236ce6fdd52ec0482e121196b06668f2dadf4bd1cc8a506a91c11fdbe1c6a08c

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16320c05d8b7d2440e462b1d1fb838fe.exe
Size

557KB
MD5

16320c05d8b7d2440e462b1d1fb838fe
SHA1

112423a6352a5eda61b1f0347b1c209d84ea4e59
SHA256

236ce6fdd52ec0482e121196b06668f2dadf4bd1cc8a506a91c11fdbe1c6a08c
SHA512

2308433405295711e1b7c297df9c530caa88ee010a00385fa35376fc13178bb3646b2c863904c99ce9f2398f25e787251a76f33376cdf3696f45fa984916ec06
SSDEEP

12288:KcHGf9rGrlhZsiRsWFf/Vb/gxsImiQEbL6P2Dn9Vn:Kc2FY/nuQf/0zmS36+D9V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	ecfcabfbddij.exe

Loads dropped DLL 10 IoCs

pid	Process
320	16320c05d8b7d2440e462b1d1fb838fe.exe
320	16320c05d8b7d2440e462b1d1fb838fe.exe
320	16320c05d8b7d2440e462b1d1fb838fe.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	2764	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe
Token: SeSystemProfilePrivilege	2808	wmic.exe
Token: SeSystemtimePrivilege	2808	wmic.exe
Token: SeProfSingleProcessPrivilege	2808	wmic.exe
Token: SeIncBasePriorityPrivilege	2808	wmic.exe
Token: SeCreatePagefilePrivilege	2808	wmic.exe
Token: SeBackupPrivilege	2808	wmic.exe
Token: SeRestorePrivilege	2808	wmic.exe
Token: SeShutdownPrivilege	2808	wmic.exe
Token: SeDebugPrivilege	2808	wmic.exe
Token: SeSystemEnvironmentPrivilege	2808	wmic.exe
Token: SeRemoteShutdownPrivilege	2808	wmic.exe
Token: SeUndockPrivilege	2808	wmic.exe
Token: SeManageVolumePrivilege	2808	wmic.exe
Token: 33	2808	wmic.exe
Token: 34	2808	wmic.exe
Token: 35	2808	wmic.exe
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe
Token: SeSystemProfilePrivilege	2808	wmic.exe
Token: SeSystemtimePrivilege	2808	wmic.exe
Token: SeProfSingleProcessPrivilege	2808	wmic.exe
Token: SeIncBasePriorityPrivilege	2808	wmic.exe
Token: SeCreatePagefilePrivilege	2808	wmic.exe
Token: SeBackupPrivilege	2808	wmic.exe
Token: SeRestorePrivilege	2808	wmic.exe
Token: SeShutdownPrivilege	2808	wmic.exe
Token: SeDebugPrivilege	2808	wmic.exe
Token: SeSystemEnvironmentPrivilege	2808	wmic.exe
Token: SeRemoteShutdownPrivilege	2808	wmic.exe
Token: SeUndockPrivilege	2808	wmic.exe
Token: SeManageVolumePrivilege	2808	wmic.exe
Token: 33	2808	wmic.exe
Token: 34	2808	wmic.exe
Token: 35	2808	wmic.exe
Token: SeIncreaseQuotaPrivilege	2972	wmic.exe
Token: SeSecurityPrivilege	2972	wmic.exe
Token: SeTakeOwnershipPrivilege	2972	wmic.exe
Token: SeLoadDriverPrivilege	2972	wmic.exe
Token: SeSystemProfilePrivilege	2972	wmic.exe
Token: SeSystemtimePrivilege	2972	wmic.exe
Token: SeProfSingleProcessPrivilege	2972	wmic.exe
Token: SeIncBasePriorityPrivilege	2972	wmic.exe
Token: SeCreatePagefilePrivilege	2972	wmic.exe
Token: SeBackupPrivilege	2972	wmic.exe
Token: SeRestorePrivilege	2972	wmic.exe
Token: SeShutdownPrivilege	2972	wmic.exe
Token: SeDebugPrivilege	2972	wmic.exe
Token: SeSystemEnvironmentPrivilege	2972	wmic.exe
Token: SeRemoteShutdownPrivilege	2972	wmic.exe
Token: SeUndockPrivilege	2972	wmic.exe
Token: SeManageVolumePrivilege	2972	wmic.exe
Token: 33	2972	wmic.exe
Token: 34	2972	wmic.exe
Token: 35	2972	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2764	320	16320c05d8b7d2440e462b1d1fb838fe.exe	28
PID 320 wrote to memory of 2764	320	16320c05d8b7d2440e462b1d1fb838fe.exe	28
PID 320 wrote to memory of 2764	320	16320c05d8b7d2440e462b1d1fb838fe.exe	28
PID 320 wrote to memory of 2764	320	16320c05d8b7d2440e462b1d1fb838fe.exe	28
PID 2764 wrote to memory of 2808	2764	ecfcabfbddij.exe	30
PID 2764 wrote to memory of 2808	2764	ecfcabfbddij.exe	30
PID 2764 wrote to memory of 2808	2764	ecfcabfbddij.exe	30
PID 2764 wrote to memory of 2808	2764	ecfcabfbddij.exe	30
PID 2764 wrote to memory of 2972	2764	ecfcabfbddij.exe	32
PID 2764 wrote to memory of 2972	2764	ecfcabfbddij.exe	32
PID 2764 wrote to memory of 2972	2764	ecfcabfbddij.exe	32
PID 2764 wrote to memory of 2972	2764	ecfcabfbddij.exe	32
PID 2764 wrote to memory of 2744	2764	ecfcabfbddij.exe	34
PID 2764 wrote to memory of 2744	2764	ecfcabfbddij.exe	34
PID 2764 wrote to memory of 2744	2764	ecfcabfbddij.exe	34
PID 2764 wrote to memory of 2744	2764	ecfcabfbddij.exe	34
PID 2764 wrote to memory of 2584	2764	ecfcabfbddij.exe	36
PID 2764 wrote to memory of 2584	2764	ecfcabfbddij.exe	36
PID 2764 wrote to memory of 2584	2764	ecfcabfbddij.exe	36
PID 2764 wrote to memory of 2584	2764	ecfcabfbddij.exe	36
PID 2764 wrote to memory of 2248	2764	ecfcabfbddij.exe	39
PID 2764 wrote to memory of 2248	2764	ecfcabfbddij.exe	39
PID 2764 wrote to memory of 2248	2764	ecfcabfbddij.exe	39
PID 2764 wrote to memory of 2248	2764	ecfcabfbddij.exe	39
PID 2764 wrote to memory of 2628	2764	ecfcabfbddij.exe	40
PID 2764 wrote to memory of 2628	2764	ecfcabfbddij.exe	40
PID 2764 wrote to memory of 2628	2764	ecfcabfbddij.exe	40
PID 2764 wrote to memory of 2628	2764	ecfcabfbddij.exe	40

C:\Users\Admin\AppData\Local\Temp\16320c05d8b7d2440e462b1d1fb838fe.exe
"C:\Users\Admin\AppData\Local\Temp\16320c05d8b7d2440e462b1d1fb838fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe
  C:\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe 6)1)2)6)6)2)3)8)3)6)1 KU9HPjcvMCg0LR8pUlM8SkdBNS0aLkhEUlFJUEhBQTcvGi5CQ01SRjw6KzcvNTEaKUFGPDoqHylPUEk+U0BMXENDNzIxLC8eLEtCTFU/UV1PTEo6YHFubzQuLW1sdCs8Qk1KJ1NNSic/TUgrQ01ATh4pPUpGO0hDQzczUisqVGdBbG91Gi5CKzdMUkU/P1EaLkIsNysuGCw+MjcsLxopQjE1KisfKUMzNycvHSdNTE4+VEFOWU5PQVM7QlM8HilKUEw8Uj1TWURTRjs7HSdNTE4+VEFOWUw+RUI3HylEVj9ZU09EOhouP1dDWT1LQURGSEQ3Hy1CSVFRVz9MTlFSQ0w3MB0nUUJASEpXSU9dUkpJNx8pVUs3LB4sPFArPBouUE9IUkZFQllWP0tBSUdDRkU+QURPUUo3Gi1GS1xMVEhTR0c/O3Fqcl8fKVFDTk9QS0FLQV5PUkNMWUI+UVA3MRouRkM+Q1U1LhouQ1JdPlNMPkVGPV4/TUFMU05RPUE3ZVtrcV8aLUFHVEhLSUBCWUNOOjA1KDAyMSwtLCwyGCxOSEdEOysuMDYxNiwzMDQeKT5NVEZJSUA+XlJDR0M6LCwsNCkxLisvKDUyLTE5LjQoSkceLE0+N0xpeWdmZl8iKmMvLSoqJlFjbGFndG0qSFMpMCgvIitfJVZJVjQuIyk+aG1mZFFkYEVjciIqYy8yMS0xMCUmSEBRR0sfMWElZmdoXShBZF1qbSMlQWVqbGdkHzFkLiwsLSYvLTArLTcqJVFeXl5saB8xZC8tNSsrMxouT1FKN2JycWgiLWAfMWQfLGRkXXEoLysxMmAoZ2tebB8xYFFzaE5nal1BaXZoa21bXkteZl5hZGxeYl9qamxxIixlKzMwMzM3LywzLSQsZS8uLDc2MS8uNS0kMGArMi8xNjMxLjUxHy1kNTE0LDguNTYtMTdVKXVuTT12NVtkU3JEQF11RWc3Y0hBLXFJTkxtR1VLKkpBPW1HUjxsTWNlYlU7ZCxTP3dISj4vTUAuampTRXZqU0U+K0lARGtJLi9iT2opcF1oPGdXQWJqS0toYGRBQXFIc20=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703716266.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703716266.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703716266.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703716266.txt bios get version
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703716266.txt bios get version
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703716266.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
447KB

MD5
d649f42a7d612249be1a43f0d5148453

SHA1
e3ea024304907fa7432e69bdd01987af126822cf

SHA256
1a16015ef75a740aca173d9239fa347682c2a5d6fb0c2d6895294f930debaa4f

SHA512
bdf9b7a775c437f17b18faeaf8aeba708effde3eea879b27a40f77760d530865f348a2d0ba16cf268339c67c0c91596086f511d5081fa019d3e8c7e23d77319c

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
764KB

MD5
bb7755df875b511f227a3c9a537a0656

SHA1
8be1d764c5597e2f460d1a583e8dad558538e6cf

SHA256
ce2aea1e5e8a932f7032c68a858df90caa69e29f5994224ab15f3bc1accf8e2a

SHA512
9bb7c64a8fd154b65f8b0d9fcff5bd0cd8f76bd42ecdd566de0a6d820e14e9b4fb4a13fff0ef49d161aafdf5e8028d4534d13297d6405a0800c1a0f819446d8c

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
120KB

MD5
01bf1e8abb319fc80c51ec81d3ef50dc

SHA1
0e9c92dc6ffaf331c7e4c2b686948200112602ab

SHA256
e085aa952fcd4d0f41bead64007fd049fc6f7bec80ba897889909fbbe0c5521d

SHA512
3e5a22993b1c02bcf6145a276bb5ff8fed38cc0e6660ce3986a2452b02cae2ff55619742185b3df45c310700a12392d5f3dd4bccbaf12a62aaa52a5d004909d5

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
106KB

MD5
c7dcf44d74d8c082cbb6755e213c8045

SHA1
f8b5d8012fa7c5f7e445f925609866707a85ce02

SHA256
833a8dc5762825bbb255a51ab1322206d1992fd4965c0b306e5bf780d41a3d58

SHA512
434bf448d7e53942be290b35f2e794102190419b22fa41a6cd71837ba882c577e1faaa9ab5277dcb00b6e82b7aa7a9119c4c5ed7705f5bd9cab59b326bcd3f4c

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
192KB

MD5
5607ba0382aa888e7cf6ccd5ff5d9b4b

SHA1
4784d605c8fb9d27278e4d64303f46bd3d082d36

SHA256
7f80652b8ff9fa3d8a47be68cc9597a1f9344e57ea97c697ca2e6a87e0b400b8

SHA512
5273cb2a94b26e67d013bfcef59957437a789711a913063d7c24cc80159dd8e998c6ae9f07918976d75ca5282fe43739b94e0bbbc8620bac89c02d89a159e961

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
184KB

MD5
45f44fe5f7d6af27f861ecf4e0ed0b68

SHA1
dabc748a51116c9e15b5f48390e74320b3cbbdc3

SHA256
acc45508855d40f3e92cc2c79ec1bc5fd1f69137ef34779c53f2dfd7ec3873d6

SHA512
3c701c12ab8dccc7b0244ead800adf18a60058548e6454014c58c2229b1977419c38e90a719c244085ea7af9c3a8d3d40597adb359628eca7023106d92c36dfa

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
186KB

MD5
d6dbb83a9ef849de5b3c392f308da90d

SHA1
c74751b1185b3ca474ffa74343b77b77997b371a

SHA256
086e4a2f9243825f51d4a1bed3919158a74ca169226e9fdead52318a36ce5bb4

SHA512
7a09aa34b19afdbb78047737f6567db8fcd9440876935a82e2b58702f82f84bcbdb6a6c071480426777dc5e41b9c478694ac19f65b87fa7f560fa18aa06aaac8

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
150KB

MD5
ff794cbea88c2a8c54d1e507f109833e

SHA1
b0c2b056225ce8eefc2402e763cf81234962fc47

SHA256
e46fa909d9978c0e41401f32bb5882da02d27ce3a683ea9cb8b69c87b14eaa42

SHA512
202d128ebbea2bdd9a90a19b5b23c3392a56ab47d1495c9b8987d3847159afc17d75fa088f5fbf0241f42f51576cd0954febb53a4f6860a9a9e639449e401e2c

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe

Filesize
97KB

MD5
6f1b1f3cffff42fa01f655a5577d0d6f

SHA1
1c94d2e242b10d8b41251cd3339aaa0c24874d42

SHA256
a23f7324b352b4b7e307630364f4408d8376925cd8e50421b621de7abb193de0

SHA512
f3b313675f4c6fa94eea8e34750d3d96e5e78e1d4657c8a5df23f7bbf8f75836cb441fe1282d48d22a37e8b42edcc429953f62cfc7598ffc7fc174a8cd0ab3a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4FE5.tmp\egpphhxi.dll

Filesize
121KB

MD5
daeaf465e2583962efc14f694599be9a

SHA1
70d34e6c4a875b5d648409203732b4ae4cde17c9

SHA256
c381de850bddd84c5fb99c84d47a8d86d40146f8242d343db6579b7468d720bb

SHA512
8d349759236e77b402f30581bc044f474d34b889a522261065f8943fbd9f997b45494249f523021e28b3bc41409414f9f985347b76adfc58445bae4ca86a97a1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4FE5.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit