319467c3f42e0362efa16cc87d4952d9c1455d6f3864a9b6cb215efcd2377a1f

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f9518b683fdb3dadd0b22d2a30c64b.exe
Size

574KB
MD5

20f9518b683fdb3dadd0b22d2a30c64b
SHA1

58a135918c27b18f849df09963fa8731617a2a99
SHA256

319467c3f42e0362efa16cc87d4952d9c1455d6f3864a9b6cb215efcd2377a1f
SHA512

2c8f6329bb5ac2530c7ed993d1efb522aac5e6e602c60d2bba76e795c9802b464915c6912fc9b76c07f4c2318c23d301cd18238fb1b8a49fdbece78057508f48
SSDEEP

12288:4u0cjfyBYdfzRGE4OxueN1cJpWng7BSRZfjymE5s0Xd8F5oOqo:4u0cjqBYdfzRGEZNCDW8qhWs0XCF5o0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2188	bccjcabedebbg.exe

Loads dropped DLL 10 IoCs

pid	Process
2232	20f9518b683fdb3dadd0b22d2a30c64b.exe
2232	20f9518b683fdb3dadd0b22d2a30c64b.exe
2232	20f9518b683fdb3dadd0b22d2a30c64b.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	2188	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2168	wmic.exe
Token: SeSecurityPrivilege	2168	wmic.exe
Token: SeTakeOwnershipPrivilege	2168	wmic.exe
Token: SeLoadDriverPrivilege	2168	wmic.exe
Token: SeSystemProfilePrivilege	2168	wmic.exe
Token: SeSystemtimePrivilege	2168	wmic.exe
Token: SeProfSingleProcessPrivilege	2168	wmic.exe
Token: SeIncBasePriorityPrivilege	2168	wmic.exe
Token: SeCreatePagefilePrivilege	2168	wmic.exe
Token: SeBackupPrivilege	2168	wmic.exe
Token: SeRestorePrivilege	2168	wmic.exe
Token: SeShutdownPrivilege	2168	wmic.exe
Token: SeDebugPrivilege	2168	wmic.exe
Token: SeSystemEnvironmentPrivilege	2168	wmic.exe
Token: SeRemoteShutdownPrivilege	2168	wmic.exe
Token: SeUndockPrivilege	2168	wmic.exe
Token: SeManageVolumePrivilege	2168	wmic.exe
Token: 33	2168	wmic.exe
Token: 34	2168	wmic.exe
Token: 35	2168	wmic.exe
Token: SeIncreaseQuotaPrivilege	2168	wmic.exe
Token: SeSecurityPrivilege	2168	wmic.exe
Token: SeTakeOwnershipPrivilege	2168	wmic.exe
Token: SeLoadDriverPrivilege	2168	wmic.exe
Token: SeSystemProfilePrivilege	2168	wmic.exe
Token: SeSystemtimePrivilege	2168	wmic.exe
Token: SeProfSingleProcessPrivilege	2168	wmic.exe
Token: SeIncBasePriorityPrivilege	2168	wmic.exe
Token: SeCreatePagefilePrivilege	2168	wmic.exe
Token: SeBackupPrivilege	2168	wmic.exe
Token: SeRestorePrivilege	2168	wmic.exe
Token: SeShutdownPrivilege	2168	wmic.exe
Token: SeDebugPrivilege	2168	wmic.exe
Token: SeSystemEnvironmentPrivilege	2168	wmic.exe
Token: SeRemoteShutdownPrivilege	2168	wmic.exe
Token: SeUndockPrivilege	2168	wmic.exe
Token: SeManageVolumePrivilege	2168	wmic.exe
Token: 33	2168	wmic.exe
Token: 34	2168	wmic.exe
Token: 35	2168	wmic.exe
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe
Token: SeSystemProfilePrivilege	2864	wmic.exe
Token: SeSystemtimePrivilege	2864	wmic.exe
Token: SeProfSingleProcessPrivilege	2864	wmic.exe
Token: SeIncBasePriorityPrivilege	2864	wmic.exe
Token: SeCreatePagefilePrivilege	2864	wmic.exe
Token: SeBackupPrivilege	2864	wmic.exe
Token: SeRestorePrivilege	2864	wmic.exe
Token: SeShutdownPrivilege	2864	wmic.exe
Token: SeDebugPrivilege	2864	wmic.exe
Token: SeSystemEnvironmentPrivilege	2864	wmic.exe
Token: SeRemoteShutdownPrivilege	2864	wmic.exe
Token: SeUndockPrivilege	2864	wmic.exe
Token: SeManageVolumePrivilege	2864	wmic.exe
Token: 33	2864	wmic.exe
Token: 34	2864	wmic.exe
Token: 35	2864	wmic.exe
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2188	2232	20f9518b683fdb3dadd0b22d2a30c64b.exe	30
PID 2232 wrote to memory of 2188	2232	20f9518b683fdb3dadd0b22d2a30c64b.exe	30
PID 2232 wrote to memory of 2188	2232	20f9518b683fdb3dadd0b22d2a30c64b.exe	30
PID 2232 wrote to memory of 2188	2232	20f9518b683fdb3dadd0b22d2a30c64b.exe	30
PID 2188 wrote to memory of 2168	2188	bccjcabedebbg.exe	28
PID 2188 wrote to memory of 2168	2188	bccjcabedebbg.exe	28
PID 2188 wrote to memory of 2168	2188	bccjcabedebbg.exe	28
PID 2188 wrote to memory of 2168	2188	bccjcabedebbg.exe	28
PID 2188 wrote to memory of 2864	2188	bccjcabedebbg.exe	32
PID 2188 wrote to memory of 2864	2188	bccjcabedebbg.exe	32
PID 2188 wrote to memory of 2864	2188	bccjcabedebbg.exe	32
PID 2188 wrote to memory of 2864	2188	bccjcabedebbg.exe	32
PID 2188 wrote to memory of 2772	2188	bccjcabedebbg.exe	34
PID 2188 wrote to memory of 2772	2188	bccjcabedebbg.exe	34
PID 2188 wrote to memory of 2772	2188	bccjcabedebbg.exe	34
PID 2188 wrote to memory of 2772	2188	bccjcabedebbg.exe	34
PID 2188 wrote to memory of 2616	2188	bccjcabedebbg.exe	40
PID 2188 wrote to memory of 2616	2188	bccjcabedebbg.exe	40
PID 2188 wrote to memory of 2616	2188	bccjcabedebbg.exe	40
PID 2188 wrote to memory of 2616	2188	bccjcabedebbg.exe	40
PID 2188 wrote to memory of 2716	2188	bccjcabedebbg.exe	38
PID 2188 wrote to memory of 2716	2188	bccjcabedebbg.exe	38
PID 2188 wrote to memory of 2716	2188	bccjcabedebbg.exe	38
PID 2188 wrote to memory of 2716	2188	bccjcabedebbg.exe	38
PID 2188 wrote to memory of 2612	2188	bccjcabedebbg.exe	39
PID 2188 wrote to memory of 2612	2188	bccjcabedebbg.exe	39
PID 2188 wrote to memory of 2612	2188	bccjcabedebbg.exe	39
PID 2188 wrote to memory of 2612	2188	bccjcabedebbg.exe	39

