecfcabfbcibf.exe

Loads dropped DLL 10 IoCs

pid	Process
2304	106ce9f941d28e6d18ebea1ba1cedee4.exe
2304	106ce9f941d28e6d18ebea1ba1cedee4.exe
2304	106ce9f941d28e6d18ebea1ba1cedee4.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
972	2848	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: SeIncreaseQuotaPrivilege	2956	wmic.exe
Token: SeSecurityPrivilege	2956	wmic.exe
Token: SeTakeOwnershipPrivilege	2956	wmic.exe
Token: SeLoadDriverPrivilege	2956	wmic.exe
Token: SeSystemProfilePrivilege	2956	wmic.exe
Token: SeSystemtimePrivilege	2956	wmic.exe
Token: SeProfSingleProcessPrivilege	2956	wmic.exe
Token: SeIncBasePriorityPrivilege	2956	wmic.exe
Token: SeCreatePagefilePrivilege	2956	wmic.exe
Token: SeBackupPrivilege	2956	wmic.exe
Token: SeRestorePrivilege	2956	wmic.exe
Token: SeShutdownPrivilege	2956	wmic.exe
Token: SeDebugPrivilege	2956	wmic.exe
Token: SeSystemEnvironmentPrivilege	2956	wmic.exe
Token: SeRemoteShutdownPrivilege	2956	wmic.exe
Token: SeUndockPrivilege	2956	wmic.exe
Token: SeManageVolumePrivilege	2956	wmic.exe
Token: 33	2956	wmic.exe
Token: 34	2956	wmic.exe
Token: 35	2956	wmic.exe
Token: SeIncreaseQuotaPrivilege	2628	wmic.exe
Token: SeSecurityPrivilege	2628	wmic.exe
Token: SeTakeOwnershipPrivilege	2628	wmic.exe
Token: SeLoadDriverPrivilege	2628	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2848	2304	106ce9f941d28e6d18ebea1ba1cedee4.exe	28
PID 2304 wrote to memory of 2848	2304	106ce9f941d28e6d18ebea1ba1cedee4.exe	28
PID 2304 wrote to memory of 2848	2304	106ce9f941d28e6d18ebea1ba1cedee4.exe	28
PID 2304 wrote to memory of 2848	2304	106ce9f941d28e6d18ebea1ba1cedee4.exe	28
PID 2848 wrote to memory of 2904	2848	ecfcabfbcibf.exe	29
PID 2848 wrote to memory of 2904	2848	ecfcabfbcibf.exe	29
PID 2848 wrote to memory of 2904	2848	ecfcabfbcibf.exe	29
PID 2848 wrote to memory of 2904	2848	ecfcabfbcibf.exe	29
PID 2848 wrote to memory of 2956	2848	ecfcabfbcibf.exe	32
PID 2848 wrote to memory of 2956	2848	ecfcabfbcibf.exe	32
PID 2848 wrote to memory of 2956	2848	ecfcabfbcibf.exe	32
PID 2848 wrote to memory of 2956	2848	ecfcabfbcibf.exe	32
PID 2848 wrote to memory of 2628	2848	ecfcabfbcibf.exe	34
PID 2848 wrote to memory of 2628	2848	ecfcabfbcibf.exe	34
PID 2848 wrote to memory of 2628	2848	ecfcabfbcibf.exe	34
PID 2848 wrote to memory of 2628	2848	ecfcabfbcibf.exe	34
PID 2848 wrote to memory of 2068	2848	ecfcabfbcibf.exe	36
PID 2848 wrote to memory of 2068	2848	ecfcabfbcibf.exe	36
PID 2848 wrote to memory of 2068	2848	ecfcabfbcibf.exe	36
PID 2848 wrote to memory of 2068	2848	ecfcabfbcibf.exe	36
PID 2848 wrote to memory of 1952	2848	ecfcabfbcibf.exe	38
PID 2848 wrote to memory of 1952	2848	ecfcabfbcibf.exe	38
PID 2848 wrote to memory of 1952	2848	ecfcabfbcibf.exe	38
PID 2848 wrote to memory of 1952	2848	ecfcabfbcibf.exe	38
PID 2848 wrote to memory of 972	2848	ecfcabfbcibf.exe	40
PID 2848 wrote to memory of 972	2848	ecfcabfbcibf.exe	40
PID 2848 wrote to memory of 972	2848	ecfcabfbcibf.exe	40
PID 2848 wrote to memory of 972	2848	ecfcabfbcibf.exe	40

C:\Users\Admin\AppData\Local\Temp\106ce9f941d28e6d18ebea1ba1cedee4.exe
"C:\Users\Admin\AppData\Local\Temp\106ce9f941d28e6d18ebea1ba1cedee4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe
  C:\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe 3]3]4]3]8]2]0]4]0]1]4 LE1FQTUvNC84MBwsUFE/SEdEOTAfK0tCUFRHUEtFRDwtHSxARktSSUA9MSwtNC4dJ0FJQD0vHCxNTkw8U0NQX0hAOi41LywvICtTRE5TQk5cTVBMOWhzcG03KyxrcHYqRERPSCpQTEgrQUxQLUVLQ0sdJ0FMRUNKRUE6HCw8Lz0pMR8rQS85KikeL0AzPCkuHStBLDstLSAuQDI6KS4YLVBOT0NRQFFbTUpHVj1DWDkdLExPR0JVP1ReQVJJPToYLVBOT0NRQFFbSzlLRTlMZGJxIi4tLCMyLERkXWEiLi0rIzIsRnFhYiIuLTxtd2psbl1hIi4tSEElLjBGXWpiHCw9VkVbVVFIOh0rQlBDXz9NQ0hGS0E6GC1IS1NTWz9PS1RLQ1I5MB8rUUU9S0NXT1FfVE5JOhwsTks9LiAuQFAuOR0nUFVKVEhJQlxTQkRBT0lFSEk+REFSSko9HC9IT1xPUUtMR01BPXNucmIcLEpDVFFSTUVLRFtSS0NSW0RAVVA6Lh0nRklARVc5Lh0rRktdRFVOQElGQFtCRkFSVVBTQUE6Yl5kcWUcL0NLVEtITDlCX0VQPC01NiovKTAuLTg0Ki8vLB0nUklJRTwtMS81NiszOC84HytBTFNLRE1BQF9TRUpCOTEnMDUrMi8tMicwNyoxOjE4KT1KHStSOTtNa3poaGleIS9eMi4sKydfbGpsXmxnYmhlJC9fKElQQUMrMi4vITBfJ1RhbGRrd3InS1EnMiYvJS9iKk9TLiEwWikuSkVTJ0BJTigqLDAqNS8zLzQlHSdTUkg9Z3BxbSEwWSMyYiUxYmRicCsoLzItZi1la2NrIipkUnFuU2VqYkBsb2xsa2FjSV5rXWRdcF9gZW9obHYhL14vNC45OCw1NTAyHTBmLTQxNTYtNDUsMyUuZjAwLzY1LTA2NDElMmIzLy40LC4wMDA3NFZUSnZEdzAhMmVfQWh0STtxeUh5UWBMUUV0REJjbUhsVTRJdkZtTERBaWFmUm1FRC11YUNCMFUwP3FUT1RmS3pQbFZENTBZa3hqV1UxdU5pZXJgbXRyWFJ1Q1MvcGRZQ0Z4RmpDMFVPL3NdanJiVkVoclBVMWRXMWRjXi0xLVJHUmljP0pwRlJCaFdpQXFJdmFDXmQvZkdVSWtgLzFwWTBGX0kvbD9IUT9cYFdRaVlpQ2hUL3BkWmlFOFBEQ2lfO0t1R1VJYQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703515898.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
764KB

MD5
56e6f7c16992d8b2f5912ba01bfe93ee

SHA1
c2c33e2445618d79aa4920acb862d533c5a153cf

SHA256
5a930fb5a147e14030be8ea9e869b61b236ae100559a7825637f6512c0386463

SHA512
8dbce6daa39070549110e426f9a5f879a25c2764787931f812ad6501b45e93d8fc9d20e183e10364f29ad73c59cfd01fd9bb8acbd69d23c59b736cd40deececa

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
500KB

MD5
bee923ef02d2523a5ce9250eb0bd552c

SHA1
df50c2e2631bf9a4c6f9137cf573e5da5c872973

SHA256
7514b9b4d918dcf1bb5093ccaa9d1a1603e3b1882bdc1d57d9caf896bfa2e437

SHA512
be97232784ff0854815aba417349355b943af3593dcdf8f5e426de80411c6ec594b7f913d5abc5c84508f808a530c1c8ee7a302b41f614cb710d11576eba42df

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
322KB

MD5
9ce761cfe0da5b4c76614a8a9be6b861

SHA1
f8c30fcc527f6c238673b1691abbc47e468cbc7a

SHA256
928b7c401d003518e2f850bbaaa77f6c202fc946e3334a9ef2252220f8a51776

SHA512
1721812c9baaf93c186529948d01912832e3e98f525a273fef11edd292fb3fedb1dbdda3cf2fc1b1acfc2a4a6ed33cfa0f075d0c5a861f9fac797414861bf6fc

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
506KB

MD5
b4e39699c559a92b25b7bbc8310350a0

SHA1
31d6c3247b2810ba2d1f8ee8c7eff6187b919a6d

SHA256
1df32d230be8383c43242711464994e42364f5cf36bcb88094a25b2981f6881a

SHA512
406e6b36c30e9e8dd12a738d2819205179295c09654f35cec37a7b9c8ce3a627d8d58e1f1e0f281720b7983203b6b27c96adb0f763b5944e28d01df5c47e0ed0

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
351KB

MD5
db63684362170af00ec3eabb9a80d24f

SHA1
defb7dfc2023ed27788c3ff3eaecb7f6c041ca75

SHA256
c7069844a56f9b5330f92daea213241a6cd7948b7e5b585a3a81c5e54ac8a4db

SHA512
81f59215bff844136b43616eabffff1ab5daaf9e4dc26ac9e1ff2ff893c8954b6ddce1396858a2a25d02648f8ba6e3623f022ec8c1227f37294d24b98208ebbc

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
344KB

MD5
c315a2c22182ea59426531267135eb6d

SHA1
47e734d9f24b40cc6fdad72a7caf1969445adef0

SHA256
9d6f4220031911c5bbf9f7f1222cb38a1164181c5a8f8eb5681b68983b3ea50a

SHA512
e96fc01dcd513cf5158a097decfcce9d014280e9f3e71466f5092f360c7931d831aa8f73cfa23cb7ce5d34bc5d8d314778b72fd8fd19e0c98947ae1904cdabf0

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe

Filesize
426KB

MD5
ff3d50fc64c82e9cbc37e96f5539ffd4

SHA1
35e6510acdf39cafd42673445669e655a256df90

SHA256
95eb8f117ad744d4b338c902689f3a625e61a7d5c25ed5ccab8474f37da815b3

SHA512
7b4d75932236baf11809b2bb039bb68741f505714d5b6603a1b0d21ad41d8192f40118e8b4fdc3ec7bee64e791640fb6bfcd5df562827427ad14c5215a3c5361

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB166.tmp\hyulanvh.dll

Filesize
107KB

MD5
9080b78b9a4590a6e43e41468a387819

SHA1
d79b2cfec3736bf6d58f627aeaad43ad75d9e142

SHA256
7c82ae5664963f23bd03b09fbcc5978295f482357f4c0c9f9af09828e7fab67c

SHA512
6f6ac05e8bda7936d9eeba49200041fd70a6b26964dc2f598fc1cc6680217b32eedd3652a9015713c182d660ae838b1f410644c56edac642649f6d03d2eb834b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB166.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit