1386350a4a9ab54dba60866115bacab8183de087512e04d6d75bb7c9faab13b6

Analysis

max time kernel
103s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05d695301498cbdafedb752f24e4f8f5.exe
Size

573KB
MD5

05d695301498cbdafedb752f24e4f8f5
SHA1

57972ae10cc99d351fbc8d9a032e3b128ddbdf72
SHA256

1386350a4a9ab54dba60866115bacab8183de087512e04d6d75bb7c9faab13b6
SHA512

f1fed856a269b7b9410ef720421362e58ec893ccbbd20779f52256fccbb71a54d2d32854e6d3b66a38ebc2d655f94153f690bf7ef740a53726d655f497843f40
SSDEEP

12288:0K5hEjCQZF0vTT3B6UWgDJWmSjCnbllzHj:09ZFGs5mSjs3/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	bcbcabfdibgi.exe

Loads dropped DLL 10 IoCs

pid	Process
2108	05d695301498cbdafedb752f24e4f8f5.exe
2108	05d695301498cbdafedb752f24e4f8f5.exe
2108	05d695301498cbdafedb752f24e4f8f5.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2096	2860	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2364	wmic.exe
Token: SeSecurityPrivilege	2364	wmic.exe
Token: SeTakeOwnershipPrivilege	2364	wmic.exe
Token: SeLoadDriverPrivilege	2364	wmic.exe
Token: SeSystemProfilePrivilege	2364	wmic.exe
Token: SeSystemtimePrivilege	2364	wmic.exe
Token: SeProfSingleProcessPrivilege	2364	wmic.exe
Token: SeIncBasePriorityPrivilege	2364	wmic.exe
Token: SeCreatePagefilePrivilege	2364	wmic.exe
Token: SeBackupPrivilege	2364	wmic.exe
Token: SeRestorePrivilege	2364	wmic.exe
Token: SeShutdownPrivilege	2364	wmic.exe
Token: SeDebugPrivilege	2364	wmic.exe
Token: SeSystemEnvironmentPrivilege	2364	wmic.exe
Token: SeRemoteShutdownPrivilege	2364	wmic.exe
Token: SeUndockPrivilege	2364	wmic.exe
Token: SeManageVolumePrivilege	2364	wmic.exe
Token: 33	2364	wmic.exe
Token: 34	2364	wmic.exe
Token: 35	2364	wmic.exe
Token: SeIncreaseQuotaPrivilege	2364	wmic.exe
Token: SeSecurityPrivilege	2364	wmic.exe
Token: SeTakeOwnershipPrivilege	2364	wmic.exe
Token: SeLoadDriverPrivilege	2364	wmic.exe
Token: SeSystemProfilePrivilege	2364	wmic.exe
Token: SeSystemtimePrivilege	2364	wmic.exe
Token: SeProfSingleProcessPrivilege	2364	wmic.exe
Token: SeIncBasePriorityPrivilege	2364	wmic.exe
Token: SeCreatePagefilePrivilege	2364	wmic.exe
Token: SeBackupPrivilege	2364	wmic.exe
Token: SeRestorePrivilege	2364	wmic.exe
Token: SeShutdownPrivilege	2364	wmic.exe
Token: SeDebugPrivilege	2364	wmic.exe
Token: SeSystemEnvironmentPrivilege	2364	wmic.exe
Token: SeRemoteShutdownPrivilege	2364	wmic.exe
Token: SeUndockPrivilege	2364	wmic.exe
Token: SeManageVolumePrivilege	2364	wmic.exe
Token: 33	2364	wmic.exe
Token: 34	2364	wmic.exe
Token: 35	2364	wmic.exe
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	2940	wmic.exe
Token: SeSecurityPrivilege	2940	wmic.exe
Token: SeTakeOwnershipPrivilege	2940	wmic.exe
Token: SeLoadDriverPrivilege	2940	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2860	2108	05d695301498cbdafedb752f24e4f8f5.exe	28
PID 2108 wrote to memory of 2860	2108	05d695301498cbdafedb752f24e4f8f5.exe	28
PID 2108 wrote to memory of 2860	2108	05d695301498cbdafedb752f24e4f8f5.exe	28
PID 2108 wrote to memory of 2860	2108	05d695301498cbdafedb752f24e4f8f5.exe	28
PID 2860 wrote to memory of 2364	2860	bcbcabfdibgi.exe	29
PID 2860 wrote to memory of 2364	2860	bcbcabfdibgi.exe	29
PID 2860 wrote to memory of 2364	2860	bcbcabfdibgi.exe	29
PID 2860 wrote to memory of 2364	2860	bcbcabfdibgi.exe	29
PID 2860 wrote to memory of 1948	2860	bcbcabfdibgi.exe	32
PID 2860 wrote to memory of 1948	2860	bcbcabfdibgi.exe	32
PID 2860 wrote to memory of 1948	2860	bcbcabfdibgi.exe	32
PID 2860 wrote to memory of 1948	2860	bcbcabfdibgi.exe	32
PID 2860 wrote to memory of 2940	2860	bcbcabfdibgi.exe	34
PID 2860 wrote to memory of 2940	2860	bcbcabfdibgi.exe	34
PID 2860 wrote to memory of 2940	2860	bcbcabfdibgi.exe	34
PID 2860 wrote to memory of 2940	2860	bcbcabfdibgi.exe	34
PID 2860 wrote to memory of 2472	2860	bcbcabfdibgi.exe	37
PID 2860 wrote to memory of 2472	2860	bcbcabfdibgi.exe	37
PID 2860 wrote to memory of 2472	2860	bcbcabfdibgi.exe	37
PID 2860 wrote to memory of 2472	2860	bcbcabfdibgi.exe	37
PID 2860 wrote to memory of 2008	2860	bcbcabfdibgi.exe	38
PID 2860 wrote to memory of 2008	2860	bcbcabfdibgi.exe	38
PID 2860 wrote to memory of 2008	2860	bcbcabfdibgi.exe	38
PID 2860 wrote to memory of 2008	2860	bcbcabfdibgi.exe	38
PID 2860 wrote to memory of 2096	2860	bcbcabfdibgi.exe	40
PID 2860 wrote to memory of 2096	2860	bcbcabfdibgi.exe	40
PID 2860 wrote to memory of 2096	2860	bcbcabfdibgi.exe	40
PID 2860 wrote to memory of 2096	2860	bcbcabfdibgi.exe	40

C:\Users\Admin\AppData\Local\Temp\05d695301498cbdafedb752f24e4f8f5.exe
"C:\Users\Admin\AppData\Local\Temp\05d695301498cbdafedb752f24e4f8f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\bcbcabfdibgi.exe
  C:\Users\Admin\AppData\Local\Temp\bcbcabfdibgi.exe 1-0-4-3-3-2-7-0-1-7-6 LlBFQTowLDMfKE1UQkxGQTspIC5HP1NXS09IRz09LxkpQ0lPUUZCNjIzLyowICtARkI2MB8oSlFPQFJAUlhJQzYrNTkwHSxRPlJVPkxeVU5JOmZtdG8zKS5zYW9zLG1oZCZbb3ApYV5yWi5oZ2BuICtASUc8S0g9Ny8wNS8uMy8zNikrNzgvNTMwMTkzKxouRC06LS4yMjAuMDI3HCxBMDYtMBkpQzM5Ki4eKEQzNicwICtBMjsmMR8oSlFPQFJAUlhQUUJQQENVOh0tSVJOPU9CVFtCUko6PR8oSlFPQFJAUlhOQEY/PCArQlVDWFVRRTcfL0FVQl08TUNFQ01FOR0sRkhTU1g8UU9TUEJQNjIfKE5HQUpIVk1OX1RLRjwgK1NKOysgLj1NMD0cLE9TR1RIRj9eV0FJQE1GRUhGO0ZFUU9JOxkvSExZUVVKUUZLPj1za29kICtPQlJOUk1CSEZfUVBCUFhEQFJNPDIcLEVHPUVXNisfL0VQXEJSTkBGQ0JfQUtAUFJQUz4+PGZdaXBjGS9DSFFNTEs+QV1CUDwrKy8uMTErMycxMy4aLlRFSkI7KjQxKjIvNDUzLx4oRE5QSEtPPUFcUkJNRDYrLjItLC8uKjUpKjQzOTYvLyg6TQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703640665.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703640665.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703640665.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703640665.txt bios get version
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703640665.txt bios get version
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703640665.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\bcbcabfdibgi.exe

Filesize
822KB

MD5
89069ebfa105ee79371c91fac314ab36

SHA1
278a1fd15d213a9e8520026e02582a692d9e015d

SHA256
81c83e71ec65cf580b2541a0951eac8acee2bd163418dd844b1af9fb9bda8dbc

SHA512
7c9d7acbed2048548036fef95840227ccb2bf175de8b9f86a38cdfdb18b460d66ba9e5e359060347d260d9b2b1a475be2583dd93439be0ad97a0738ecdeeddcc

Download Submit
\Users\Admin\AppData\Local\Temp\nse83C1.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\Temp\nse83C1.tmp\uoo.dll

Filesize
111KB

MD5
85b8a264242b4d7485ea38d284d7bdb0

SHA1
0f57e423af53ea24c6d65ccfb0bd619468ed9034

SHA256
6792ff415316004c700f38300e64ffe2867d1a0d981148b56adbd2280bdb600c

SHA512
2535371b31e75a7ff921e8838455dc7a0913b8334a9f3f05c361b6b8bbdd89d4548c7b299d3588c83a7b741e5b1ba37886d15c3d810412f89ddd680d808c4da6

Download Submit