319467c3f42e0362efa16cc87d4952d9c1455d6f3864a9b6cb215efcd2377a1f

Analysis

max time kernel
88s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f9518b683fdb3dadd0b22d2a30c64b.exe
Size

574KB
MD5

20f9518b683fdb3dadd0b22d2a30c64b
SHA1

58a135918c27b18f849df09963fa8731617a2a99
SHA256

319467c3f42e0362efa16cc87d4952d9c1455d6f3864a9b6cb215efcd2377a1f
SHA512

2c8f6329bb5ac2530c7ed993d1efb522aac5e6e602c60d2bba76e795c9802b464915c6912fc9b76c07f4c2318c23d301cd18238fb1b8a49fdbece78057508f48
SSDEEP

12288:4u0cjfyBYdfzRGE4OxueN1cJpWng7BSRZfjymE5s0Xd8F5oOqo:4u0cjqBYdfzRGEZNCDW8qhWs0XCF5o0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4252	bccjcabedebbg.exe

Loads dropped DLL 2 IoCs

pid	Process
4824	20f9518b683fdb3dadd0b22d2a30c64b.exe
4824	20f9518b683fdb3dadd0b22d2a30c64b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	4252	WerFault.exe	39

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4012	wmic.exe
Token: SeSecurityPrivilege	4012	wmic.exe
Token: SeTakeOwnershipPrivilege	4012	wmic.exe
Token: SeLoadDriverPrivilege	4012	wmic.exe
Token: SeSystemProfilePrivilege	4012	wmic.exe
Token: SeSystemtimePrivilege	4012	wmic.exe
Token: SeProfSingleProcessPrivilege	4012	wmic.exe
Token: SeIncBasePriorityPrivilege	4012	wmic.exe
Token: SeCreatePagefilePrivilege	4012	wmic.exe
Token: SeBackupPrivilege	4012	wmic.exe
Token: SeRestorePrivilege	4012	wmic.exe
Token: SeShutdownPrivilege	4012	wmic.exe
Token: SeDebugPrivilege	4012	wmic.exe
Token: SeSystemEnvironmentPrivilege	4012	wmic.exe
Token: SeRemoteShutdownPrivilege	4012	wmic.exe
Token: SeUndockPrivilege	4012	wmic.exe
Token: SeManageVolumePrivilege	4012	wmic.exe
Token: 33	4012	wmic.exe
Token: 34	4012	wmic.exe
Token: 35	4012	wmic.exe
Token: 36	4012	wmic.exe
Token: SeIncreaseQuotaPrivilege	4012	wmic.exe
Token: SeSecurityPrivilege	4012	wmic.exe
Token: SeTakeOwnershipPrivilege	4012	wmic.exe
Token: SeLoadDriverPrivilege	4012	wmic.exe
Token: SeSystemProfilePrivilege	4012	wmic.exe
Token: SeSystemtimePrivilege	4012	wmic.exe
Token: SeProfSingleProcessPrivilege	4012	wmic.exe
Token: SeIncBasePriorityPrivilege	4012	wmic.exe
Token: SeCreatePagefilePrivilege	4012	wmic.exe
Token: SeBackupPrivilege	4012	wmic.exe
Token: SeRestorePrivilege	4012	wmic.exe
Token: SeShutdownPrivilege	4012	wmic.exe
Token: SeDebugPrivilege	4012	wmic.exe
Token: SeSystemEnvironmentPrivilege	4012	wmic.exe
Token: SeRemoteShutdownPrivilege	4012	wmic.exe
Token: SeUndockPrivilege	4012	wmic.exe
Token: SeManageVolumePrivilege	4012	wmic.exe
Token: 33	4012	wmic.exe
Token: 34	4012	wmic.exe
Token: 35	4012	wmic.exe
Token: 36	4012	wmic.exe
Token: SeIncreaseQuotaPrivilege	4792	wmic.exe
Token: SeSecurityPrivilege	4792	wmic.exe
Token: SeTakeOwnershipPrivilege	4792	wmic.exe
Token: SeLoadDriverPrivilege	4792	wmic.exe
Token: SeSystemProfilePrivilege	4792	wmic.exe
Token: SeSystemtimePrivilege	4792	wmic.exe
Token: SeProfSingleProcessPrivilege	4792	wmic.exe
Token: SeIncBasePriorityPrivilege	4792	wmic.exe
Token: SeCreatePagefilePrivilege	4792	wmic.exe
Token: SeBackupPrivilege	4792	wmic.exe
Token: SeRestorePrivilege	4792	wmic.exe
Token: SeShutdownPrivilege	4792	wmic.exe
Token: SeDebugPrivilege	4792	wmic.exe
Token: SeSystemEnvironmentPrivilege	4792	wmic.exe
Token: SeRemoteShutdownPrivilege	4792	wmic.exe
Token: SeUndockPrivilege	4792	wmic.exe
Token: SeManageVolumePrivilege	4792	wmic.exe
Token: 33	4792	wmic.exe
Token: 34	4792	wmic.exe
Token: 35	4792	wmic.exe
Token: 36	4792	wmic.exe
Token: SeIncreaseQuotaPrivilege	4792	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4252	4824	20f9518b683fdb3dadd0b22d2a30c64b.exe	39
PID 4824 wrote to memory of 4252	4824	20f9518b683fdb3dadd0b22d2a30c64b.exe	39
PID 4824 wrote to memory of 4252	4824	20f9518b683fdb3dadd0b22d2a30c64b.exe	39
PID 4252 wrote to memory of 4012	4252	bccjcabedebbg.exe	40
PID 4252 wrote to memory of 4012	4252	bccjcabedebbg.exe	40
PID 4252 wrote to memory of 4012	4252	bccjcabedebbg.exe	40
PID 4252 wrote to memory of 4792	4252	bccjcabedebbg.exe	54
PID 4252 wrote to memory of 4792	4252	bccjcabedebbg.exe	54
PID 4252 wrote to memory of 4792	4252	bccjcabedebbg.exe	54
PID 4252 wrote to memory of 4424	4252	bccjcabedebbg.exe	50
PID 4252 wrote to memory of 4424	4252	bccjcabedebbg.exe	50
PID 4252 wrote to memory of 4424	4252	bccjcabedebbg.exe	50
PID 4252 wrote to memory of 3328	4252	bccjcabedebbg.exe	47
PID 4252 wrote to memory of 3328	4252	bccjcabedebbg.exe	47
PID 4252 wrote to memory of 3328	4252	bccjcabedebbg.exe	47
PID 4252 wrote to memory of 3252	4252	bccjcabedebbg.exe	49
PID 4252 wrote to memory of 3252	4252	bccjcabedebbg.exe	49
PID 4252 wrote to memory of 3252	4252	bccjcabedebbg.exe	49

C:\Users\Admin\AppData\Local\Temp\20f9518b683fdb3dadd0b22d2a30c64b.exe
"C:\Users\Admin\AppData\Local\Temp\20f9518b683fdb3dadd0b22d2a30c64b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe
  C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe 0-7-3-8-8-9-9-6-3-6-7 L0lGPDUnFylQTztQQkE1KBcmSEJOUE9LSEE8NCcaLD5CU01GPDUnFylAQz09KR0nSElGPlI9TV9CQTUoFyZNQkxPRUtcTUpDNGJxbmk6KCxrXWltKHFiXi1abWglW1huXihibl9sGCc6Q0NARUJENh0nPCg0Jy4aKEQrOiUpFyY+MDcmMRksPCw0JCsdKT01NiopGCZHTEw+TkNNXEhKQE07QFM2IChNSkc7TD1RWT5VRT41GCZHTEw+TkNNXEY5RDw3HSk+WD5cTUpDNBosP1FFWEBFPENASEI3GS9BTEtMVjlMTFFMRUs6KhgmS0I+SERZSFJXTUlDNx0pTUlGQjUpKygzNTIsNSwuGCdNRDcvGihETC41GCZJT0tOQk0+XE89QzpJSj9CTTpEPU1JQzcdKUJTWE9NRktAR0I3bXJuYhgnSTxOUkxHSUdEV01KPExcPjpZTDoqGCY/Q0E/UT0qHSdBSlY+Vkg6TUJAVz1FOkxWSk1FPTpeWWNqXx0pPU9QS0RHODtZUUNGRTYuKicpMCkvKio0IzUyKCwxLS4kSU0ZLDxHTkVGTDs9X0JNNS4tJSwxMyc4LCspMCc=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569509.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569509.txt bios get version
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569509.txt bios get version
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569509.txt bios get version
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 960
    3⤵
    - Program crash
    PID:3052
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703569509.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4252 -ip 4252
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703569509.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703569509.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703569509.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
64KB

MD5
0318e58c033613e5a0240dfbbfe6984e

SHA1
f409f6e8db0e9375cd53e55645a3ceb3e5dfb75c

SHA256
2f925854837a2106207d4d632733a6e4958788c1f2c5a9c007ae8a595813a217

SHA512
8f98f12cc2f7ac017c5406d7d31df3031bc400486c8f8aa3e7d0c2b06be266c95db304747fb1756d3354aa2b964398b24dce3daacb9e7cf18a016f65ce563abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bccjcabedebbg.exe

Filesize
114KB

MD5
3ea768e8218d01a850a3f7c362c05295

SHA1
6a221cb79f04aa83ff31a77a9a7b0a02fa277367

SHA256
ee12e29b06e2cd5d881c1f3637e412c65e071986d263b617108cbeb8a626ec42

SHA512
3598159285168797a4946147579c8fecfada5358988eaf1673005fd854e48ec9ae4a12d20b0f25b78b15d9ce46ee2eba97c8f12d275732375b80c1059e1fa354

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\zzp.dll

Filesize
108KB

MD5
2e352e4574545d13bbb4004f508c6f1e

SHA1
f90cadb5e3696167e183ba548abd4c8086566318

SHA256
3cee88da308c942dd2900192691779432f9326819fe7da08c9c555bf56a9fac0

SHA512
2cd3250bca3e4f998c7fcee4f17a3e1f01249ce4eab4b09373937551d0055ea1dfdad74149ab8281a1bf4b8195a492fb48eabbd04c63374a1561dcd910289da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\zzp.dll

Filesize
57KB

MD5
7b70606919bd184f25c32e5bd2328888

SHA1
51d2743886dce3e430dd2dec3918b1efc37a79d7

SHA256
8c3c92988f80c9178ba5489bc3e98536459bcc89b9d71fec4772ae554ef68e2a

SHA512
10b77f84e85f271a386f546f9f02afcc6436c6b1b3980150e7c7b47b18c1b384a99591d26d55a3582b9bfb2896998eb54bf9cae91d066c2a3e1ca5f17e57da2a

Download Submit