ee1d3de7c2e0dcdb2750fe73c91f0c91960399543232e6d8b374203dc2aad898

Analysis

max time kernel
0s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10555ac8ff2ab216b9ec6244717ac3ef.exe
Size

571KB
MD5

10555ac8ff2ab216b9ec6244717ac3ef
SHA1

4d520a382d205b867aa9344dd4730c6e0fe057b7
SHA256

ee1d3de7c2e0dcdb2750fe73c91f0c91960399543232e6d8b374203dc2aad898
SHA512

a088c547b826c515b02057a063c657eed379de5a4efe2f1c50a3cee9fc085848f49fe6742a591bf75a307e6b7a0bd757c42bf60141a6ed4465617a0d4d958f9a
SSDEEP

12288:2ciVODz6tgS9n75UOYjG+I8uzO0e0FvZk:2cfU5UOuI8uTlq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	bcgcabffgbgc.exe

Loads dropped DLL 3 IoCs

pid	Process
3056	10555ac8ff2ab216b9ec6244717ac3ef.exe
3056	10555ac8ff2ab216b9ec6244717ac3ef.exe
3056	10555ac8ff2ab216b9ec6244717ac3ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3020	2672	WerFault.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2740	wmic.exe
Token: SeSecurityPrivilege	2740	wmic.exe
Token: SeTakeOwnershipPrivilege	2740	wmic.exe
Token: SeLoadDriverPrivilege	2740	wmic.exe
Token: SeSystemProfilePrivilege	2740	wmic.exe
Token: SeSystemtimePrivilege	2740	wmic.exe
Token: SeProfSingleProcessPrivilege	2740	wmic.exe
Token: SeIncBasePriorityPrivilege	2740	wmic.exe
Token: SeCreatePagefilePrivilege	2740	wmic.exe
Token: SeBackupPrivilege	2740	wmic.exe
Token: SeRestorePrivilege	2740	wmic.exe
Token: SeShutdownPrivilege	2740	wmic.exe
Token: SeDebugPrivilege	2740	wmic.exe
Token: SeSystemEnvironmentPrivilege	2740	wmic.exe
Token: SeRemoteShutdownPrivilege	2740	wmic.exe
Token: SeUndockPrivilege	2740	wmic.exe
Token: SeManageVolumePrivilege	2740	wmic.exe
Token: 33	2740	wmic.exe
Token: 34	2740	wmic.exe
Token: 35	2740	wmic.exe
Token: SeIncreaseQuotaPrivilege	2740	wmic.exe
Token: SeSecurityPrivilege	2740	wmic.exe
Token: SeTakeOwnershipPrivilege	2740	wmic.exe
Token: SeLoadDriverPrivilege	2740	wmic.exe
Token: SeSystemProfilePrivilege	2740	wmic.exe
Token: SeSystemtimePrivilege	2740	wmic.exe
Token: SeProfSingleProcessPrivilege	2740	wmic.exe
Token: SeIncBasePriorityPrivilege	2740	wmic.exe
Token: SeCreatePagefilePrivilege	2740	wmic.exe
Token: SeBackupPrivilege	2740	wmic.exe
Token: SeRestorePrivilege	2740	wmic.exe
Token: SeShutdownPrivilege	2740	wmic.exe
Token: SeDebugPrivilege	2740	wmic.exe
Token: SeSystemEnvironmentPrivilege	2740	wmic.exe
Token: SeRemoteShutdownPrivilege	2740	wmic.exe
Token: SeUndockPrivilege	2740	wmic.exe
Token: SeManageVolumePrivilege	2740	wmic.exe
Token: 33	2740	wmic.exe
Token: 34	2740	wmic.exe
Token: 35	2740	wmic.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2672	3056	10555ac8ff2ab216b9ec6244717ac3ef.exe	28
PID 3056 wrote to memory of 2672	3056	10555ac8ff2ab216b9ec6244717ac3ef.exe	28
PID 3056 wrote to memory of 2672	3056	10555ac8ff2ab216b9ec6244717ac3ef.exe	28
PID 3056 wrote to memory of 2672	3056	10555ac8ff2ab216b9ec6244717ac3ef.exe	28
PID 2672 wrote to memory of 2740	2672	bcgcabffgbgc.exe	18
PID 2672 wrote to memory of 2740	2672	bcgcabffgbgc.exe	18
PID 2672 wrote to memory of 2740	2672	bcgcabffgbgc.exe	18
PID 2672 wrote to memory of 2740	2672	bcgcabffgbgc.exe	18
PID 2672 wrote to memory of 2704	2672	bcgcabffgbgc.exe	27
PID 2672 wrote to memory of 2704	2672	bcgcabffgbgc.exe	27
PID 2672 wrote to memory of 2704	2672	bcgcabffgbgc.exe	27
PID 2672 wrote to memory of 2704	2672	bcgcabffgbgc.exe	27

C:\Users\Admin\AppData\Local\Temp\10555ac8ff2ab216b9ec6244717ac3ef.exe
"C:\Users\Admin\AppData\Local\Temp\10555ac8ff2ab216b9ec6244717ac3ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\bcgcabffgbgc.exe
  C:\Users\Admin\AppData\Local\Temp\bcgcabffgbgc.exe 5-4-4-6-6-1-5-2-7-8-3 KkxFPjc2Li4rGCxOUT5KQ0M4LhknS0BQU0lMSkRCNigdKkBFTU5IPzsrLDIvLxwpPUg/OykYLEtOSz5PQk9dQjw6LDI1LhouTkNLTkJNW1FMRjxjcm1oNyorb19sdSlyYV0qXGxsJ15gb18nYWthaxwpPUtEQURBQTguLDMtLy8wMTAyGytAKzc1NDQyGCw/LjknKx8qQiw1KiwcKz4uPCgvGSdBMDkpKxouS1BIPFI+UFtKTEhRPzxROhsrTExJQ1BBTVdCUEg9NxouS1BIPFI+UFtIO0xAOxknQlNBW09MSzgeKD1VQFs/Rz5LREw+NR0qREtNTl49UEhPUEBOOSwaLk9GOkZIVEtRWU9RRzsZJ1NIOS4aKUNOLzYYLE1RSk5DTEBdUD1JPktJP0NMPEU+TU9HORwpQ1JaUE5GUURJQTducXBjGSdPQFBRTEhISUVYTVBATls+O1hOOysYLENFQD9SPCweKEFQWkBVSDtMREFYPUs+TlVKTkQ/O19ZaW5hHCk+TlJMRUc+P1tFSjc3MCwqMC0pLTQoKzUsHihMRkhBOSsuMS0xKSwwLi4cKT5OUkxFRz4/W1BDR0Q4LygqMyouLCsvKTM4LCo3LC4mSkc=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2672

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536525.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536525.txt bios get version
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 368
1⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536525.txt bios get version
1⤵
PID:2600

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536525.txt bios get version
1⤵
PID:2896

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703536525.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiA1F.tmp\vdo.dll

Filesize
108KB

MD5
e523cbb093e10f4ed00cde8bed41b52a

SHA1
fae85c50248cc84e87576aab5efd8fd98e2ab53f

SHA256
52629ac09c7a718d295f3dc9ef9c2f0a31a73696f40fd776e8dc803f00d3d1c2

SHA512
2575cce375fde35bb9a4a90363db5125829748d0b0c7e097f6d064f6738a8a4f7d40f474a0d821fcfa4e5a520dc0aea45a66559578ab74455c15e067c4d930fa

Download Submit