Analysis
-
max time kernel
118s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 17:46
Static task
static1
Behavioral task
behavioral1
Sample
3208c7cea46deff6c23f33327518c273.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3208c7cea46deff6c23f33327518c273.exe
Resource
win10v2004-20231222-en
General
-
Target
3208c7cea46deff6c23f33327518c273.exe
-
Size
577KB
-
MD5
3208c7cea46deff6c23f33327518c273
-
SHA1
26d0740d47aa07961a3d43081c5cd3910bb53784
-
SHA256
1036b0baab1339684e2be48ded2faa6185b33d5965d4d164dd5817bbdbf8ecc8
-
SHA512
ad38059e4f913931dc56a5847b20904824f62b2f0f443f47291ea3ea33915f817743d839353c6ff1a3e52da18a17453d147692aa52777d8c23a689c5927b8aab
-
SSDEEP
12288:PWxWH9mKEfIC1YJV+BqL0Mh7sdx7DcKSimRDYPJzoYTYdeAA:PWxWHn0/15qL0Csf/c3XWhzzc6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2728 ecccabfbcahb.exe -
Loads dropped DLL 10 IoCs
pid Process 2332 3208c7cea46deff6c23f33327518c273.exe 2332 3208c7cea46deff6c23f33327518c273.exe 2332 3208c7cea46deff6c23f33327518c273.exe 2928 WerFault.exe 2928 WerFault.exe 2928 WerFault.exe 2928 WerFault.exe 2928 WerFault.exe 2928 WerFault.exe 2928 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2928 2728 WerFault.exe 28 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2900 wmic.exe Token: SeSecurityPrivilege 2900 wmic.exe Token: SeTakeOwnershipPrivilege 2900 wmic.exe Token: SeLoadDriverPrivilege 2900 wmic.exe Token: SeSystemProfilePrivilege 2900 wmic.exe Token: SeSystemtimePrivilege 2900 wmic.exe Token: SeProfSingleProcessPrivilege 2900 wmic.exe Token: SeIncBasePriorityPrivilege 2900 wmic.exe Token: SeCreatePagefilePrivilege 2900 wmic.exe Token: SeBackupPrivilege 2900 wmic.exe Token: SeRestorePrivilege 2900 wmic.exe Token: SeShutdownPrivilege 2900 wmic.exe Token: SeDebugPrivilege 2900 wmic.exe Token: SeSystemEnvironmentPrivilege 2900 wmic.exe Token: SeRemoteShutdownPrivilege 2900 wmic.exe Token: SeUndockPrivilege 2900 wmic.exe Token: SeManageVolumePrivilege 2900 wmic.exe Token: 33 2900 wmic.exe Token: 34 2900 wmic.exe Token: 35 2900 wmic.exe Token: SeIncreaseQuotaPrivilege 2900 wmic.exe Token: SeSecurityPrivilege 2900 wmic.exe Token: SeTakeOwnershipPrivilege 2900 wmic.exe Token: SeLoadDriverPrivilege 2900 wmic.exe Token: SeSystemProfilePrivilege 2900 wmic.exe Token: SeSystemtimePrivilege 2900 wmic.exe Token: SeProfSingleProcessPrivilege 2900 wmic.exe Token: SeIncBasePriorityPrivilege 2900 wmic.exe Token: SeCreatePagefilePrivilege 2900 wmic.exe Token: SeBackupPrivilege 2900 wmic.exe Token: SeRestorePrivilege 2900 wmic.exe Token: SeShutdownPrivilege 2900 wmic.exe Token: SeDebugPrivilege 2900 wmic.exe Token: SeSystemEnvironmentPrivilege 2900 wmic.exe Token: SeRemoteShutdownPrivilege 2900 wmic.exe Token: SeUndockPrivilege 2900 wmic.exe Token: SeManageVolumePrivilege 2900 wmic.exe Token: 33 2900 wmic.exe Token: 34 2900 wmic.exe Token: 35 2900 wmic.exe Token: SeIncreaseQuotaPrivilege 2964 wmic.exe Token: SeSecurityPrivilege 2964 wmic.exe Token: SeTakeOwnershipPrivilege 2964 wmic.exe Token: SeLoadDriverPrivilege 2964 wmic.exe Token: SeSystemProfilePrivilege 2964 wmic.exe Token: SeSystemtimePrivilege 2964 wmic.exe Token: SeProfSingleProcessPrivilege 2964 wmic.exe Token: SeIncBasePriorityPrivilege 2964 wmic.exe Token: SeCreatePagefilePrivilege 2964 wmic.exe Token: SeBackupPrivilege 2964 wmic.exe Token: SeRestorePrivilege 2964 wmic.exe Token: SeShutdownPrivilege 2964 wmic.exe Token: SeDebugPrivilege 2964 wmic.exe Token: SeSystemEnvironmentPrivilege 2964 wmic.exe Token: SeRemoteShutdownPrivilege 2964 wmic.exe Token: SeUndockPrivilege 2964 wmic.exe Token: SeManageVolumePrivilege 2964 wmic.exe Token: 33 2964 wmic.exe Token: 34 2964 wmic.exe Token: 35 2964 wmic.exe Token: SeIncreaseQuotaPrivilege 2692 wmic.exe Token: SeSecurityPrivilege 2692 wmic.exe Token: SeTakeOwnershipPrivilege 2692 wmic.exe Token: SeLoadDriverPrivilege 2692 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2728 2332 3208c7cea46deff6c23f33327518c273.exe 28 PID 2332 wrote to memory of 2728 2332 3208c7cea46deff6c23f33327518c273.exe 28 PID 2332 wrote to memory of 2728 2332 3208c7cea46deff6c23f33327518c273.exe 28 PID 2332 wrote to memory of 2728 2332 3208c7cea46deff6c23f33327518c273.exe 28 PID 2728 wrote to memory of 2900 2728 ecccabfbcahb.exe 29 PID 2728 wrote to memory of 2900 2728 ecccabfbcahb.exe 29 PID 2728 wrote to memory of 2900 2728 ecccabfbcahb.exe 29 PID 2728 wrote to memory of 2900 2728 ecccabfbcahb.exe 29 PID 2728 wrote to memory of 2964 2728 ecccabfbcahb.exe 32 PID 2728 wrote to memory of 2964 2728 ecccabfbcahb.exe 32 PID 2728 wrote to memory of 2964 2728 ecccabfbcahb.exe 32 PID 2728 wrote to memory of 2964 2728 ecccabfbcahb.exe 32 PID 2728 wrote to memory of 2692 2728 ecccabfbcahb.exe 34 PID 2728 wrote to memory of 2692 2728 ecccabfbcahb.exe 34 PID 2728 wrote to memory of 2692 2728 ecccabfbcahb.exe 34 PID 2728 wrote to memory of 2692 2728 ecccabfbcahb.exe 34 PID 2728 wrote to memory of 2612 2728 ecccabfbcahb.exe 36 PID 2728 wrote to memory of 2612 2728 ecccabfbcahb.exe 36 PID 2728 wrote to memory of 2612 2728 ecccabfbcahb.exe 36 PID 2728 wrote to memory of 2612 2728 ecccabfbcahb.exe 36 PID 2728 wrote to memory of 1044 2728 ecccabfbcahb.exe 38 PID 2728 wrote to memory of 1044 2728 ecccabfbcahb.exe 38 PID 2728 wrote to memory of 1044 2728 ecccabfbcahb.exe 38 PID 2728 wrote to memory of 1044 2728 ecccabfbcahb.exe 38 PID 2728 wrote to memory of 2928 2728 ecccabfbcahb.exe 40 PID 2728 wrote to memory of 2928 2728 ecccabfbcahb.exe 40 PID 2728 wrote to memory of 2928 2728 ecccabfbcahb.exe 40 PID 2728 wrote to memory of 2928 2728 ecccabfbcahb.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe"C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exeC:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe 3\5\7\8\3\5\7\4\4\8\3 LEtCPDosMi8yKx0sTk46TUQ9OSwYLEtATU9MTURFQDUuIi0paG9qXXFfbGteaF41T2BiaV1fYh0qPUFQT0JAOSo0NCwrGCw+QkA5KB0sS0tHQVA8UFtBQTotLzExLhkrTz1PU0BLV1JNRTlkbHFtNSgncG1vKkA9UEgoTUdNKDpMTCZGS0FIGCw+RUU/Q0ZBOBknQSw2KS0YLEEtNiUuGyhALzUqLhsoPDE4Ji0cJ0EyOCYpHSpJTks8UkBPWEhPRE89P1E6HSpJSkw/Tj9QV0JSRzo1HSpJTks8UkBPWEY+SD45HCdCVUBYTU9HNhwrPVVCWjxFQUdCSkE1HSxDSEtRWjtOS09QQk02LR0qTUQ9RkhWSk5XUk1FORwnU0o4KxgsP0wtORgsT1BHTEZIPltTPUlASkY9Rkg6Q0FNT0k4GSdGTlhOUUZRRkg+NXFtbmEcJ09CT05KS0RHQ1tNUEJNWDw+VEw5LhgsRUQ9PVU4KhwrQVBcP1JGPkhCP1s9S0BNUkhRQD05YllpcGAZJ0FKUEpIRz5BWkJIOi4vKjQqKy4sMCYuLjAcK0xGSkA2KTEtMjI0KDQvKxknQUpQSkhHPkFaTUFKQDYwKyovLC0pKTIlLjYvKjctKyM5ShsoUT01HSxQS0Q6Y21wbB0wXiArXiItX2NhbG8rYWJkYjNdYW9jcWxrJ1tsaB4uYkpya09iZWI/aHNqZGxeX0ZZa1xgYW5XYWJrZWd2ICtiLiovLy0rKi8tKy4uKi8iLV9cbHJnaGtZYWpcZ1lkYGshLl5kYm8uLiIuX2whK2EuNCwuMCArMmAdMGEtMC8uLR4uMmQiMF8rLjYvLCEuLmsiLl0pKGtra2BtYHFpWmViICxgTl1malxgXSItL2JlZGJrXGZdIi5dTmFhal5iXg==2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version3⤵PID:2612
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version3⤵PID:1044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 3723⤵
- Loads dropped DLL
- Program crash
PID:2928
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
764KB
MD5dc10880872e4dec85fd3cf85ea6f2970
SHA199184caa5fa16e07f354f135c6cac285d3ddc98c
SHA2561829a771fe315e5dde7f8db0f93cefde9dda74a8116c40f1172a981b35d01cbe
SHA512da885bfb16d8c1dfd648cfa6ffacc643a7eb45fa050ffba89d60d7c1d648ac88ad122a220a9ed93c84cec79bf5a3e7037903b83f352cdba9edb37d2d536841a0
-
Filesize
438KB
MD512826accf7616849a74a48aae08570c5
SHA15f2b904099ccf25c170b5c16da4c5bbc55ac9a0d
SHA25669f766aff61a6cbad6c946995afff73f87f7b63187300a3e2a415d4b30c80540
SHA5129303cf167493d7bff30a9048c9348ba52612ed449da3fc3cb4ca737fbae2a452c9f04002ad0fb6462a9b7f3217139fe251721c21b3021d7d38f46f674ad49693
-
Filesize
385KB
MD527ed8c61cccf7b17bd650721bae91a3f
SHA11865c35a842818ba04679ec57c1fd3c45b0d6b0c
SHA2561075d450f8ac267c3371866ebc41672b4cc8e505edb136e96208c0bc345cc650
SHA512182825427bd8b17d87a541c3229c63f69b6cbc2921667089320f5c98d648fb72c2d67901f664fd7cb53f90fd8482de2b49d716907531b81a1b87d352740659b8
-
Filesize
322KB
MD51305f8b8adc0c71589badab72bd9c63b
SHA17166803c09abfdd3764f5e4313f638a7459bb95d
SHA25674c63689ab507cfed1fe1d78f9de7daf579e3fd207805450297ff56e71385e9d
SHA5124f9001fbd329334ecafe525f141d0e805d794bfbf0939a05cdad8105e4482eb9ea7be5a96f5e889ccc746167563994877e558a209a75f5f63ad53feb536e05fb
-
Filesize
294KB
MD55d066b3bedac03e731cf41a7e70fa589
SHA18ff0660271b56462ba93838b48914e502ab1646b
SHA2568f963f15128c5f93dd97c24cfdf7b63ea27721ceeb7c3dc85848eb742e5121dc
SHA51205a4b9a4ce95687e8f55fbfde57ca6dbc1f1476652f8d97bb6cbb99361fb2b7b4eafe807fcbdaaffdb248318f053ff2e01044b149a6b4c3dc863de7dccab8ec7
-
Filesize
126KB
MD5c526b978e30034662a151a5550fe542e
SHA1108435d9158192e66883d0fd913a8e10062549d1
SHA256ee08a1b206fa6e36e69b1bd37e5baf890bc5341141dd0cafc2a62e624f02a53a
SHA512820b4db91b934cc1b7cf8f480b524a148b07f44fed77b617fed49097cf2b93e2c7c8deaf0d8de657da09da4a43de915987b920bf5f4f3b348ea139b807ad8b80
-
Filesize
40KB
MD55f13dbc378792f23e598079fc1e4422b
SHA15813c05802f15930aa860b8363af2b58426c8adf
SHA2566e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA5129270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5