1036b0baab1339684e2be48ded2faa6185b33d5965d4d164dd5817bbdbf8ecc8

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3208c7cea46deff6c23f33327518c273.exe
Size

577KB
MD5

3208c7cea46deff6c23f33327518c273
SHA1

26d0740d47aa07961a3d43081c5cd3910bb53784
SHA256

1036b0baab1339684e2be48ded2faa6185b33d5965d4d164dd5817bbdbf8ecc8
SHA512

ad38059e4f913931dc56a5847b20904824f62b2f0f443f47291ea3ea33915f817743d839353c6ff1a3e52da18a17453d147692aa52777d8c23a689c5927b8aab
SSDEEP

12288:PWxWH9mKEfIC1YJV+BqL0Mh7sdx7DcKSimRDYPJzoYTYdeAA:PWxWHn0/15qL0Csf/c3XWhzzc6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2084	ecccabfbcahb.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	3208c7cea46deff6c23f33327518c273.exe
2448	3208c7cea46deff6c23f33327518c273.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3276	2084	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4444	wmic.exe
Token: SeSecurityPrivilege	4444	wmic.exe
Token: SeTakeOwnershipPrivilege	4444	wmic.exe
Token: SeLoadDriverPrivilege	4444	wmic.exe
Token: SeSystemProfilePrivilege	4444	wmic.exe
Token: SeSystemtimePrivilege	4444	wmic.exe
Token: SeProfSingleProcessPrivilege	4444	wmic.exe
Token: SeIncBasePriorityPrivilege	4444	wmic.exe
Token: SeCreatePagefilePrivilege	4444	wmic.exe
Token: SeBackupPrivilege	4444	wmic.exe
Token: SeRestorePrivilege	4444	wmic.exe
Token: SeShutdownPrivilege	4444	wmic.exe
Token: SeDebugPrivilege	4444	wmic.exe
Token: SeSystemEnvironmentPrivilege	4444	wmic.exe
Token: SeRemoteShutdownPrivilege	4444	wmic.exe
Token: SeUndockPrivilege	4444	wmic.exe
Token: SeManageVolumePrivilege	4444	wmic.exe
Token: 33	4444	wmic.exe
Token: 34	4444	wmic.exe
Token: 35	4444	wmic.exe
Token: 36	4444	wmic.exe
Token: SeIncreaseQuotaPrivilege	4444	wmic.exe
Token: SeSecurityPrivilege	4444	wmic.exe
Token: SeTakeOwnershipPrivilege	4444	wmic.exe
Token: SeLoadDriverPrivilege	4444	wmic.exe
Token: SeSystemProfilePrivilege	4444	wmic.exe
Token: SeSystemtimePrivilege	4444	wmic.exe
Token: SeProfSingleProcessPrivilege	4444	wmic.exe
Token: SeIncBasePriorityPrivilege	4444	wmic.exe
Token: SeCreatePagefilePrivilege	4444	wmic.exe
Token: SeBackupPrivilege	4444	wmic.exe
Token: SeRestorePrivilege	4444	wmic.exe
Token: SeShutdownPrivilege	4444	wmic.exe
Token: SeDebugPrivilege	4444	wmic.exe
Token: SeSystemEnvironmentPrivilege	4444	wmic.exe
Token: SeRemoteShutdownPrivilege	4444	wmic.exe
Token: SeUndockPrivilege	4444	wmic.exe
Token: SeManageVolumePrivilege	4444	wmic.exe
Token: 33	4444	wmic.exe
Token: 34	4444	wmic.exe
Token: 35	4444	wmic.exe
Token: 36	4444	wmic.exe
Token: SeIncreaseQuotaPrivilege	3396	wmic.exe
Token: SeSecurityPrivilege	3396	wmic.exe
Token: SeTakeOwnershipPrivilege	3396	wmic.exe
Token: SeLoadDriverPrivilege	3396	wmic.exe
Token: SeSystemProfilePrivilege	3396	wmic.exe
Token: SeSystemtimePrivilege	3396	wmic.exe
Token: SeProfSingleProcessPrivilege	3396	wmic.exe
Token: SeIncBasePriorityPrivilege	3396	wmic.exe
Token: SeCreatePagefilePrivilege	3396	wmic.exe
Token: SeBackupPrivilege	3396	wmic.exe
Token: SeRestorePrivilege	3396	wmic.exe
Token: SeShutdownPrivilege	3396	wmic.exe
Token: SeDebugPrivilege	3396	wmic.exe
Token: SeSystemEnvironmentPrivilege	3396	wmic.exe
Token: SeRemoteShutdownPrivilege	3396	wmic.exe
Token: SeUndockPrivilege	3396	wmic.exe
Token: SeManageVolumePrivilege	3396	wmic.exe
Token: 33	3396	wmic.exe
Token: 34	3396	wmic.exe
Token: 35	3396	wmic.exe
Token: 36	3396	wmic.exe
Token: SeIncreaseQuotaPrivilege	3396	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2084	2448	3208c7cea46deff6c23f33327518c273.exe	32
PID 2448 wrote to memory of 2084	2448	3208c7cea46deff6c23f33327518c273.exe	32
PID 2448 wrote to memory of 2084	2448	3208c7cea46deff6c23f33327518c273.exe	32
PID 2084 wrote to memory of 4444	2084	ecccabfbcahb.exe	19
PID 2084 wrote to memory of 4444	2084	ecccabfbcahb.exe	19
PID 2084 wrote to memory of 4444	2084	ecccabfbcahb.exe	19
PID 2084 wrote to memory of 3396	2084	ecccabfbcahb.exe	31
PID 2084 wrote to memory of 3396	2084	ecccabfbcahb.exe	31
PID 2084 wrote to memory of 3396	2084	ecccabfbcahb.exe	31
PID 2084 wrote to memory of 4108	2084	ecccabfbcahb.exe	30
PID 2084 wrote to memory of 4108	2084	ecccabfbcahb.exe	30
PID 2084 wrote to memory of 4108	2084	ecccabfbcahb.exe	30
PID 2084 wrote to memory of 3452	2084	ecccabfbcahb.exe	29
PID 2084 wrote to memory of 3452	2084	ecccabfbcahb.exe	29
PID 2084 wrote to memory of 3452	2084	ecccabfbcahb.exe	29
PID 2084 wrote to memory of 4764	2084	ecccabfbcahb.exe	28
PID 2084 wrote to memory of 4764	2084	ecccabfbcahb.exe	28
PID 2084 wrote to memory of 4764	2084	ecccabfbcahb.exe	28

C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe
"C:\Users\Admin\AppData\Local\Temp\3208c7cea46deff6c23f33327518c273.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe
  C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe 3\5\7\8\3\5\7\4\4\8\3 LEtCPDosMi8yKx0sTk46TUQ9OSwYLEtATU9MTURFQDUuIi0paG9qXXFfbGteaF41T2BiaV1fYh0qPUFQT0JAOSo0NCwrGCw+QkA5KB0sS0tHQVA8UFtBQTotLzExLhkrTz1PU0BLV1JNRTlkbHFtNSgncG1vKkA9UEgoTUdNKDpMTCZGS0FIGCw+RUU/Q0ZBOBknQSw2KS0YLEEtNiUuGyhALzUqLhsoPDE4Ji0cJ0EyOCYpHSpJTks8UkBPWEhPRE89P1E6HSpJSkw/Tj9QV0JSRzo1HSpJTks8UkBPWEY+SD45HCdCVUBYTU9HNhwrPVVCWjxFQUdCSkE1HSxDSEtRWjtOS09QQk02LR0qTUQ9RkhWSk5XUk1FORwnU0o4KxgsP0wtORgsT1BHTEZIPltTPUlASkY9Rkg6Q0FNT0k4GSdGTlhOUUZRRkg+NXFtbmEcJ09CT05KS0RHQ1tNUEJNWDw+VEw5LhgsRUQ9PVU4KhwrQVBcP1JGPkhCP1s9S0BNUkhRQD05YllpcGAZJ0FKUEpIRz5BWkJIOi4vKjQqKy4sMCYuLjAcK0xGSkA2KTEtMjI0KDQvKxknQUpQSkhHPkFaTUFKQDYwKyovLC0pKTIlLjYvKjctKyM5ShsoUT01HSxQS0Q6Y21wbB0wXiArXiItX2NhbG8rYWJkYjNdYW9jcWxrJ1tsaB4uYkpya09iZWI/aHNqZGxeX0ZZa1xgYW5XYWJrZWd2ICtiLiovLy0rKi8tKy4uKi8iLV9cbHJnaGtZYWpcZ1lkYGshLl5kYm8uLiIuX2whK2EuNCwuMCArMmAdMGEtMC8uLR4uMmQiMF8rLjYvLCEuLmsiLl0pKGtra2BtYHFpWmViICxgTl1malxgXSItL2JlZGJrXGZdIi5dTmFhal5iXg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2084

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601459.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2084 -ip 2084
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 960
1⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601459.txt bios get version
1⤵
PID:4764

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601459.txt bios get version
1⤵
PID:3452

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601459.txt bios get version
1⤵
PID:4108

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703601459.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703601459.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703601459.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703601459.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
60KB

MD5
a4d3d585e0c7378fb211fa2f698c1e34

SHA1
2226324c95d846e8b31a92ea4d61ef6e6690d1b3

SHA256
261f45abcd4b93e993067e8bc816a2ecbc20e55b8e8a1b8b2d03ea2a65b8e340

SHA512
5dada8707cf0c9604245879f5a42fe69df54bc5d18d185930795e7f33232e3b309126d02855017f237628254c36fa1162f09fdb22f60d4e7250d2bccde9214db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecccabfbcahb.exe

Filesize
76KB

MD5
f3ac27632010ff595c7079941a42cc6e

SHA1
a5a352874b21cab5d4948e25e5afaacc8a6caabd

SHA256
c93de8c315e45ba67ee3a3edada54be0dab145e5baca3d2d12af53885ce80046

SHA512
5cf0702d08390d4564f89a1791a87748c1b29bfc1cbc7b706f79ddeb6e650fcc2e8968d262600ba57f5d1772d41b5fa9beb4ec0e3f2bc844376611a978638e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso43FF.tmp\jzymz.dll

Filesize
50KB

MD5
c92c4d90a90b8445369a8dd0e145e2f8

SHA1
f1a18204ada4d40360619c5116bb4f1c6b143542

SHA256
488bbdfe384b2e7346c671d109ac2718758a74a40a2ef908fbf45b707914a7cc

SHA512
1fe583c4244f7580bdfba10515914696a6d934dd68a310a1fc0d7319136a55c14d792cafae6230ebe5a87d79de927684c73359a058c8d778ad594de037c40d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso43FF.tmp\jzymz.dll

Filesize
73KB

MD5
039768d6026100d3979b509c37e9d8c0

SHA1
bc69b5c26b3412e350e4293a3f650757302995ca

SHA256
f537f6f850a1271853e103baf3c68be13b80fa3f9692fa0ae4d0e9cd4008f7e8

SHA512
5793448d9ad159620f271c1c30fb654ddbfc6c5eb86e7e16360c7782c59d437f2be80cbacb9ab13001a4668ef3c0bd19f192c9f14fcded5943cf73e5be9e07e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso43FF.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit