15bcbaae8b681f0a73e983045b68b1e380003d40f6363f3ccfb0d4224c5c5c6d

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 19:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3743a67dcde560c6d0423a2bf48c3288.exe
Size

611KB
MD5

3743a67dcde560c6d0423a2bf48c3288
SHA1

7deabc66b61b3b1f63fb0a99296ed079f9e7af66
SHA256

15bcbaae8b681f0a73e983045b68b1e380003d40f6363f3ccfb0d4224c5c5c6d
SHA512

436e83f00d86c282bdb851aed5342350d98ef5cc9aa135ab51c0ffe6e9012fbff67d99daede65f4b1f04237a53f0aba1397c6c3d5d484fb55ce5ae78b52d3f76
SSDEEP

12288:RdzgF/Av9NexYuA0thhzjm8eFKk9EoIcdNNVpNal72qAZP:Rd6+exeihljyKk9EkY7B8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4044	ccicabfiabgi.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	3743a67dcde560c6d0423a2bf48c3288.exe
2916	3743a67dcde560c6d0423a2bf48c3288.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	4044	WerFault.exe	88

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3940	wmic.exe
Token: SeSecurityPrivilege	3940	wmic.exe
Token: SeTakeOwnershipPrivilege	3940	wmic.exe
Token: SeLoadDriverPrivilege	3940	wmic.exe
Token: SeSystemProfilePrivilege	3940	wmic.exe
Token: SeSystemtimePrivilege	3940	wmic.exe
Token: SeProfSingleProcessPrivilege	3940	wmic.exe
Token: SeIncBasePriorityPrivilege	3940	wmic.exe
Token: SeCreatePagefilePrivilege	3940	wmic.exe
Token: SeBackupPrivilege	3940	wmic.exe
Token: SeRestorePrivilege	3940	wmic.exe
Token: SeShutdownPrivilege	3940	wmic.exe
Token: SeDebugPrivilege	3940	wmic.exe
Token: SeSystemEnvironmentPrivilege	3940	wmic.exe
Token: SeRemoteShutdownPrivilege	3940	wmic.exe
Token: SeUndockPrivilege	3940	wmic.exe
Token: SeManageVolumePrivilege	3940	wmic.exe
Token: 33	3940	wmic.exe
Token: 34	3940	wmic.exe
Token: 35	3940	wmic.exe
Token: 36	3940	wmic.exe
Token: SeIncreaseQuotaPrivilege	3940	wmic.exe
Token: SeSecurityPrivilege	3940	wmic.exe
Token: SeTakeOwnershipPrivilege	3940	wmic.exe
Token: SeLoadDriverPrivilege	3940	wmic.exe
Token: SeSystemProfilePrivilege	3940	wmic.exe
Token: SeSystemtimePrivilege	3940	wmic.exe
Token: SeProfSingleProcessPrivilege	3940	wmic.exe
Token: SeIncBasePriorityPrivilege	3940	wmic.exe
Token: SeCreatePagefilePrivilege	3940	wmic.exe
Token: SeBackupPrivilege	3940	wmic.exe
Token: SeRestorePrivilege	3940	wmic.exe
Token: SeShutdownPrivilege	3940	wmic.exe
Token: SeDebugPrivilege	3940	wmic.exe
Token: SeSystemEnvironmentPrivilege	3940	wmic.exe
Token: SeRemoteShutdownPrivilege	3940	wmic.exe
Token: SeUndockPrivilege	3940	wmic.exe
Token: SeManageVolumePrivilege	3940	wmic.exe
Token: 33	3940	wmic.exe
Token: 34	3940	wmic.exe
Token: 35	3940	wmic.exe
Token: 36	3940	wmic.exe
Token: SeIncreaseQuotaPrivilege	1676	wmic.exe
Token: SeSecurityPrivilege	1676	wmic.exe
Token: SeTakeOwnershipPrivilege	1676	wmic.exe
Token: SeLoadDriverPrivilege	1676	wmic.exe
Token: SeSystemProfilePrivilege	1676	wmic.exe
Token: SeSystemtimePrivilege	1676	wmic.exe
Token: SeProfSingleProcessPrivilege	1676	wmic.exe
Token: SeIncBasePriorityPrivilege	1676	wmic.exe
Token: SeCreatePagefilePrivilege	1676	wmic.exe
Token: SeBackupPrivilege	1676	wmic.exe
Token: SeRestorePrivilege	1676	wmic.exe
Token: SeShutdownPrivilege	1676	wmic.exe
Token: SeDebugPrivilege	1676	wmic.exe
Token: SeSystemEnvironmentPrivilege	1676	wmic.exe
Token: SeRemoteShutdownPrivilege	1676	wmic.exe
Token: SeUndockPrivilege	1676	wmic.exe
Token: SeManageVolumePrivilege	1676	wmic.exe
Token: 33	1676	wmic.exe
Token: 34	1676	wmic.exe
Token: 35	1676	wmic.exe
Token: 36	1676	wmic.exe
Token: SeIncreaseQuotaPrivilege	1676	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 4044	2916	3743a67dcde560c6d0423a2bf48c3288.exe	88
PID 2916 wrote to memory of 4044	2916	3743a67dcde560c6d0423a2bf48c3288.exe	88
PID 2916 wrote to memory of 4044	2916	3743a67dcde560c6d0423a2bf48c3288.exe	88
PID 4044 wrote to memory of 3940	4044	ccicabfiabgi.exe	89
PID 4044 wrote to memory of 3940	4044	ccicabfiabgi.exe	89
PID 4044 wrote to memory of 3940	4044	ccicabfiabgi.exe	89
PID 4044 wrote to memory of 1676	4044	ccicabfiabgi.exe	94
PID 4044 wrote to memory of 1676	4044	ccicabfiabgi.exe	94
PID 4044 wrote to memory of 1676	4044	ccicabfiabgi.exe	94
PID 4044 wrote to memory of 1220	4044	ccicabfiabgi.exe	96
PID 4044 wrote to memory of 1220	4044	ccicabfiabgi.exe	96
PID 4044 wrote to memory of 1220	4044	ccicabfiabgi.exe	96
PID 4044 wrote to memory of 2064	4044	ccicabfiabgi.exe	97
PID 4044 wrote to memory of 2064	4044	ccicabfiabgi.exe	97
PID 4044 wrote to memory of 2064	4044	ccicabfiabgi.exe	97
PID 4044 wrote to memory of 2180	4044	ccicabfiabgi.exe	99
PID 4044 wrote to memory of 2180	4044	ccicabfiabgi.exe	99
PID 4044 wrote to memory of 2180	4044	ccicabfiabgi.exe	99

C:\Users\Admin\AppData\Local\Temp\3743a67dcde560c6d0423a2bf48c3288.exe
"C:\Users\Admin\AppData\Local\Temp\3743a67dcde560c6d0423a2bf48c3288.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\ccicabfiabgi.exe
  C:\Users\Admin\AppData\Local\Temp\ccicabfiabgi.exe 5-8-3-1-3-4-1-7-4-1-5 KkhGQzotMi00MBsqS1JBTUVDNiwfKkk9UVZMTkpCQDwsGydBSFBQSD05MSsvLzUfLD9IPTkvGypIT05BUUJNW0g/OCk2NTEzHyhPRE1RPU9eUk5LNmRzb2syLC5wYXFvKnNjYCVeb20pY1pwYClkZmNuHStCRUVCRkQ8Oh8sQDA2KTAbKjwvPCotHyhAMjgoKR0uQTA8Ji0fKj8tOiwuHC5JTk4/UDtRXk1OSE89QlQ4GCxPT0tDTj9TWkBNSUA6HC5JTk4/UDtRXks9TD45WXBoWXAkLyxRXnJkaWJdHh8sQVc+W1RNRzVXdGpdch4uL01gbmJtZGEgHi4vKCAqLUNsc21la2BfGydCV0JbQkZAS0RJPTofLEROTFBePU1HVFJCTjwrHC5PQzlLSlZLVFhRUUc4GCxVSjkxGStDTiw1HS5PUU1NRUxAWk9CS0BLTD5FTDxCPVJRSTkfKEVSWk1NS1NGSUQ2cHFwYBgsUUJQVEtKSElCV1JSQk5ePT1YTjgqHS5FRUM+VDwsGydGUlxAWEc9TEQ+V0JNQE5YSVBEPzheXmtwYR8oQE5SSURMQEFbSEk5NTIpKi8wKy0zKyoxKzIYLFNGSUQ2LTMtMCg1MTAtNRkrQ0pSRklOPkBeTUVMQDgqLDE1KzEpLTQlLCo3MC42NC8mQEg=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703611613.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703611613.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703611613.txt bios get version
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703611613.txt bios get version
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703611613.txt bios get version
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 924
    3⤵
    - Program crash
    PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044
1⤵
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703611613.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703611613.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccicabfiabgi.exe

Filesize
361KB

MD5
a214b0483fd54f822ea0ae2d0c3c9d87

SHA1
42147c508393809d9bc90428a443f91ea7d8126e

SHA256
6ea2406cb9b4f13d3f7395b91b2a8891fd629172347f6ed5139a0fc2dcec551c

SHA512
745ef59b6ce79bc7ee7f9bce863fd8667c82d61f67a1b5f36ce1d29c5b1fa1ea18a323dad37ea44711dd61ca7efdc2a0313c6e71b51d71e8424c1797fc03892e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccicabfiabgi.exe

Filesize
809KB

MD5
075f2a0a5f643faa43f36832cd3f3d5f

SHA1
0f4dccf54a56f139a50ca87cbf7ce7831fef37e2

SHA256
2633a0d49d0953b3aea5d4725d4a42f0d22b3b179b291a1b201811c17f4d7c3d

SHA512
98a8a82d84ccc271669270c1fdd66fdfd883a7cf3088f8b1952af747c6bd0b90969ea3a5dd060c76a733c85b7d1dfb7f39596471f82ea2efe4415c6d09bbd390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc733D.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc733D.tmp\slhjx.dll

Filesize
152KB

MD5
35b88fd1e608d7db05e24747cef69aeb

SHA1
90c8fb8d16e8e95ef88889808081c4c8af3bf45b

SHA256
81bef62ce4440d383c55889fd6c9535a345a2445aa2aab04a384cf5b90edf1eb

SHA512
5ebe39e8d62922a890d01a23fbb13e837385ab32b71414ea9338bee704dca5b1899da9e63632032294cc03cc25919cf4d3000466eaf676d07249a99691f8bc59

Download Submit