16936e330545fd176549d12ce98d8a0ccb4e24617ad0728c7a2946a7df5d4e19

Analysis

max time kernel
143s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cc259d4fb7677bb0eb59437b7b8e15f.exe
Size

548KB
MD5

5cc259d4fb7677bb0eb59437b7b8e15f
SHA1

4f29abdbba5e212883ffba989f3cc024eee77ac9
SHA256

16936e330545fd176549d12ce98d8a0ccb4e24617ad0728c7a2946a7df5d4e19
SHA512

d2e7fb0c37e94897171b9e105bfb2ed8d960adb4618a66412dc0f36e25f1a71638007e8b5b3533b283d148d2b692bd9837e37240d70c3f561b9a6b8bbbd53807
SSDEEP

12288:D9CaEZZ2TusjEi3fLuSv1UFEyt652c5phCX8xvNkmw1cBYV0azPV+:DUsusl3ThvuSX2AhCs5Nbw1cCV0azQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1656	ecfcabfbcicdg.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	5cc259d4fb7677bb0eb59437b7b8e15f.exe
1872	5cc259d4fb7677bb0eb59437b7b8e15f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1032	1656	WerFault.exe	25

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2908	wmic.exe
Token: SeSecurityPrivilege	2908	wmic.exe
Token: SeTakeOwnershipPrivilege	2908	wmic.exe
Token: SeLoadDriverPrivilege	2908	wmic.exe
Token: SeSystemProfilePrivilege	2908	wmic.exe
Token: SeSystemtimePrivilege	2908	wmic.exe
Token: SeProfSingleProcessPrivilege	2908	wmic.exe
Token: SeIncBasePriorityPrivilege	2908	wmic.exe
Token: SeCreatePagefilePrivilege	2908	wmic.exe
Token: SeBackupPrivilege	2908	wmic.exe
Token: SeRestorePrivilege	2908	wmic.exe
Token: SeShutdownPrivilege	2908	wmic.exe
Token: SeDebugPrivilege	2908	wmic.exe
Token: SeSystemEnvironmentPrivilege	2908	wmic.exe
Token: SeRemoteShutdownPrivilege	2908	wmic.exe
Token: SeUndockPrivilege	2908	wmic.exe
Token: SeManageVolumePrivilege	2908	wmic.exe
Token: 33	2908	wmic.exe
Token: 34	2908	wmic.exe
Token: 35	2908	wmic.exe
Token: 36	2908	wmic.exe
Token: SeIncreaseQuotaPrivilege	2908	wmic.exe
Token: SeSecurityPrivilege	2908	wmic.exe
Token: SeTakeOwnershipPrivilege	2908	wmic.exe
Token: SeLoadDriverPrivilege	2908	wmic.exe
Token: SeSystemProfilePrivilege	2908	wmic.exe
Token: SeSystemtimePrivilege	2908	wmic.exe
Token: SeProfSingleProcessPrivilege	2908	wmic.exe
Token: SeIncBasePriorityPrivilege	2908	wmic.exe
Token: SeCreatePagefilePrivilege	2908	wmic.exe
Token: SeBackupPrivilege	2908	wmic.exe
Token: SeRestorePrivilege	2908	wmic.exe
Token: SeShutdownPrivilege	2908	wmic.exe
Token: SeDebugPrivilege	2908	wmic.exe
Token: SeSystemEnvironmentPrivilege	2908	wmic.exe
Token: SeRemoteShutdownPrivilege	2908	wmic.exe
Token: SeUndockPrivilege	2908	wmic.exe
Token: SeManageVolumePrivilege	2908	wmic.exe
Token: 33	2908	wmic.exe
Token: 34	2908	wmic.exe
Token: 35	2908	wmic.exe
Token: 36	2908	wmic.exe
Token: SeIncreaseQuotaPrivilege	2172	wmic.exe
Token: SeSecurityPrivilege	2172	wmic.exe
Token: SeTakeOwnershipPrivilege	2172	wmic.exe
Token: SeLoadDriverPrivilege	2172	wmic.exe
Token: SeSystemProfilePrivilege	2172	wmic.exe
Token: SeSystemtimePrivilege	2172	wmic.exe
Token: SeProfSingleProcessPrivilege	2172	wmic.exe
Token: SeIncBasePriorityPrivilege	2172	wmic.exe
Token: SeCreatePagefilePrivilege	2172	wmic.exe
Token: SeBackupPrivilege	2172	wmic.exe
Token: SeRestorePrivilege	2172	wmic.exe
Token: SeShutdownPrivilege	2172	wmic.exe
Token: SeDebugPrivilege	2172	wmic.exe
Token: SeSystemEnvironmentPrivilege	2172	wmic.exe
Token: SeRemoteShutdownPrivilege	2172	wmic.exe
Token: SeUndockPrivilege	2172	wmic.exe
Token: SeManageVolumePrivilege	2172	wmic.exe
Token: 33	2172	wmic.exe
Token: 34	2172	wmic.exe
Token: 35	2172	wmic.exe
Token: 36	2172	wmic.exe
Token: SeIncreaseQuotaPrivilege	2172	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1656	1872	5cc259d4fb7677bb0eb59437b7b8e15f.exe	25
PID 1872 wrote to memory of 1656	1872	5cc259d4fb7677bb0eb59437b7b8e15f.exe	25
PID 1872 wrote to memory of 1656	1872	5cc259d4fb7677bb0eb59437b7b8e15f.exe	25
PID 1656 wrote to memory of 2908	1656	ecfcabfbcicdg.exe	20
PID 1656 wrote to memory of 2908	1656	ecfcabfbcicdg.exe	20
PID 1656 wrote to memory of 2908	1656	ecfcabfbcicdg.exe	20
PID 1656 wrote to memory of 2172	1656	ecfcabfbcicdg.exe	27
PID 1656 wrote to memory of 2172	1656	ecfcabfbcicdg.exe	27
PID 1656 wrote to memory of 2172	1656	ecfcabfbcicdg.exe	27
PID 1656 wrote to memory of 4168	1656	ecfcabfbcicdg.exe	36
PID 1656 wrote to memory of 4168	1656	ecfcabfbcicdg.exe	36
PID 1656 wrote to memory of 4168	1656	ecfcabfbcicdg.exe	36
PID 1656 wrote to memory of 3944	1656	ecfcabfbcicdg.exe	30
PID 1656 wrote to memory of 3944	1656	ecfcabfbcicdg.exe	30
PID 1656 wrote to memory of 3944	1656	ecfcabfbcicdg.exe	30
PID 1656 wrote to memory of 3308	1656	ecfcabfbcicdg.exe	35
PID 1656 wrote to memory of 3308	1656	ecfcabfbcicdg.exe	35
PID 1656 wrote to memory of 3308	1656	ecfcabfbcicdg.exe	35

C:\Users\Admin\AppData\Local\Temp\5cc259d4fb7677bb0eb59437b7b8e15f.exe
"C:\Users\Admin\AppData\Local\Temp\5cc259d4fb7677bb0eb59437b7b8e15f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe
  C:\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe 2#2#2#0#6#1#1#1#3#9#4 LU5HRDcyMS8tFytRU0BQQ0M8Lx0mSkNSVU9MSkhDOiccLUJHU05IQzwuMDM1Hi1DQ0M8Lx0mTFBNQlU9U15IQTQtNDcyIClSRFFTPE5dU1BMN2dzc20xKy1xcHYoQ0RSSCRQTU4rQUpPLUhLPUseLUFMQ0JKSEE0HC1CLz0nMB8uQSk5Ky8eLz4yPCwuFytCMjstKx8uQzI0KS8eLVBMTkNUQEtbTlBHVjtCWDwdJkxQTUJVPVNeRFJDPTseLVBMTkNUQEtbTD9LRTcfLkRVPFtTUEo9Gi5EV0JWP0tCSklIRDwfLD9LUVJdQkxOVlJCSTkuHi1UQkBNSlZGUV1TUEw3Hy5VSjQuHi1CUys8Hy5PTEpSR0tFWVZES0BGSUNHS0FBRFRRSTQcLUdRX0xUTVNGREE7cnB1Xx8uUUJLUVBMR05BXlRSQklbQj9XUzcxHy5FQEBDVjsxGi5IUlw7VUw/S0k9XkRNQElVTlJDRDdlYGtwXBwtQk1XSEtOQEFWRU47NzUoMTQtLyg0LDEeL05ITEQ6KDAwNzczLTA4NR0mQE1VTExJQENeUUBJQzsyLyw0LjEtKDEoMTgzMzk0NSc4SR4tU0E3TG55ZmNoXyMwZi4tLyolWmtrbl90Y2FrZCIqXilLUUk/KjUtLRwvYClVaWhjbnZwIkpSKTMuKyQyYShKUi8jMWIlLU1EUSI/SlApMigvLTQtLi41Jx4vT1FLPGVrcG4jMWEfMWUkL11jY3IsMCsxMGUrYGpkbSMyYFF0bVFgaWNCbXdoa25gYURdbF9lZWxeY2RtY2t3IzBmKzMxODYpMzIwMSUsZTAzLzA1MDUyMi0kMWUuKy43NzA3LjEyJDBdLDQwMDkqLzY4LytWLzd3Tj1mJDFjWkBXb0tDcXZIRkYuR0JpMU08MHBOUTxzTHhHZFxpL29FTkJtX1QxalkwcjZBaC5tTXlld0hGRm5KQS52SCtyd05QJ25IRUdySlIvcEVORXZOUWNwSUUwbVlCM2pWMmZrTS9xYVMwamZTUU1lY1RNb0p4P2xHaDByVT9GdmFBQmhYVllyR09xYmNHUHZNeT4=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513871.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513871.txt bios get version
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 872
    3⤵
    - Program crash
    PID:1032
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513871.txt bios get version
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513871.txt bios get version
    3⤵
    PID:4168

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513871.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1656 -ip 1656
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq54F7.tmp\hyulanvh.dll

Filesize
107KB

MD5
9080b78b9a4590a6e43e41468a387819

SHA1
d79b2cfec3736bf6d58f627aeaad43ad75d9e142

SHA256
7c82ae5664963f23bd03b09fbcc5978295f482357f4c0c9f9af09828e7fab67c

SHA512
6f6ac05e8bda7936d9eeba49200041fd70a6b26964dc2f598fc1cc6680217b32eedd3652a9015713c182d660ae838b1f410644c56edac642649f6d03d2eb834b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq54F7.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit