2bb644c87bb8d69abe57a2354ccf525e58bb05e88cb821c95eefdd7a334b354f

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2044089d4fdac49d2e3a70a8281ab089.exe
Size

558KB
MD5

2044089d4fdac49d2e3a70a8281ab089
SHA1

ca1e60d632e13cd3ac5a66f9f4ee5dd7331d16a4
SHA256

2bb644c87bb8d69abe57a2354ccf525e58bb05e88cb821c95eefdd7a334b354f
SHA512

f3ef0b64784a30ce18b9dce2483719a3495048be535653d9ea42e5830899cdb3bae56ca5ff74859d55f575aea2f82eadc4dc0ca9feda631b78ae5596d84a1afb
SSDEEP

12288:OzFlIyk87PxAFXQuNY+C2NoQCKK4b0JKxXBJ9wbEszoyTuk:OzFl7kSJuNDGRJcR/wdb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	dcjcabfhdbhi.exe

Loads dropped DLL 10 IoCs

pid	Process
2908	2044089d4fdac49d2e3a70a8281ab089.exe
2908	2044089d4fdac49d2e3a70a8281ab089.exe
2908	2044089d4fdac49d2e3a70a8281ab089.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2164	3056	WerFault.exe	19

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe
Token: SeSystemProfilePrivilege	2412	wmic.exe
Token: SeSystemtimePrivilege	2412	wmic.exe
Token: SeProfSingleProcessPrivilege	2412	wmic.exe
Token: SeIncBasePriorityPrivilege	2412	wmic.exe
Token: SeCreatePagefilePrivilege	2412	wmic.exe
Token: SeBackupPrivilege	2412	wmic.exe
Token: SeRestorePrivilege	2412	wmic.exe
Token: SeShutdownPrivilege	2412	wmic.exe
Token: SeDebugPrivilege	2412	wmic.exe
Token: SeSystemEnvironmentPrivilege	2412	wmic.exe
Token: SeRemoteShutdownPrivilege	2412	wmic.exe
Token: SeUndockPrivilege	2412	wmic.exe
Token: SeManageVolumePrivilege	2412	wmic.exe
Token: 33	2412	wmic.exe
Token: 34	2412	wmic.exe
Token: 35	2412	wmic.exe
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe
Token: SeSystemProfilePrivilege	2412	wmic.exe
Token: SeSystemtimePrivilege	2412	wmic.exe
Token: SeProfSingleProcessPrivilege	2412	wmic.exe
Token: SeIncBasePriorityPrivilege	2412	wmic.exe
Token: SeCreatePagefilePrivilege	2412	wmic.exe
Token: SeBackupPrivilege	2412	wmic.exe
Token: SeRestorePrivilege	2412	wmic.exe
Token: SeShutdownPrivilege	2412	wmic.exe
Token: SeDebugPrivilege	2412	wmic.exe
Token: SeSystemEnvironmentPrivilege	2412	wmic.exe
Token: SeRemoteShutdownPrivilege	2412	wmic.exe
Token: SeUndockPrivilege	2412	wmic.exe
Token: SeManageVolumePrivilege	2412	wmic.exe
Token: 33	2412	wmic.exe
Token: 34	2412	wmic.exe
Token: 35	2412	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3056	2908	2044089d4fdac49d2e3a70a8281ab089.exe	19
PID 2908 wrote to memory of 3056	2908	2044089d4fdac49d2e3a70a8281ab089.exe	19
PID 2908 wrote to memory of 3056	2908	2044089d4fdac49d2e3a70a8281ab089.exe	19
PID 2908 wrote to memory of 3056	2908	2044089d4fdac49d2e3a70a8281ab089.exe	19
PID 3056 wrote to memory of 2412	3056	dcjcabfhdbhi.exe	18
PID 3056 wrote to memory of 2412	3056	dcjcabfhdbhi.exe	18
PID 3056 wrote to memory of 2412	3056	dcjcabfhdbhi.exe	18
PID 3056 wrote to memory of 2412	3056	dcjcabfhdbhi.exe	18
PID 3056 wrote to memory of 2616	3056	dcjcabfhdbhi.exe	28
PID 3056 wrote to memory of 2616	3056	dcjcabfhdbhi.exe	28
PID 3056 wrote to memory of 2616	3056	dcjcabfhdbhi.exe	28
PID 3056 wrote to memory of 2616	3056	dcjcabfhdbhi.exe	28
PID 3056 wrote to memory of 2776	3056	dcjcabfhdbhi.exe	27
PID 3056 wrote to memory of 2776	3056	dcjcabfhdbhi.exe	27
PID 3056 wrote to memory of 2776	3056	dcjcabfhdbhi.exe	27
PID 3056 wrote to memory of 2776	3056	dcjcabfhdbhi.exe	27
PID 3056 wrote to memory of 1168	3056	dcjcabfhdbhi.exe	25
PID 3056 wrote to memory of 1168	3056	dcjcabfhdbhi.exe	25
PID 3056 wrote to memory of 1168	3056	dcjcabfhdbhi.exe	25
PID 3056 wrote to memory of 1168	3056	dcjcabfhdbhi.exe	25
PID 3056 wrote to memory of 2752	3056	dcjcabfhdbhi.exe	23
PID 3056 wrote to memory of 2752	3056	dcjcabfhdbhi.exe	23
PID 3056 wrote to memory of 2752	3056	dcjcabfhdbhi.exe	23
PID 3056 wrote to memory of 2752	3056	dcjcabfhdbhi.exe	23
PID 3056 wrote to memory of 2164	3056	dcjcabfhdbhi.exe	40
PID 3056 wrote to memory of 2164	3056	dcjcabfhdbhi.exe	40
PID 3056 wrote to memory of 2164	3056	dcjcabfhdbhi.exe	40
PID 3056 wrote to memory of 2164	3056	dcjcabfhdbhi.exe	40

C:\Users\Admin\AppData\Local\Temp\2044089d4fdac49d2e3a70a8281ab089.exe
"C:\Users\Admin\AppData\Local\Temp\2044089d4fdac49d2e3a70a8281ab089.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\dcjcabfhdbhi.exe
  C:\Users\Admin\AppData\Local\Temp\dcjcabfhdbhi.exe 2-0-5-4-8-6-9-0-5-1-7 LVBEQDUrLDU0MhktU1A+SEM7PSsfKExFT1NHTEJJPzwqHi8/RUtOQEQ4MSoxNC4cJz1ARDgvGS1QTUs8TzpUWkg9OzIrMCsrFy9OREtURU1bTUxDPWNzbW46KitrbG0uP0RMSS1PS0gnOFBLLUJMRkocJz1DST5KQkI9Gys8KzQtLB8oQjI4KSkaJkQuPCYvICpALDckMRsuPTM9KC0YKUdSSkNOQVRaTEpDTUE+WDYeL0tORz5MQ09ePlNMPDkYKUdSSkNOQVRaSjlHPD1CbmhlbGAhKio8YW1zYR4vQFQ9WUxSRzxhcnRrNicpbndyLV1td2lxZGlYZCliaGsvYmtnYWNlKGRacHRjK19pZmdnZG5uZFxwXW1cdHBvJ2N4YBwnP09FWkJGQkxESj03Fy9DTkxSXz1OR1FKRU08Kx4vT0Q5SEJZSlRYU1JHORgpTU04MRktRE4tNRomUlBNTUdNQFtPP0NDSkw+R008Qz1PSUw4HyhHU1pOTUhLSUhENnJycGEYKUlFT1RLTElJQ1dPSkVNXj0/WU45KhomSERDPlY9LBwnQ0pfP1hHP01EP1c/RUNNWElSRT85Xltjc2AfKEJPUkpESThEWkhJOzIrNCYrKDQpMC4zLjAcJ05ATUA8KjIyMjIrKigzMR8oQk9SSkRJOERaU0JLRTgvJywwLy0vKjMqLC0yLyw6LjUjP00=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703568198.txt bios get version
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703568198.txt bios get version
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703568198.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703568198.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2164

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703568198.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703568198.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso649.tmp\rqpxh.dll

Filesize
120KB

MD5
e74f9f8aac15853fff22c4b02f2cdc64

SHA1
a2ba834837d69b262e1b263d3bf99ee624019bd2

SHA256
c0f32c08a72e476dd9e6179fec70f168e585c0fd28d552e825cc3b3c5c1cc458

SHA512
3d91dec2336c07a922a6d7a87261e5bdff32118faabb4dc7d780551fe42db4649fc8279cadaadf59e23293c28fa5b425b4d9cd53e255b86f104bd53ef6f7f15e

Download Submit
\Users\Admin\AppData\Local\Temp\dcjcabfhdbhi.exe

Filesize
92KB

MD5
44f0bc61853805a9a5b9b70b36945d02

SHA1
1366e1e307b45f76e3f5c2b191a7a88f70879d09

SHA256
1fd730b90a121d6a8c5d43a746fafe1eb20b5b11b0b08c42ce754d7205ce2ef5

SHA512
981773578ee6f11a6768cf490bbf5dd30dd8e332567111d2867faac846261beec773c15fb43db9ec3223f415bf91d27479b4afb4ca81733e94b17d6d8c5a0f3c

Download Submit