Analysis

  • max time kernel
    118s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 17:46

General

  • Target

    3208c7cea46deff6c23f33327518c273.exe

  • Size

    577KB

  • MD5

    3208c7cea46deff6c23f33327518c273

  • SHA1

    26d0740d47aa07961a3d43081c5cd3910bb53784

  • SHA256

    1036b0baab1339684e2be48ded2faa6185b33d5965d4d164dd5817bbdbf8ecc8

  • SHA512

    ad38059e4f913931dc56a5847b20904824f62b2f0f443f47291ea3ea33915f817743d839353c6ff1a3e52da18a17453d147692aa52777d8c23a689c5927b8aab

  • SSDEEP

    12288:PWxWH9mKEfIC1YJV+BqL0Mh7sdx7DcKSimRDYPJzoYTYdeAA:PWxWHn0/15qL0Csf/c3XWhzzc6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe
    "C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe
      C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe 3\5\7\8\3\5\7\4\4\8\3 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
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
        3⤵
        PID:2612
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601411.txt bios get version
        3⤵
        PID:1044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 372
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\81703601411.txt

        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • \Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

        Filesize

        764KB

        MD5

        dc10880872e4dec85fd3cf85ea6f2970

        SHA1

        99184caa5fa16e07f354f135c6cac285d3ddc98c

        SHA256

        1829a771fe315e5dde7f8db0f93cefde9dda74a8116c40f1172a981b35d01cbe

        SHA512

        da885bfb16d8c1dfd648cfa6ffacc643a7eb45fa050ffba89d60d7c1d648ac88ad122a220a9ed93c84cec79bf5a3e7037903b83f352cdba9edb37d2d536841a0

      • \Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

        Filesize

        438KB

        MD5

        12826accf7616849a74a48aae08570c5

        SHA1

        5f2b904099ccf25c170b5c16da4c5bbc55ac9a0d

        SHA256

        69f766aff61a6cbad6c946995afff73f87f7b63187300a3e2a415d4b30c80540

        SHA512

        9303cf167493d7bff30a9048c9348ba52612ed449da3fc3cb4ca737fbae2a452c9f04002ad0fb6462a9b7f3217139fe251721c21b3021d7d38f46f674ad49693

      • \Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

        Filesize

        385KB

        MD5

        27ed8c61cccf7b17bd650721bae91a3f

        SHA1

        1865c35a842818ba04679ec57c1fd3c45b0d6b0c

        SHA256

        1075d450f8ac267c3371866ebc41672b4cc8e505edb136e96208c0bc345cc650

        SHA512

        182825427bd8b17d87a541c3229c63f69b6cbc2921667089320f5c98d648fb72c2d67901f664fd7cb53f90fd8482de2b49d716907531b81a1b87d352740659b8

      • \Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

        Filesize

        322KB

        MD5

        1305f8b8adc0c71589badab72bd9c63b

        SHA1

        7166803c09abfdd3764f5e4313f638a7459bb95d

        SHA256

        74c63689ab507cfed1fe1d78f9de7daf579e3fd207805450297ff56e71385e9d

        SHA512

        4f9001fbd329334ecafe525f141d0e805d794bfbf0939a05cdad8105e4482eb9ea7be5a96f5e889ccc746167563994877e558a209a75f5f63ad53feb536e05fb

      • \Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

        Filesize

        294KB

        MD5

        5d066b3bedac03e731cf41a7e70fa589

        SHA1

        8ff0660271b56462ba93838b48914e502ab1646b

        SHA256

        8f963f15128c5f93dd97c24cfdf7b63ea27721ceeb7c3dc85848eb742e5121dc

        SHA512

        05a4b9a4ce95687e8f55fbfde57ca6dbc1f1476652f8d97bb6cbb99361fb2b7b4eafe807fcbdaaffdb248318f053ff2e01044b149a6b4c3dc863de7dccab8ec7

      • \Users\Admin\AppData\Local\Temp\nst9158.tmp\jzymz.dll

        Filesize

        126KB

        MD5

        c526b978e30034662a151a5550fe542e

        SHA1

        108435d9158192e66883d0fd913a8e10062549d1

        SHA256

        ee08a1b206fa6e36e69b1bd37e5baf890bc5341141dd0cafc2a62e624f02a53a

        SHA512

        820b4db91b934cc1b7cf8f480b524a148b07f44fed77b617fed49097cf2b93e2c7c8deaf0d8de657da09da4a43de915987b920bf5f4f3b348ea139b807ad8b80

      • \Users\Admin\AppData\Local\Temp\nst9158.tmp\nsisunz.dll

        Filesize

        40KB

        MD5

        5f13dbc378792f23e598079fc1e4422b

        SHA1

        5813c05802f15930aa860b8363af2b58426c8adf

        SHA256

        6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

        SHA512

        9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5