C:\Users\Admin\AppData\Local\Temp\20f9518b683fdb3dadd0b22d2a30c64b.exe
"C:\Users\Admin\AppData\Local\Temp\20f9518b683fdb3dadd0b22d2a30c64b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe
  C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe 0-7-3-8-8-9-9-6-3-6-7 L0lGPDUnFylQTztQQkE1KBcmSEJOUE9LSEE8NCcaLD5CU01GPDUnFylAQz09KR0nSElGPlI9TV9CQTUoFyZNQkxPRUtcTUpDNGJxbmk6KCxrXWltKHFiXi1abWglW1huXihibl9sGCc6Q0NARUJENh0nPCg0Jy4aKEQrOiUpFyY+MDcmMRksPCw0JCsdKT01NiopGCZHTEw+TkNNXEhKQE07QFM2IChNSkc7TD1RWT5VRT41GCZHTEw+TkNNXEY5RDw3HSk+WD5cTUpDNBosP1FFWEBFPENASEI3GS9BTEtMVjlMTFFMRUs6KhgmS0I+SERZSFJXTUlDNx0pTUlGQjUpKygzNTIsNSwuGCdNRDcvGihETC41GCZJT0tOQk0+XE89QzpJSj9CTTpEPU1JQzcdKUJTWE9NRktAR0I3bXJuYhgnSTxOUkxHSUdEV01KPExcPjpZTDoqGCY/Q0E/UT0qHSdBSlY+Vkg6TUJAVz1FOkxWSk1FPTpeWWNqXx0pPU9QS0RHODtZUUNGRTYuKicpMCkvKio0IzUyKCwxLS4kSU0ZLDxHTkVGTDs9X0JNNS4tJSwxMyc4LCspMCc=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569535.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569535.txt bios get version
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569535.txt bios get version
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569535.txt bios get version
    3⤵
    PID:2616

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569535.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703569535.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703569535.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703569535.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
85KB

MD5
3cb7b13b5d49da1dddd537a77cf26eba

SHA1
b6ec8287d09a78b69d33e9a9081142689d4ba516

SHA256
e0d564d47a1d5bf92e3e59bae00fb1310e92e27583475752e6781bf133b2e44a

SHA512
4f2260c896b8572732346270748ca0bdd543c484d650d75a004dac9d1f7c73e7c56e84b3e382d544d7540a5683820469fef558f95834fb2299d64abf89767176

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst45C8.tmp\zzp.dll

Filesize
108KB

MD5
2e352e4574545d13bbb4004f508c6f1e

SHA1
f90cadb5e3696167e183ba548abd4c8086566318

SHA256
3cee88da308c942dd2900192691779432f9326819fe7da08c9c555bf56a9fac0

SHA512
2cd3250bca3e4f998c7fcee4f17a3e1f01249ce4eab4b09373937551d0055ea1dfdad74149ab8281a1bf4b8195a492fb48eabbd04c63374a1561dcd910289da6

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
216KB

MD5
8db5ca232d513fa1e188c69a136632c6

SHA1
86c3d9d582bc512419671399e5bd611eb18b691f

SHA256
6a040c8156349f4ef731ac6e1c937a3859c9c0f6f8409fd3cf8f138e7b8e3ef4

SHA512
4c4666c12b982a377ade468a9a34654879c57e6802753276ea31f62191eb4f7c4b11de5aae166b7a3b1ebd6920635984e46b08ac8c4b30b8a94ce85b9d45b946

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
61KB

MD5
a2e8cfd7f5b0691ff4a1d6554448a353

SHA1
a73cb5d3c33e5ed00472ab6b06ebf5da71fc82d7

SHA256
388dd20f3d726d32246780646c1e6f948e1e68a4357193ca71d07a6a8d65147a

SHA512
cbbf869cc54179f14a5458fc4fd66d060cf10356fc5795dcf41603fecc6ba06f9d4e9071264bd4c229e4065651afaf26a062c09c61364a0ffa85f8f897cc2f2e

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
56KB

MD5
7ca163656ba1a11a18553d4d7afbc37c

SHA1
f1473ad60e1e1cbf8a71b6a26d2bb4e4cea84d03

SHA256
5b1c47d08b853680db726971983017529ba83b080c6d18c6514747c3edb383f4

SHA512
effdf671a44e7681c661fd6a592dcd85158c6713d38f31024004e83f2cc6e59a1ebc69ed0f73dabc145fed515ad841a5a140a7f0a8c8d2bd7641ca818b698115

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
45KB

MD5
dda664acc2ab437febbd87faa705be7f

SHA1
9016feebb4061fc88c064171071f3721d656d2e9

SHA256
027f3b601ed69a368a862d6b2e9f20832212921e7a90b7ed5b4f7b9cd14a7cdb

SHA512
5e2d43fa8be4d0183509c8b8a90ef6d786559dba5c0e701e50932d72d8dcadf5f8a028fb6b7b6f915f7bea4ed7c89ff162899a04613e0cd5af16d10959efcef8

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
79KB

MD5
5a7fd9604d7e58bb90318a9dfa946982

SHA1
a5c7ee9ba74fa54806e0c007aa8d1a60b9143d67

SHA256
a438639f4028e13e3f0320db8c6a50314373e1d95b8d714fdc9e5feb63ee2337

SHA512
c40ad63c0e212698aeab5b2ea49271e3f6215d3604bc0e9a457b35ee42488dd69b8c6daff0c8721bea3c7818aa7a452708355dd6d0f65313f055d32f5c954861

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
71KB

MD5
9e51dd6b6ab70507f8b8b6bb7c595a58

SHA1
92e68a040c884ca4de19a7e208de2a38c6b15024

SHA256
a015201ac5c771a4d40cce1772e90520397736b6a8b4ff93dc12f9f095e7bb3d

SHA512
736353cfcf529a5eff57c66a8da86c53779a101f3ef20023b702376b78eb5da1caa4209986c9be049de8ae4d34d4e2c93378835971499d01043c48e5c298cb0e

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
1KB

MD5
cbdb4c01eb793af33273ad64e02bf817

SHA1
04078d97c8230bcfddde76a2b6470f588fe1bfee

SHA256
64d9d6df960b5effad6fa898632a5f37bd06563e417152f97a920c1964e6f060

SHA512
ca0b59555a11ae12911653b951d304eb02c57abb5a8e4e8d769d1cc5927dc723a484f55f977ec5e0c72755cdfc19b500400127416820e4f60fbca02e76cb8c9a

Download Submit
\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
39KB

MD5
661c1c29307b43fad08735e29038894e

SHA1
a955ecaab2dd6c893da2b2f9cdc2d82caf7180c4

SHA256
ff08f6599ce8b70c05e0881b4c13266f9bafcd4863fced6067f581a644a4ae0b

SHA512
572b4177225ec473ba43ab55bb4f698c4a152c9bd4a66cbdc836219095a365def78df37a523d810b0b4155ce9eded63002842c8b9abba702f63b5762cc6f6d4c

Download Submit
\Users\Admin\AppData\Local\Temp\nst45C8.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit