1155d79f43e9e6246df3564128a7a5ac105759ae2e134e7a3a74bfa52c0b4629

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65cecf6a15994ffc1a86feeb41f495ae.exe
Size

611KB
MD5

65cecf6a15994ffc1a86feeb41f495ae
SHA1

0fd13f9aa8d1da016a2f02348ed39e7c80e33c12
SHA256

1155d79f43e9e6246df3564128a7a5ac105759ae2e134e7a3a74bfa52c0b4629
SHA512

4fca8369cc4c19cf5f7a8eae28b8646f070013c0e6d5dc8c0638dab1b449e1b40e3b9b58713dcf01105dd462ececefe8ba79f2d44b46532fd301dd602f1eb278
SSDEEP

12288:hOU3aGSE++yo/REQZAcZq4129Ak5Koe6bDaW2kiZtEf9sSKMX5OLe5E1:hOuanu/+QZAcoJR5UfH2qMX5L5e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	cccabfhdcc.exe

Loads dropped DLL 10 IoCs

pid	Process
1076	65cecf6a15994ffc1a86feeb41f495ae.exe
1076	65cecf6a15994ffc1a86feeb41f495ae.exe
1076	65cecf6a15994ffc1a86feeb41f495ae.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2396	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2464	wmic.exe
Token: SeSecurityPrivilege	2464	wmic.exe
Token: SeTakeOwnershipPrivilege	2464	wmic.exe
Token: SeLoadDriverPrivilege	2464	wmic.exe
Token: SeSystemProfilePrivilege	2464	wmic.exe
Token: SeSystemtimePrivilege	2464	wmic.exe
Token: SeProfSingleProcessPrivilege	2464	wmic.exe
Token: SeIncBasePriorityPrivilege	2464	wmic.exe
Token: SeCreatePagefilePrivilege	2464	wmic.exe
Token: SeBackupPrivilege	2464	wmic.exe
Token: SeRestorePrivilege	2464	wmic.exe
Token: SeShutdownPrivilege	2464	wmic.exe
Token: SeDebugPrivilege	2464	wmic.exe
Token: SeSystemEnvironmentPrivilege	2464	wmic.exe
Token: SeRemoteShutdownPrivilege	2464	wmic.exe
Token: SeUndockPrivilege	2464	wmic.exe
Token: SeManageVolumePrivilege	2464	wmic.exe
Token: 33	2464	wmic.exe
Token: 34	2464	wmic.exe
Token: 35	2464	wmic.exe
Token: SeIncreaseQuotaPrivilege	2464	wmic.exe
Token: SeSecurityPrivilege	2464	wmic.exe
Token: SeTakeOwnershipPrivilege	2464	wmic.exe
Token: SeLoadDriverPrivilege	2464	wmic.exe
Token: SeSystemProfilePrivilege	2464	wmic.exe
Token: SeSystemtimePrivilege	2464	wmic.exe
Token: SeProfSingleProcessPrivilege	2464	wmic.exe
Token: SeIncBasePriorityPrivilege	2464	wmic.exe
Token: SeCreatePagefilePrivilege	2464	wmic.exe
Token: SeBackupPrivilege	2464	wmic.exe
Token: SeRestorePrivilege	2464	wmic.exe
Token: SeShutdownPrivilege	2464	wmic.exe
Token: SeDebugPrivilege	2464	wmic.exe
Token: SeSystemEnvironmentPrivilege	2464	wmic.exe
Token: SeRemoteShutdownPrivilege	2464	wmic.exe
Token: SeUndockPrivilege	2464	wmic.exe
Token: SeManageVolumePrivilege	2464	wmic.exe
Token: 33	2464	wmic.exe
Token: 34	2464	wmic.exe
Token: 35	2464	wmic.exe
Token: SeIncreaseQuotaPrivilege	2660	wmic.exe
Token: SeSecurityPrivilege	2660	wmic.exe
Token: SeTakeOwnershipPrivilege	2660	wmic.exe
Token: SeLoadDriverPrivilege	2660	wmic.exe
Token: SeSystemProfilePrivilege	2660	wmic.exe
Token: SeSystemtimePrivilege	2660	wmic.exe
Token: SeProfSingleProcessPrivilege	2660	wmic.exe
Token: SeIncBasePriorityPrivilege	2660	wmic.exe
Token: SeCreatePagefilePrivilege	2660	wmic.exe
Token: SeBackupPrivilege	2660	wmic.exe
Token: SeRestorePrivilege	2660	wmic.exe
Token: SeShutdownPrivilege	2660	wmic.exe
Token: SeDebugPrivilege	2660	wmic.exe
Token: SeSystemEnvironmentPrivilege	2660	wmic.exe
Token: SeRemoteShutdownPrivilege	2660	wmic.exe
Token: SeUndockPrivilege	2660	wmic.exe
Token: SeManageVolumePrivilege	2660	wmic.exe
Token: 33	2660	wmic.exe
Token: 34	2660	wmic.exe
Token: 35	2660	wmic.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 1076 wrote to memory of 2396	1076	65cecf6a15994ffc1a86feeb41f495ae.exe	28
PID 2396 wrote to memory of 2464	2396	cccabfhdcc.exe	29
PID 2396 wrote to memory of 2464	2396	cccabfhdcc.exe	29
PID 2396 wrote to memory of 2464	2396	cccabfhdcc.exe	29
PID 2396 wrote to memory of 2464	2396	cccabfhdcc.exe	29
PID 2396 wrote to memory of 2660	2396	cccabfhdcc.exe	32
PID 2396 wrote to memory of 2660	2396	cccabfhdcc.exe	32
PID 2396 wrote to memory of 2660	2396	cccabfhdcc.exe	32
PID 2396 wrote to memory of 2660	2396	cccabfhdcc.exe	32
PID 2396 wrote to memory of 2768	2396	cccabfhdcc.exe	34
PID 2396 wrote to memory of 2768	2396	cccabfhdcc.exe	34
PID 2396 wrote to memory of 2768	2396	cccabfhdcc.exe	34
PID 2396 wrote to memory of 2768	2396	cccabfhdcc.exe	34
PID 2396 wrote to memory of 2628	2396	cccabfhdcc.exe	36
PID 2396 wrote to memory of 2628	2396	cccabfhdcc.exe	36
PID 2396 wrote to memory of 2628	2396	cccabfhdcc.exe	36
PID 2396 wrote to memory of 2628	2396	cccabfhdcc.exe	36
PID 2396 wrote to memory of 2228	2396	cccabfhdcc.exe	38
PID 2396 wrote to memory of 2228	2396	cccabfhdcc.exe	38
PID 2396 wrote to memory of 2228	2396	cccabfhdcc.exe	38
PID 2396 wrote to memory of 2228	2396	cccabfhdcc.exe	38
PID 2396 wrote to memory of 2700	2396	cccabfhdcc.exe	40
PID 2396 wrote to memory of 2700	2396	cccabfhdcc.exe	40
PID 2396 wrote to memory of 2700	2396	cccabfhdcc.exe	40
PID 2396 wrote to memory of 2700	2396	cccabfhdcc.exe	40

C:\Users\Admin\AppData\Local\Temp\65cecf6a15994ffc1a86feeb41f495ae.exe
"C:\Users\Admin\AppData\Local\Temp\65cecf6a15994ffc1a86feeb41f495ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe
  C:\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe 5-8-7-0-1-4-0-2-5-3-1 KkhCRDwtODcvLR8qS05CT0VEOysdLkk9TVdOTktHPzowGyc9SVJQSUI4LzQrMSsgLj9JQjgtHypIS09DUUNSWkZDOCotMjY0IC1OQlFRPUtfVE5MO2Nxc2syKC9yYXJ0KXFnYCVacG8pZF9vXi1kZl9vHytDSkRASkQ8NiAuQDE7Kx0uPyo2LTAcL0IuOiwsGChEMzktLxssQzA1JjEfK1BQSkFUPkxYUFFFVj8+VjwbJ0lSTkBVQU9cRFBEOj0fK1BQSkFUPkxYTkBJRTtFXnVcHSswUXFucmRqZCAqKUVtcmlwamtsYGZtIC5BWENaUlFHNWF0c2w6LSpeb2trbHRgcGlhLWNjL2teNWRpLnEuK2BoWXNvbV13cSlgbmgnY3JkKTdzMS0scmFnZG5zcytkMjcxJl54ZBwvQ1NCXj5FPUxISkU7GyxHSktNX0FOT1VOQlE4KhkvU0RBTEZWTlBXTlJLOSAtUUo8LRgoRFItPS8vLzE0KSszNS00NywwK1BLJWFlYmwwNC8rLisuLG5ebioxNSs+YGtvbGEsNCwxZDMtMGMyL2ZjNDViXCouNzI0NmEyYWMxKV1jYzIscXBfaF81KjAxMjIuWmNgXSkpZDczODYvMGAyK1owNS1hLjAwZDAwLjNkNDJkGyxRUEZNSUxBX1VASUJKRT5JTD1HQ1BPSzgYKElSW1JTSVFISD02dHFxZR4qT0RPTUtOSEpHXVBQRE1XPUFYTz0wGyxHRDw+WDwtIC1EUF4/UUdBTEVDXUBLQk1RSVREQD1kXGlyYBgoRE5TTkpKPkNaQUk9NjEuLy4wLSwsLi4wLzUeKlFISD02MTMuMjcsLzI0KhkvQ0tXTEdMQD9XTUlMQT0wKi8uLSgqNSk1OjAxNzItIklN
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703697317.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703697317.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703697317.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703697317.txt bios get version
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703697317.txt bios get version
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703697317.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9A8C.tmp\7tm.dll

Filesize
121KB

MD5
b7c88041bb05a8b5e5fe4336b4554fad

SHA1
9000e6b54e86245ae1fbc259563e0f514ed5b434

SHA256
d8039d7364def8247da83b5b3d824a72096ddaa0a585881902e238093056ea83

SHA512
2aadf59392888801100bac11b5e4c0c67244624a38eba0007112bb9fe61d0ec61183154ee4e99e2af5389704462665a55fa1b2a539d6cd2fb1c5b7fd438f4b96

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
864KB

MD5
46b4280e48dba14e546ad06aa59b69e0

SHA1
0b2925cb7776ed3211bdb66f1e5fbaf2ca442ae7

SHA256
9750c95815844548dfb9113f2c1a813ea356a8209343f5d8aae4fe9f5475826b

SHA512
432c4e43a4d4b933d0950d6e9bae3d509814f8905fe28062487149b20ee50f40aaa64546e5d0a1aed29ad346d68533f46c14844e32e86f35cf5c4c4af04dfeb5

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
312KB

MD5
ba4b8707d24f644bee36a78fc9eca386

SHA1
1ed39e3d2819ea24c3b43ffad7d4e0b61950dbc9

SHA256
43aa4730b5efc6f1f8c75a7422ccb0be306da237c014cbdc73fdb3f209d82189

SHA512
1b3015159a6a8a4b01c7465d9b1d9ad257aa01f586b4774d37d24c1d4ca6b2b91d7a1f18c83f4773b95018da554f95b80a71008a5da327791fc94536cf36d087

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
657KB

MD5
748f2033f5826ab87eae68f8a042d6bd

SHA1
6c847e55bc69c3b45aa52e3f71965052a8e3844a

SHA256
34382d1ea67e95a202bb902c4ac84d4fa1af8b86184b5d3039360dd713201b27

SHA512
815dff595d37c5fb0b8412ca980fe3c689861b15de6e21311de216ec6c252e2211a6a9b4780966ecfe5e090bd9697772c2dbdc11498b5dcf026f07ba1ca4bca7

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
529KB

MD5
81068be3bf68023c524740e7cffd818f

SHA1
895784a502cf577c978a848a943bc3ad98c4c38b

SHA256
f0c0f2ec7e506474a70afba27977974a57c59a7d2430c6ee11072997cc1d36d9

SHA512
2ad778b8e1b5890944c48cadff47d5304235146f70426e643920f220b0495dd04646206b82b6bd61a17fb0d743ee97e40bec02b6a0dc9364e04622568926c11f

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
768KB

MD5
f265154c132192fa1e8f4268ded7e609

SHA1
a2f79a095b4a17f5057ad990690494640b650d88

SHA256
827cc68629758a4f0457d64ac0121059707955c4ca51bd8e3c0d6d1ec3b62d9a

SHA512
0e7d0447034525acd63cfb30ade991868c888dc1991e56cdb4ac60438ca63842563728b9ffb25ec9e5ff52f7553b4295b66fe4ed18c4f4df88483415ff5fea51

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
229KB

MD5
7b6347d53420c8b172f8fd9a8a8b2dd2

SHA1
bec08f714692efe2fb0d1f1757bd7bf4bfefc78c

SHA256
4ad48ddfdc82d4f84bdb7a88e2ec1ca98eaf3bda1857a97c4357b4230effed07

SHA512
57c32ebe72733c46209ef4fce39db8ee8dcd69f1dd0dfd49732b54a59379d85fa19e8372ff720dfba7acc299c84777860f8ebeebd20ad990a022680629bdc1a4

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
252KB

MD5
f4870226d5ab99e244294a156ec187f9

SHA1
a172c1b09489fcaa6abc89c7d0e7038092e6dfc7

SHA256
4e36298b141e4a96759b7ce3fe5bde65ac995580c2a23772abed77d728991821

SHA512
66e68b2069c53787cee4ada820e15f4bd528c30072e1094dfb23a95d86fa1d6b17e2e16c3178832a0ecafe4d00053ec79133f4e26fbb10ec90e251965cdb5857

Download Submit
\Users\Admin\AppData\Local\Temp\cccabfhdcc.exe

Filesize
302KB

MD5
cceb63632fbcb5070350975c7e33b6c1

SHA1
91beb6483d07cd954b5689d817b1dc145a830637

SHA256
ab64a415fb3087d97c38fe7a00a0b833f1abbe83064cad3647529bd7d5051169

SHA512
24e64f94561f64d1b810781cd47c9de9e80dfaefb7d5b3651ded57f752a881d8797ab8c0cbffd4b41dc2688378a5e7af364f7c5073be10e4406b7b51b570f1b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9A8C.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit