060df481878b0310b4a2ac3bd28e05ddc7fb01576bbf8ca90f911a8bb770fe01

Analysis

max time kernel
118s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ce95d1a52d4682ffc9a6ed46d4d526.exe
Size

558KB
MD5

11ce95d1a52d4682ffc9a6ed46d4d526
SHA1

77bf2ac4cbb122e12bb8602acbc1dfba3fb77498
SHA256

060df481878b0310b4a2ac3bd28e05ddc7fb01576bbf8ca90f911a8bb770fe01
SHA512

352398b3341b01df207731f2296aae3adf1050c0683ed2879f8799b03653f419ced5943f1ed363e6dc5f34510e8d1a615157e44627371b1073cbb1dd408195f8
SSDEEP

12288:SFcQa8ByYTniUnfJEQbXeyY/334HXbJ1etH29+kFLavpJ9:SWZ8/nHyNQHXjetW9ZLavpJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	eecabfifbhh.exe

Loads dropped DLL 10 IoCs

pid	Process
2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe
2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe
2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1508	2780	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe
Token: SeSystemProfilePrivilege	2776	wmic.exe
Token: SeSystemtimePrivilege	2776	wmic.exe
Token: SeProfSingleProcessPrivilege	2776	wmic.exe
Token: SeIncBasePriorityPrivilege	2776	wmic.exe
Token: SeCreatePagefilePrivilege	2776	wmic.exe
Token: SeBackupPrivilege	2776	wmic.exe
Token: SeRestorePrivilege	2776	wmic.exe
Token: SeShutdownPrivilege	2776	wmic.exe
Token: SeDebugPrivilege	2776	wmic.exe
Token: SeSystemEnvironmentPrivilege	2776	wmic.exe
Token: SeRemoteShutdownPrivilege	2776	wmic.exe
Token: SeUndockPrivilege	2776	wmic.exe
Token: SeManageVolumePrivilege	2776	wmic.exe
Token: 33	2776	wmic.exe
Token: 34	2776	wmic.exe
Token: 35	2776	wmic.exe
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe
Token: SeSystemProfilePrivilege	2776	wmic.exe
Token: SeSystemtimePrivilege	2776	wmic.exe
Token: SeProfSingleProcessPrivilege	2776	wmic.exe
Token: SeIncBasePriorityPrivilege	2776	wmic.exe
Token: SeCreatePagefilePrivilege	2776	wmic.exe
Token: SeBackupPrivilege	2776	wmic.exe
Token: SeRestorePrivilege	2776	wmic.exe
Token: SeShutdownPrivilege	2776	wmic.exe
Token: SeDebugPrivilege	2776	wmic.exe
Token: SeSystemEnvironmentPrivilege	2776	wmic.exe
Token: SeRemoteShutdownPrivilege	2776	wmic.exe
Token: SeUndockPrivilege	2776	wmic.exe
Token: SeManageVolumePrivilege	2776	wmic.exe
Token: 33	2776	wmic.exe
Token: 34	2776	wmic.exe
Token: 35	2776	wmic.exe
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe
Token: SeRestorePrivilege	2716	wmic.exe
Token: SeShutdownPrivilege	2716	wmic.exe
Token: SeDebugPrivilege	2716	wmic.exe
Token: SeSystemEnvironmentPrivilege	2716	wmic.exe
Token: SeRemoteShutdownPrivilege	2716	wmic.exe
Token: SeUndockPrivilege	2716	wmic.exe
Token: SeManageVolumePrivilege	2716	wmic.exe
Token: 33	2716	wmic.exe
Token: 34	2716	wmic.exe
Token: 35	2716	wmic.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2780	2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe	28
PID 2172 wrote to memory of 2780	2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe	28
PID 2172 wrote to memory of 2780	2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe	28
PID 2172 wrote to memory of 2780	2172	11ce95d1a52d4682ffc9a6ed46d4d526.exe	28
PID 2780 wrote to memory of 2776	2780	eecabfifbhh.exe	29
PID 2780 wrote to memory of 2776	2780	eecabfifbhh.exe	29
PID 2780 wrote to memory of 2776	2780	eecabfifbhh.exe	29
PID 2780 wrote to memory of 2776	2780	eecabfifbhh.exe	29
PID 2780 wrote to memory of 2716	2780	eecabfifbhh.exe	32
PID 2780 wrote to memory of 2716	2780	eecabfifbhh.exe	32
PID 2780 wrote to memory of 2716	2780	eecabfifbhh.exe	32
PID 2780 wrote to memory of 2716	2780	eecabfifbhh.exe	32
PID 2780 wrote to memory of 2768	2780	eecabfifbhh.exe	34
PID 2780 wrote to memory of 2768	2780	eecabfifbhh.exe	34
PID 2780 wrote to memory of 2768	2780	eecabfifbhh.exe	34
PID 2780 wrote to memory of 2768	2780	eecabfifbhh.exe	34
PID 2780 wrote to memory of 2648	2780	eecabfifbhh.exe	37
PID 2780 wrote to memory of 2648	2780	eecabfifbhh.exe	37
PID 2780 wrote to memory of 2648	2780	eecabfifbhh.exe	37
PID 2780 wrote to memory of 2648	2780	eecabfifbhh.exe	37
PID 2780 wrote to memory of 3044	2780	eecabfifbhh.exe	38
PID 2780 wrote to memory of 3044	2780	eecabfifbhh.exe	38
PID 2780 wrote to memory of 3044	2780	eecabfifbhh.exe	38
PID 2780 wrote to memory of 3044	2780	eecabfifbhh.exe	38
PID 2780 wrote to memory of 1508	2780	eecabfifbhh.exe	40
PID 2780 wrote to memory of 1508	2780	eecabfifbhh.exe	40
PID 2780 wrote to memory of 1508	2780	eecabfifbhh.exe	40
PID 2780 wrote to memory of 1508	2780	eecabfifbhh.exe	40

C:\Users\Admin\AppData\Local\Temp\11ce95d1a52d4682ffc9a6ed46d4d526.exe
"C:\Users\Admin\AppData\Local\Temp\11ce95d1a52d4682ffc9a6ed46d4d526.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe
  C:\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe 4-6-1-1-9-5-9-6-0-6-5 K0pIQzQsKio3LRsrTVRBR0Q7NzAaKko/U1ZGTUJDRDcrHClDSEpPQD49LC8yKjAfJj5APj0qGytKUU47UDpOX0M/OSs1OCsbJk1FTFFBTF5USUc0YnRuazYpLnJpcSU+RU1GKU5OTyQ8R0ouQ0lCSR8uOkdAPUtDPzkxaDAnUWgyYW9mHClDMDRJTEdCP00cKUMxNCgoGi8+LjknMB8mPys3LSsbKz40PCQsFylQTEpAT0JTVktJQ1Y7PlU3Hy5HTUY+VT1PWz9USzg4FylQTEpAT0JTVkk4R0U3Gys/V0RWUElGPRoqQVJEXjpIO0ZJSEA5Gi5HRk5LWUJMSlNNRFE0LRcpVEI8SkVYTkxaTExMNxsrUEw8KRsmPlMrOBwpUVRFT0BHRVlSQUZCTkRAQEdBQUBRTEs8FypATV9MUEpOSEw8OGtsdV8bK0xEU0xNRUNOQVpRTURRVj84U1M3LRwpR0g7QE83MRoqRU1eQ1BJOEdJPVpBSEJRUEtLP0Q3YV1mcmQXKjtJV0hHSztDXkBLNDIwKDEqLDQzJSwnKyApT0VHRDwoLykyMTIrNTA4HyY/RlFORko9Pl5TQEg8NzQpLyssLzAsJS80NTA1LDMpT0Q=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539909.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539909.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539909.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539909.txt bios get version
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539909.txt bios get version
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703539909.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
334KB

MD5
557e673f2ba8b33bb58f7bf47196f91c

SHA1
ce329fd4534bc23f468e67879d953bea20c7d88f

SHA256
cc7cd0307dc40d8cd46a0148927b118b7aa8f0ee4fc031b88d0bfb4c1c4f608d

SHA512
e2b0ea1994842a2aa38f55fecb554e4be258baf2bfa4ce5356e5b502743276d99b4807b6bed1347ee4a874479c0224ed7550fc52f92eefcc3fa9efdabaf4dde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso76B7.tmp\jcnbi.dll

Filesize
125KB

MD5
3232bc8cd522d31af49c199c41035978

SHA1
1ad2b61c062fad0a6a4cea5c5849973223ef50f9

SHA256
eb709cfa42bd006cbb894d88268343f15ece1f0a39a831a9290697f75ebeb4e6

SHA512
52f3fb7f3751d401e498d10611d8f5dbf367c79b54db86ff85bfe17ce4246b5c759cbda2d762c3436d02bec1964707c74ef40ebec52c290ce530f831a3c8bb78

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
426KB

MD5
ffc1d70594ab888cc55fd2267da4b160

SHA1
bf578cd2878d3fcab8aa77c5b1501f8b68c1ec54

SHA256
dbaed9c5ea03f32738dd7916ac3a83d975b644e57cae7b0ab29b4ed3a183fd0a

SHA512
2f7c6671c1a3f6c3c7c83a173fbd8e91c0759e4311aa901e590f4073a6fa7d37b0c7316dd12a13f2e2d6f58d416d60054b6fbe97a47fb26af23c4f589eefbea7

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
172KB

MD5
9bb97c828fbf7df2ca824b2fa9cdcb2c

SHA1
54e6fafd40ff0f9f6b0eaa419aa373d6b999e27a

SHA256
4cc08be3f55cb08cd083cc14c48e162fd15a17414d84e5075f10e1863fb3b20e

SHA512
e35cb67e44d50b69636cba41f60bac7e589e7de36e09bb27a3890285248b4eaa293a616e70dcf1f08ba47be85ae191d751e63dc8aedfc2fc587e4e392d564add

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
92KB

MD5
bdfcffc07c3384d73a9896622943944d

SHA1
e15931bfb23a3c0fbfd217ddc0f47728285fbcdc

SHA256
cf0441704705e06f9e792712cc7895cf35713f84fd7376e346158f1a310b1c24

SHA512
85ba19beb67fdca4a65de642085a23757c9443bf2d758502b903a507c251f128fa8a04aab3073e4f5ab515921b8bbbe035177ed2528ed1e6e3be7a3811b3ee01

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
155KB

MD5
9d4df227d6e65dabc7dd4f260f2e8193

SHA1
8e68abde25c4c07f7a81117c2cf19e5b583b07c4

SHA256
af61c7219852c7c73080aa7e166283f77ded9828fffade7ca1b63290e562fff4

SHA512
5600184b2d1509ec717953945729372f7a2f83e2242719920aa4c11546a220002f5f04988197e74f24f87b9325fb3bcac001061e46766c35346f1d7022b97c61

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
122KB

MD5
549e14ab4897df1796d01cea56f319f7

SHA1
4e60dca8f2dff25452206ab6e6ddb712117f1dca

SHA256
941ad02605f97972cbaf7cd5ab5167f3dd6a6f266794d5d579a6a7fd96298218

SHA512
2e621e978f1902a1d5980143c0602dc575235f9e6884f0e3a782b044ede7e6a0671c06c035474a89ab33bd4c6764b6183249836e9ea5a2e224da1e219e5b0047

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
61KB

MD5
cdecad5851094b0f28dab126c1c20758

SHA1
327fb16d2621e8c8770923dadee3c594ae1caad4

SHA256
700dfd3d35fa1b9c17fa4c4a6b9ac5011c910a59573dba3df0139e28738abcf2

SHA512
fcdef55d93be42cc8ee8b7bc54e4538a4c5bc3009efca00185cb08650fa9a2a6ebb192be995e47fcfd163896d15a0d995e100da49ba3d4ac078a8b0d4598e182

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
96KB

MD5
72a67fea34c51fe944b85ab32000140f

SHA1
db0f246f0de0c3a3eb89615ec057183175c984ab

SHA256
13b1175d12a6e950526205e6a11a648192a3e1a4d009ad6b3b5834f1bce6af3d

SHA512
3dee11d12311aadea92646558c6aa7697445f7c17f6f1abc7d7862ed1e7adec53c566d9e8c785c4f5d62f1f041d066d48beacedd5017b32e904cd42b48ed816b

Download Submit
\Users\Admin\AppData\Local\Temp\eecabfifbhh.exe

Filesize
73KB

MD5
3ea4bfc31fd76e24044307689c0d3348

SHA1
91cc1475c65a8bdf89231e44919a76b0a1288221

SHA256
c05413e7b4abc983b43bd1149c4963bd277dd505a9e181bf0f55122fafe080b3

SHA512
fde375c2fa821816970bd84ed44fdf586bb8608d48eb5e9403e279d8c39158c9bcf8130d5f563fbffd5bab57394b0d0e1021e1f3ec0578ab906be24ec3c16f1a

Download Submit
\Users\Admin\AppData\Local\Temp\nso76B7.tmp\jcnbi.dll

Filesize
81KB

MD5
93d49fb5fbc44c9e04052df9a7df5990

SHA1
99f5ff1306d3cf348d419df41530f5fa8b117f37

SHA256
30d7e95b8ee85d0479f83d188357135f38d365576ecd25a0719454e9f1717464

SHA512
b1ba17447b98a67f4bdf724d75244a632e6e9d240139b764a5a3f80a9678617c2f5f9a4abb98200fb8b2baceb94c9b0b9d1e560a4a574e86d154cdca349f61f9

Download Submit
\Users\Admin\AppData\Local\Temp\nso76B7.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit