055bc66cde5ddd4f5228300f5109abec817cb410c7c6f09f441abc66345d00ee

General

Target

01ff6a83f2334f3a0737e881552f44b9.exe
Size

557KB
MD5

01ff6a83f2334f3a0737e881552f44b9
SHA1

17f0871248f7de4d7ae8e1f3ba99cce5bc068761
SHA256

055bc66cde5ddd4f5228300f5109abec817cb410c7c6f09f441abc66345d00ee
SHA512

6d05cfef278bde2423feb258cf09c2c7794129c1918aabe037297a14e8a6f2e226c952dfeb7408d48d6a3d177de19955c8d4143a5c8b9d958291b2b3dba956c4
SSDEEP

12288:UsNZRBTfoDeRO1fdrvO8haa/vsLjRqIKIQ8uscEfWTkRLahkh:UWZRpfoRoa/vggIKIvncEFLahe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5056	efcabfieee.exe

Loads dropped DLL 2 IoCs

pid	Process
4960	01ff6a83f2334f3a0737e881552f44b9.exe
4960	01ff6a83f2334f3a0737e881552f44b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3188	5056	WerFault.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3748	wmic.exe
Token: SeSecurityPrivilege	3748	wmic.exe
Token: SeTakeOwnershipPrivilege	3748	wmic.exe
Token: SeLoadDriverPrivilege	3748	wmic.exe
Token: SeSystemProfilePrivilege	3748	wmic.exe
Token: SeSystemtimePrivilege	3748	wmic.exe
Token: SeProfSingleProcessPrivilege	3748	wmic.exe
Token: SeIncBasePriorityPrivilege	3748	wmic.exe
Token: SeCreatePagefilePrivilege	3748	wmic.exe
Token: SeBackupPrivilege	3748	wmic.exe
Token: SeRestorePrivilege	3748	wmic.exe
Token: SeShutdownPrivilege	3748	wmic.exe
Token: SeDebugPrivilege	3748	wmic.exe
Token: SeSystemEnvironmentPrivilege	3748	wmic.exe
Token: SeRemoteShutdownPrivilege	3748	wmic.exe
Token: SeUndockPrivilege	3748	wmic.exe
Token: SeManageVolumePrivilege	3748	wmic.exe
Token: 33	3748	wmic.exe
Token: 34	3748	wmic.exe
Token: 35	3748	wmic.exe
Token: 36	3748	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 5056	4960	01ff6a83f2334f3a0737e881552f44b9.exe	36
PID 4960 wrote to memory of 5056	4960	01ff6a83f2334f3a0737e881552f44b9.exe	36
PID 4960 wrote to memory of 5056	4960	01ff6a83f2334f3a0737e881552f44b9.exe	36
PID 5056 wrote to memory of 3748	5056	efcabfieee.exe	35
PID 5056 wrote to memory of 3748	5056	efcabfieee.exe	35
PID 5056 wrote to memory of 3748	5056	efcabfieee.exe	35

C:\Users\Admin\AppData\Local\Temp\01ff6a83f2334f3a0737e881552f44b9.exe
"C:\Users\Admin\AppData\Local\Temp\01ff6a83f2334f3a0737e881552f44b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\efcabfieee.exe
  C:\Users\Admin\AppData\Local\Temp\efcabfieee.exe 4-6-9-2-6-8-4-6-2-9-4 K0pAQjctMi8yFytPTzlOQzw5Kh4mSkFOTk1MQ0U+OygcKz5AUU5BQDc2LiwtGiZBQzw5Kh4mTE5JO1M9TFtDQjQ0LTIoHilLQUxUPE5bT0lKN2Bwbm4xKyttaXQoPEFNSSRQS0okP0pIKkNMPUscKTpKQztHQ0I0HCs+KDsuKC4vLicsHCk7MDcoHClCKjktGiZCLjUpKx4mQDE3JC8aJ0xMTTtRP05WTkxBUjtBUDkcKUdQSTxRPVJWQVFGODsaJ0xMTTtRP05WTDtFQTdEY11vYhwwKkhoW3dcbiEsJ1NqXF1uYxcrQVI8XU9KSDceJkFUP1ZBRzxIQ0w8ORwpP01NTFs8UEZTTz9JOyoYK05GOEpHU0ZTWU1ORjsXK1JHNDAaJ0BNLzQcK0xMTE5BST9dTkFIPUZLP0FJO0U8UU5GNB4pQU9ZUExKUENEQzdsbm9jFytOP0tTTEZFSEVWUU8/SV0+OVVNOykcK0JAQj9QOSseJkVPWTtXSDlJQ0FWQUo9SVdKTEE+O11daG1cHik8S1FMQ0s9PlZHSjUyMCwpMDUoLzIoKTUyHiZQRUc8OyssLjIwKjIuMi8eKTxLUUxDSz0+VlJDRUE3MiYxKywnLy8iLSw4KDQ2Ki8oSkU=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5056

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703505496.txt bios get version
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 940
1⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703505496.txt bios get version
1⤵
PID:3352

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703505496.txt bios get version
1⤵
PID:3896

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703505496.txt bios get version
1⤵
PID:1700

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703505496.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703505496.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703505496.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\efcabfieee.exe

Filesize
73KB

MD5
37779c4002f3bbd972f316576f560a2b

SHA1
107d390563bb024f1f8a9f6aaa5a5fe528941c5b

SHA256
e850053636c952540efbfd7ce66f8f571b97d282c895f64e40ab29642312cee2

SHA512
6a1d0d8247305080a555d8052687c228fe8911b079275012e4fbfca06e28e20bd6dbfd7cc28751567a6fa299b7da3f6df9cf822541053690848a8b8a1fe6a2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu46DD.tmp\bblcj.dll

Filesize
3KB

MD5
9d8e22acd1217100314bee3100e26166

SHA1
4aa70dfb2f7fca0fd06b6e2ec1bb57bcf9374d32

SHA256
eb00fa32d7a695b806cb3f765e8607c149a7552fb62c2e833aec222db59e704e

SHA512
a1bfaac58e9cbf926607d8f3aa27ad91aaa4d08771c1837afe60533652be4320cedea664737a01e462ecba767d018005957d41a4b4bceb4f853b36b720dd3a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu46DD.tmp\bblcj.dll

Filesize
97KB

MD5
59cd17b335a19a245dd3e795d2f61054

SHA1
077b11552e952c1a624f2fdb0c9df6952c8378b3

SHA256
a5688f0dcf916010069c7c9344287a241a74db45db6dbb6ab7cf31260b2ec10d

SHA512
712a67ed8360c623b8d6191be034548321a31bb419d0609ea6de62bf4e411fccdaaa42fad1b39746165e2e9b76a9ccd661eb486c00022873214fcd2eee5c3479

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu46DD.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu46DD.tmp\nsisunz.dll

Filesize
21KB

MD5
e9bd34b4998f911fd6f28e02258d8627

SHA1
f237cc0672c6f9afc5c7bc107befb0ce3f75f772

SHA256
8cd86a2c75f6ce75be900bfa7e61a528fee246a4b6575aa53434655923fc30d0

SHA512
9a52c421ed8e8443a66b69d46fdb34eaf6ddeb6eff4f685ae1fc54afe3ecca0873b84fecaf8f8c2b9e29c7e01f368b30ba4c952d869d710f1543c8be387e5683

Download Submit

Analysis

Sharing