1036b0baab1339684e2be48ded2faa6185b33d5965d4d164dd5817bbdbf8ecc8

Analysis

max time kernel
118s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3208c7cea46deff6c23f33327518c273.exe
Size

577KB
MD5

3208c7cea46deff6c23f33327518c273
SHA1

26d0740d47aa07961a3d43081c5cd3910bb53784
SHA256

1036b0baab1339684e2be48ded2faa6185b33d5965d4d164dd5817bbdbf8ecc8
SHA512

ad38059e4f913931dc56a5847b20904824f62b2f0f443f47291ea3ea33915f817743d839353c6ff1a3e52da18a17453d147692aa52777d8c23a689c5927b8aab
SSDEEP

12288:PWxWH9mKEfIC1YJV+BqL0Mh7sdx7DcKSimRDYPJzoYTYdeAA:PWxWHn0/15qL0Csf/c3XWhzzc6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	ecccabfbcahb.exe

Loads dropped DLL 10 IoCs

pid	Process
2332	3208c7cea46deff6c23f33327518c273.exe
2332	3208c7cea46deff6c23f33327518c273.exe
2332	3208c7cea46deff6c23f33327518c273.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	2728	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2900	wmic.exe
Token: SeSecurityPrivilege	2900	wmic.exe
Token: SeTakeOwnershipPrivilege	2900	wmic.exe
Token: SeLoadDriverPrivilege	2900	wmic.exe
Token: SeSystemProfilePrivilege	2900	wmic.exe
Token: SeSystemtimePrivilege	2900	wmic.exe
Token: SeProfSingleProcessPrivilege	2900	wmic.exe
Token: SeIncBasePriorityPrivilege	2900	wmic.exe
Token: SeCreatePagefilePrivilege	2900	wmic.exe
Token: SeBackupPrivilege	2900	wmic.exe
Token: SeRestorePrivilege	2900	wmic.exe
Token: SeShutdownPrivilege	2900	wmic.exe
Token: SeDebugPrivilege	2900	wmic.exe
Token: SeSystemEnvironmentPrivilege	2900	wmic.exe
Token: SeRemoteShutdownPrivilege	2900	wmic.exe
Token: SeUndockPrivilege	2900	wmic.exe
Token: SeManageVolumePrivilege	2900	wmic.exe
Token: 33	2900	wmic.exe
Token: 34	2900	wmic.exe
Token: 35	2900	wmic.exe
Token: SeIncreaseQuotaPrivilege	2900	wmic.exe
Token: SeSecurityPrivilege	2900	wmic.exe
Token: SeTakeOwnershipPrivilege	2900	wmic.exe
Token: SeLoadDriverPrivilege	2900	wmic.exe
Token: SeSystemProfilePrivilege	2900	wmic.exe
Token: SeSystemtimePrivilege	2900	wmic.exe
Token: SeProfSingleProcessPrivilege	2900	wmic.exe
Token: SeIncBasePriorityPrivilege	2900	wmic.exe
Token: SeCreatePagefilePrivilege	2900	wmic.exe
Token: SeBackupPrivilege	2900	wmic.exe
Token: SeRestorePrivilege	2900	wmic.exe
Token: SeShutdownPrivilege	2900	wmic.exe
Token: SeDebugPrivilege	2900	wmic.exe
Token: SeSystemEnvironmentPrivilege	2900	wmic.exe
Token: SeRemoteShutdownPrivilege	2900	wmic.exe
Token: SeUndockPrivilege	2900	wmic.exe
Token: SeManageVolumePrivilege	2900	wmic.exe
Token: 33	2900	wmic.exe
Token: 34	2900	wmic.exe
Token: 35	2900	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2728	2332	3208c7cea46deff6c23f33327518c273.exe	28
PID 2332 wrote to memory of 2728	2332	3208c7cea46deff6c23f33327518c273.exe	28
PID 2332 wrote to memory of 2728	2332	3208c7cea46deff6c23f33327518c273.exe	28
PID 2332 wrote to memory of 2728	2332	3208c7cea46deff6c23f33327518c273.exe	28
PID 2728 wrote to memory of 2900	2728	ecccabfbcahb.exe	29
PID 2728 wrote to memory of 2900	2728	ecccabfbcahb.exe	29
PID 2728 wrote to memory of 2900	2728	ecccabfbcahb.exe	29
PID 2728 wrote to memory of 2900	2728	ecccabfbcahb.exe	29
PID 2728 wrote to memory of 2964	2728	ecccabfbcahb.exe	32
PID 2728 wrote to memory of 2964	2728	ecccabfbcahb.exe	32
PID 2728 wrote to memory of 2964	2728	ecccabfbcahb.exe	32
PID 2728 wrote to memory of 2964	2728	ecccabfbcahb.exe	32
PID 2728 wrote to memory of 2692	2728	ecccabfbcahb.exe	34
PID 2728 wrote to memory of 2692	2728	ecccabfbcahb.exe	34
PID 2728 wrote to memory of 2692	2728	ecccabfbcahb.exe	34
PID 2728 wrote to memory of 2692	2728	ecccabfbcahb.exe	34
PID 2728 wrote to memory of 2612	2728	ecccabfbcahb.exe	36
PID 2728 wrote to memory of 2612	2728	ecccabfbcahb.exe	36
PID 2728 wrote to memory of 2612	2728	ecccabfbcahb.exe	36
PID 2728 wrote to memory of 2612	2728	ecccabfbcahb.exe	36
PID 2728 wrote to memory of 1044	2728	ecccabfbcahb.exe	38
PID 2728 wrote to memory of 1044	2728	ecccabfbcahb.exe	38
PID 2728 wrote to memory of 1044	2728	ecccabfbcahb.exe	38
PID 2728 wrote to memory of 1044	2728	ecccabfbcahb.exe	38
PID 2728 wrote to memory of 2928	2728	ecccabfbcahb.exe	40
PID 2728 wrote to memory of 2928	2728	ecccabfbcahb.exe	40
PID 2728 wrote to memory of 2928	2728	ecccabfbcahb.exe	40
PID 2728 wrote to memory of 2928	2728	ecccabfbcahb.exe	40

