05e1b452b099bf79943b925ca6d70e2491d13529ecbe28521de0f99554045202

Analysis

max time kernel
120s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10f50c7d2bf11557db5d60325e5bcc84.exe
Size

577KB
MD5

10f50c7d2bf11557db5d60325e5bcc84
SHA1

00ae0fd3a325376f4b7f351a5f9df3df8b8762e4
SHA256

05e1b452b099bf79943b925ca6d70e2491d13529ecbe28521de0f99554045202
SHA512

7e2236939816ce1dec65fc4265dede4664975dc495aef0efeacc08d73c07886def65a0d8981af9511540e6b9fe1a46fbcc725dbdb25a7be4b525e0accf2f6a70
SSDEEP

12288:XjnoIMqBJpEJ8+4upsUrOzxTJjefhV2b0qRXDjY/Xrt:XjnompEJdWzJ0foX4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	cccabfdgbic.exe

Loads dropped DLL 10 IoCs

pid	Process
2232	10f50c7d2bf11557db5d60325e5bcc84.exe
2232	10f50c7d2bf11557db5d60325e5bcc84.exe
2232	10f50c7d2bf11557db5d60325e5bcc84.exe
376	WerFault.exe
376	WerFault.exe
376	WerFault.exe
376	WerFault.exe
376	WerFault.exe
376	WerFault.exe
376	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
376	2688	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe
Token: SeSecurityPrivilege	1992	wmic.exe
Token: SeTakeOwnershipPrivilege	1992	wmic.exe
Token: SeLoadDriverPrivilege	1992	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2232 wrote to memory of 2688	2232	10f50c7d2bf11557db5d60325e5bcc84.exe	29
PID 2688 wrote to memory of 2588	2688	cccabfdgbic.exe	30
PID 2688 wrote to memory of 2588	2688	cccabfdgbic.exe	30
PID 2688 wrote to memory of 2588	2688	cccabfdgbic.exe	30
PID 2688 wrote to memory of 2588	2688	cccabfdgbic.exe	30
PID 2688 wrote to memory of 2616	2688	cccabfdgbic.exe	33
PID 2688 wrote to memory of 2616	2688	cccabfdgbic.exe	33
PID 2688 wrote to memory of 2616	2688	cccabfdgbic.exe	33
PID 2688 wrote to memory of 2616	2688	cccabfdgbic.exe	33
PID 2688 wrote to memory of 1992	2688	cccabfdgbic.exe	35
PID 2688 wrote to memory of 1992	2688	cccabfdgbic.exe	35
PID 2688 wrote to memory of 1992	2688	cccabfdgbic.exe	35
PID 2688 wrote to memory of 1992	2688	cccabfdgbic.exe	35
PID 2688 wrote to memory of 764	2688	cccabfdgbic.exe	38
PID 2688 wrote to memory of 764	2688	cccabfdgbic.exe	38
PID 2688 wrote to memory of 764	2688	cccabfdgbic.exe	38
PID 2688 wrote to memory of 764	2688	cccabfdgbic.exe	38
PID 2688 wrote to memory of 2180	2688	cccabfdgbic.exe	39
PID 2688 wrote to memory of 2180	2688	cccabfdgbic.exe	39
PID 2688 wrote to memory of 2180	2688	cccabfdgbic.exe	39
PID 2688 wrote to memory of 2180	2688	cccabfdgbic.exe	39
PID 2688 wrote to memory of 376	2688	cccabfdgbic.exe	41
PID 2688 wrote to memory of 376	2688	cccabfdgbic.exe	41
PID 2688 wrote to memory of 376	2688	cccabfdgbic.exe	41
PID 2688 wrote to memory of 376	2688	cccabfdgbic.exe	41

C:\Users\Admin\AppData\Local\Temp\10f50c7d2bf11557db5d60325e5bcc84.exe
"C:\Users\Admin\AppData\Local\Temp\10f50c7d2bf11557db5d60325e5bcc84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe
  C:\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe 6-7-5-9-9-7-3-3-8-2-8 KUlEOzQqNTEvMhgpTFA5R0JBOigeJ0g+T05GS0hGPDspGig/QEpNRkE1MC0yKS4XJjxGQTUuGClJTUY7TkBRV0c8NysuMCkyHSxLQ0pQPk1WTEtJOmBybGozKiZqXm9zJnJgXyZcZ2cmYV5sXyZjZ2FmFyhASUFBQ0M9OBcmPS46JS8YKT0tNCQqHSw8MTUnKhsmOy06KikeJz4uOCQoGSxNSk08TzxPVkdLRlM5QVE3GSpHSUhBUjtSVz9ORzg0GSxNSk08TzxPVkU6SkI1UV1ubmsXJj5VQldTSkY2GyY8UUJcO0s8RkJJPDQZLEVHUUxZO01GTkxCTzUwGClNQzhFRFZMTV1NTEU4FyZPSjoqHic+TCw0KCkyLSkeJ0xOSUtARkJcT0NEPUhIPEBGPkQ9U0pGNhsmQExcT01MTENGQDRra3JiGC1KP01QSUVCS0RXU0s/S1o7OFJQOioeJ0JCPzxPNi4dJ0dLWT1URThGRkBXQ0Y9S1RHSz5BOl5fZG1eGyY7SFRLRE05PlhERzQqNDMmLykvJywnLCcvMikeJ05CSDw0KjEvKjYuMTItMBcoQUxPTERJOj9WS0JKQjUwJywoLScoLic2Mi4tNCs0IThG
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691874.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691874.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691874.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691874.txt bios get version
    3⤵
    PID:764
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703691874.txt bios get version
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703691874.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE715.tmp\gxr.dll

Filesize
125KB

MD5
99a6fea9c25b372d3ec08180173cd947

SHA1
a5d8df9a5dc069452444e0bf972998f87dda9ccb

SHA256
9b2f0d2cfb9eacdabfbe4a78d3f1a539ea75f6a641c59799e012aa17ec8e82b2

SHA512
6faa64c2f16d8008d6be74d4c22b4b4fcb3eca3a07acd1b3f392098d9d4fbb0315e206859cc24451a42f88b214e90a5d196553a97a267ad452be005701e7257f

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
822KB

MD5
4e2125ef7db05b037e68cb220ea9e573

SHA1
8c11c04a82b16d48b959272eb247544c89717c96

SHA256
8fd8872b2e260cd35669124d5a6539a83d68af4af7dd6ec9b2c423a27a981983

SHA512
11a5b7fe8a6cd9f84c7fc2f04051abd780bd947a58aac1297b763dfebad18fdd8db3ccf2308e1349626129c0427e4f8ecb18059912e39232ac38af9925fc9020

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
115KB

MD5
d135eef61785f732f49d1082c10904c4

SHA1
6fbb3265da2ac991cac7ee8849ae5bc1592d0955

SHA256
83d6ae89aaa45d9dde2c20871507edc5296b95177f27b2594675317bf851df38

SHA512
436beb6fb3950c5f384d59910df1ea0c4074c4b29153c98a9fffbace2f5bc008c4653611ea878b6b39ff736aaccb365fd76c86b3e73518b4fef0c2b2d11f4172

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
182KB

MD5
f79f9c276d59ada60c3d6dfea65b05bb

SHA1
e0778438ab1a1223513d7de3575859d90d4a7e58

SHA256
74cbd55af1efb431a73303c722e1e225c3e6a40cc9840391ae998ff479dbf8a9

SHA512
eb5f81979e3ad98e785a95809c5a0a8f8dc55498320412b9b0f3552ca4501355fd5501529a90c655c14caeffa5707fe0cb21dd0a9c68d4d48a90400beefe7e85

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
230KB

MD5
7fe4cdb5396a0064710f028d8429ac6c

SHA1
a3df52b83fd811e3bf57179844cf66a5df12dc5f

SHA256
4751e86bc8399687c2ecd9d9f10175fe9fdc306ca2028f77a1a6d2c84d34aefa

SHA512
a00a7f72cded52ad15ee1e78a15107dbf972aeadb6404e18094afd2dc0f49d6c968b1877c16deebab659fa0f4855272c01fe1ba58c1e05e2ad1b93f15a30685d

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
83KB

MD5
fa31265969043d5d1e5cbecedb91794a

SHA1
7d06a31c4a433180ceffccf69ef1a09bc795363e

SHA256
edacfa20faf937f39d12fd4da53dd03f986e49553fceb929f7afa953df7cc79c

SHA512
5333a61aeaa3897ea8a01ec01634dc2912a79f825ae4bcfb2f15ab806553343b7d4387e8ebd70d5628fecf4699e4fcb95732d50fbb42631ce35cd57f5526d0c6

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
107KB

MD5
3041a2493ac2c2b5c843fffa10122cc4

SHA1
4e1ec59491487ac4bcd46bdcc8c728c74dba1f46

SHA256
1e2ca369ebafcf01c8401edcec0675d2d0b9ffffb61e3e31f68d1e0676c405e9

SHA512
cea31ebf77f97fbfd4f0af6b7d6055a593e4fff1ed15db3c6b25fb5f6120b446aaea9afac983a3ee263170ff91e5b08845246500a196af8af2afdf91440c2c9a

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfdgbic.exe

Filesize
70KB

MD5
c5117db6da9683b185b9aac0290e7ff2

SHA1
f6f162aef576ef1a474087603794f6ea80b3b386

SHA256
5949f003f98641df78d4908ce9da68213964df110e8240bb070793c9a1b9c09d

SHA512
5be1861da9ba6285f5c968bf95cf687093e74942699546221ff03aa186dc565fd4da47af812b161311938792236848ed44cb1743b5fce078cfb1d7cdda9e682e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE715.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit