746d641ec93776052881726aadf33595f55712050d5a1772a2874e0a4f4ea528

General

Target

setup.exe
Size

288KB
MD5

1935f4a33adbdcfa8f99c07ae30270c2
SHA1

fe5a867c0ea093097a0ce03fcf888c7c50f43cfe
SHA256

f4f5fcf6f656144ef95734b1b146cf57602ff69afa0cc84c01401295e9edaeef
SHA512

ee210c51856660e9b2a8bdf3b9a5d06e5c65f546a01439739fc56f0a78c3137c71f08eaaf771ce2085e0ceeae678a11137f803f74cd9e5e0681f8240f5e94135
SSDEEP

6144:FFJ0PaSE16vzeEdhxK9nf5LMuRA/TuX3LzY1cagPNdxL9D:waSE167/w9nBgLSX4VgPNF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	begcabjfeh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2160	1800	WerFault.exe	39

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4692	wmic.exe
Token: SeSecurityPrivilege	4692	wmic.exe
Token: SeTakeOwnershipPrivilege	4692	wmic.exe
Token: SeLoadDriverPrivilege	4692	wmic.exe
Token: SeSystemProfilePrivilege	4692	wmic.exe
Token: SeSystemtimePrivilege	4692	wmic.exe
Token: SeProfSingleProcessPrivilege	4692	wmic.exe
Token: SeIncBasePriorityPrivilege	4692	wmic.exe
Token: SeCreatePagefilePrivilege	4692	wmic.exe
Token: SeBackupPrivilege	4692	wmic.exe
Token: SeRestorePrivilege	4692	wmic.exe
Token: SeShutdownPrivilege	4692	wmic.exe
Token: SeDebugPrivilege	4692	wmic.exe
Token: SeSystemEnvironmentPrivilege	4692	wmic.exe
Token: SeRemoteShutdownPrivilege	4692	wmic.exe
Token: SeUndockPrivilege	4692	wmic.exe
Token: SeManageVolumePrivilege	4692	wmic.exe
Token: 33	4692	wmic.exe
Token: 34	4692	wmic.exe
Token: 35	4692	wmic.exe
Token: 36	4692	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1800	2620	setup.exe	39
PID 2620 wrote to memory of 1800	2620	setup.exe	39
PID 2620 wrote to memory of 1800	2620	setup.exe	39
PID 1800 wrote to memory of 4692	1800	begcabjfeh.exe	41
PID 1800 wrote to memory of 4692	1800	begcabjfeh.exe	41
PID 1800 wrote to memory of 4692	1800	begcabjfeh.exe	41

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\begcabjfeh.exe
  C:\Users\Admin\AppData\Local\Temp\begcabjfeh.exe 9#2#5#4#6#1#2#5#9#0#3 Jk5EQDcxMSwuNx0mUVA+SkhCOCcgLEVDT1NJUUlEOz0tFy0/RU1TRz80MB0mQURANy8eKkdSTDtTPlBZSEI4JyAsSkNNUj9RXVBJTDpfcm9sNC4tYlx0K1tjbmcnc21rJGFtZ3EpZWhlbRsmQ0lAQUZFPjweKjsxOiQvGys+MTsoKCAsOzE4KSsfLT8rPSooHipALzwrLBcvTUlNP1E9U11LSUlTOEFUORouTk1GRFI6UlpBT0s/OBcvTUlNP1E9U11JOE1CNB4qQVJEXVBJTDoXLUBUP15BSDtMRkVDOBwpR01OS18/SU1STz9ROysXL1E/P0lHU05TWkxSSTQeKlJHPDAbJkRQKDsbK0xUTE9ATUJWVUBIPU5LQEBNPj5DUE5GPB4qQFNcSVNJUENMQzhrcnJcHipOP1NTTUVJSz5dUE8/UV0/OFlQNDAbK0JIQkBPPS4XLURPWUNXSThNRjpdQEo9UVdLS0VBNGRcaG1kHio7T1RFSko9Pl5HSzQxNCgsLTEoMDcuJTc0Fy1LPUxASkc8TFxATE5QO0tKOGtyclweKlBDTEM4KDQzKS8vNC81MBsmRExOTEdLO0NdT0BNQjQzKi4pMS4sLSouKTgtLjQzMCU4TQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703642158.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703642158.txt bios get version
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703642158.txt bios get version
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703642158.txt bios get version
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703642158.txt bios get version
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 924
    3⤵
    - Program crash
    PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1800 -ip 1800
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703642158.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703642158.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703642158.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\begcabjfeh.exe

Filesize
10KB

MD5
165cc02f43b630c400090248f7306843

SHA1
1833a9ff53bebf50062e28a4af9203fc52f88686

SHA256
2cd684ae1ec95e671548ace323a236821708814727370f92301302f05704d0c6

SHA512
df6be514592cfa537973d9ac2b03b1d63be87b790d743e23bfcf8a90a2aa2991ce7b3b71b61888e731907b1cd7b1190d8d129ddfd25c19de67b5f98f9c65eec9

Download Submit

Analysis

Sharing