C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe
"C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe
  C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe 3\5\7\8\3\5\7\4\4\8\3 LEtCPDosMi8yKx0sTk46TUQ9OSwYLEtATU9MTURFQDUuIi0paG9qXXFfbGteaF41T2BiaV1fYh0qPUFQT0JAOSo0NCwrGCw+QkA5KB0sS0tHQVA8UFtBQTotLzExLhkrTz1PU0BLV1JNRTlkbHFtNSgncG1vKkA9UEgoTUdNKDpMTCZGS0FIGCw+RUU/Q0ZBOBknQSw2KS0YLEEtNiUuGyhALzUqLhsoPDE4Ji0cJ0EyOCYpHSpJTks8UkBPWEhPRE89P1E6HSpJSkw/Tj9QV0JSRzo1HSpJTks8UkBPWEY+SD45HCdCVUBYTU9HNhwrPVVCWjxFQUdCSkE1HSxDSEtRWjtOS09QQk02LR0qTUQ9RkhWSk5XUk1FORwnU0o4KxgsP0wtORgsT1BHTEZIPltTPUlASkY9Rkg6Q0FNT0k4GSdGTlhOUUZRRkg+NXFtbmEcJ09CT05KS0RHQ1tNUEJNWDw+VEw5LhgsRUQ9PVU4KhwrQVBcP1JGPkhCP1s9S0BNUkhRQD05YllpcGAZJ0FKUEpIRz5BWkJIOi4vKjQqKy4sMCYuLjAcK0xGSkA2KTEtMjI0KDQvKxknQUpQSkhHPkFaTUFKQDYwKyovLC0pKTIlLjYvKjctKyM5ShsoUT01HSxQS0Q6Y21wbB0wXiArXiItX2NhbG8rYWJkYjNdYW9jcWxrJ1tsaB4uYkpya09iZWI/aHNqZGxeX0ZZa1xgYW5XYWJrZWd2ICtiLiovLy0rKi8tKy4uKi8iLV9cbHJnaGtZYWpcZ1lkYGshLl5kYm8uLiIuX2whK2EuNCwuMCArMmAdMGEtMC8uLR4uMmQiMF8rLjYvLCEuLmsiLl0pKGtra2BtYHFpWmViICxgTl1malxgXSItL2JlZGJrXGZdIi5dTmFhal5iXg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703601411.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
764KB

MD5
dc10880872e4dec85fd3cf85ea6f2970

SHA1
99184caa5fa16e07f354f135c6cac285d3ddc98c

SHA256
1829a771fe315e5dde7f8db0f93cefde9dda74a8116c40f1172a981b35d01cbe

SHA512
da885bfb16d8c1dfd648cfa6ffacc643a7eb45fa050ffba89d60d7c1d648ac88ad122a220a9ed93c84cec79bf5a3e7037903b83f352cdba9edb37d2d536841a0

Download Submit
\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
438KB

MD5
12826accf7616849a74a48aae08570c5

SHA1
5f2b904099ccf25c170b5c16da4c5bbc55ac9a0d

SHA256
69f766aff61a6cbad6c946995afff73f87f7b63187300a3e2a415d4b30c80540

SHA512
9303cf167493d7bff30a9048c9348ba52612ed449da3fc3cb4ca737fbae2a452c9f04002ad0fb6462a9b7f3217139fe251721c21b3021d7d38f46f674ad49693

Download Submit
\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
385KB

MD5
27ed8c61cccf7b17bd650721bae91a3f

SHA1
1865c35a842818ba04679ec57c1fd3c45b0d6b0c

SHA256
1075d450f8ac267c3371866ebc41672b4cc8e505edb136e96208c0bc345cc650

SHA512
182825427bd8b17d87a541c3229c63f69b6cbc2921667089320f5c98d648fb72c2d67901f664fd7cb53f90fd8482de2b49d716907531b81a1b87d352740659b8

Download Submit
\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
322KB

MD5
1305f8b8adc0c71589badab72bd9c63b

SHA1
7166803c09abfdd3764f5e4313f638a7459bb95d

SHA256
74c63689ab507cfed1fe1d78f9de7daf579e3fd207805450297ff56e71385e9d

SHA512
4f9001fbd329334ecafe525f141d0e805d794bfbf0939a05cdad8105e4482eb9ea7be5a96f5e889ccc746167563994877e558a209a75f5f63ad53feb536e05fb

Download Submit
\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
294KB

MD5
5d066b3bedac03e731cf41a7e70fa589

SHA1
8ff0660271b56462ba93838b48914e502ab1646b

SHA256
8f963f15128c5f93dd97c24cfdf7b63ea27721ceeb7c3dc85848eb742e5121dc

SHA512
05a4b9a4ce95687e8f55fbfde57ca6dbc1f1476652f8d97bb6cbb99361fb2b7b4eafe807fcbdaaffdb248318f053ff2e01044b149a6b4c3dc863de7dccab8ec7

Download Submit
\Users\Admin\AppData\Local\Temp\nst9158.tmp\jzymz.dll

Filesize
126KB

MD5
c526b978e30034662a151a5550fe542e

SHA1
108435d9158192e66883d0fd913a8e10062549d1

SHA256
ee08a1b206fa6e36e69b1bd37e5baf890bc5341141dd0cafc2a62e624f02a53a

SHA512
820b4db91b934cc1b7cf8f480b524a148b07f44fed77b617fed49097cf2b93e2c7c8deaf0d8de657da09da4a43de915987b920bf5f4f3b348ea139b807ad8b80

Download Submit
\Users\Admin\AppData\Local\Temp\nst9158.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit