1356a5fd4fc5cf564472f4658a366f59f3a60a8371e97918bd283ed5f5b75af9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8fc64321bc5e2eb39b999154c122b1d.exe
Size

575KB
MD5

f8fc64321bc5e2eb39b999154c122b1d
SHA1

7ab2d25a66ce875832b1b0f537dbe77efc3a1bd3
SHA256

1356a5fd4fc5cf564472f4658a366f59f3a60a8371e97918bd283ed5f5b75af9
SHA512

d3b4e322c005d1060ac63556c5942f5eacfaab6cf5353e478e5d5ef9f2b5a8fb95b48b3aadb54ed4608bb6caf7867dfb110b384c39ebee144728b5bc9a874c48
SSDEEP

12288:cSSc5f0V5iPd5lAurV6EGEEfSxoapDe3buf+RZjNuqYBE:c0f9HlVrV6EPpmPcM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	bbjcabfdccbb.exe

Loads dropped DLL 10 IoCs

pid	Process
2264	f8fc64321bc5e2eb39b999154c122b1d.exe
2264	f8fc64321bc5e2eb39b999154c122b1d.exe
2264	f8fc64321bc5e2eb39b999154c122b1d.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	2744	WerFault.exe	31

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2788	wmic.exe
Token: SeSecurityPrivilege	2788	wmic.exe
Token: SeTakeOwnershipPrivilege	2788	wmic.exe
Token: SeLoadDriverPrivilege	2788	wmic.exe
Token: SeSystemProfilePrivilege	2788	wmic.exe
Token: SeSystemtimePrivilege	2788	wmic.exe
Token: SeProfSingleProcessPrivilege	2788	wmic.exe
Token: SeIncBasePriorityPrivilege	2788	wmic.exe
Token: SeCreatePagefilePrivilege	2788	wmic.exe
Token: SeBackupPrivilege	2788	wmic.exe
Token: SeRestorePrivilege	2788	wmic.exe
Token: SeShutdownPrivilege	2788	wmic.exe
Token: SeDebugPrivilege	2788	wmic.exe
Token: SeSystemEnvironmentPrivilege	2788	wmic.exe
Token: SeRemoteShutdownPrivilege	2788	wmic.exe
Token: SeUndockPrivilege	2788	wmic.exe
Token: SeManageVolumePrivilege	2788	wmic.exe
Token: 33	2788	wmic.exe
Token: 34	2788	wmic.exe
Token: 35	2788	wmic.exe
Token: SeIncreaseQuotaPrivilege	2788	wmic.exe
Token: SeSecurityPrivilege	2788	wmic.exe
Token: SeTakeOwnershipPrivilege	2788	wmic.exe
Token: SeLoadDriverPrivilege	2788	wmic.exe
Token: SeSystemProfilePrivilege	2788	wmic.exe
Token: SeSystemtimePrivilege	2788	wmic.exe
Token: SeProfSingleProcessPrivilege	2788	wmic.exe
Token: SeIncBasePriorityPrivilege	2788	wmic.exe
Token: SeCreatePagefilePrivilege	2788	wmic.exe
Token: SeBackupPrivilege	2788	wmic.exe
Token: SeRestorePrivilege	2788	wmic.exe
Token: SeShutdownPrivilege	2788	wmic.exe
Token: SeDebugPrivilege	2788	wmic.exe
Token: SeSystemEnvironmentPrivilege	2788	wmic.exe
Token: SeRemoteShutdownPrivilege	2788	wmic.exe
Token: SeUndockPrivilege	2788	wmic.exe
Token: SeManageVolumePrivilege	2788	wmic.exe
Token: 33	2788	wmic.exe
Token: 34	2788	wmic.exe
Token: 35	2788	wmic.exe
Token: SeIncreaseQuotaPrivilege	2624	wmic.exe
Token: SeSecurityPrivilege	2624	wmic.exe
Token: SeTakeOwnershipPrivilege	2624	wmic.exe
Token: SeLoadDriverPrivilege	2624	wmic.exe
Token: SeSystemProfilePrivilege	2624	wmic.exe
Token: SeSystemtimePrivilege	2624	wmic.exe
Token: SeProfSingleProcessPrivilege	2624	wmic.exe
Token: SeIncBasePriorityPrivilege	2624	wmic.exe
Token: SeCreatePagefilePrivilege	2624	wmic.exe
Token: SeBackupPrivilege	2624	wmic.exe
Token: SeRestorePrivilege	2624	wmic.exe
Token: SeShutdownPrivilege	2624	wmic.exe
Token: SeDebugPrivilege	2624	wmic.exe
Token: SeSystemEnvironmentPrivilege	2624	wmic.exe
Token: SeRemoteShutdownPrivilege	2624	wmic.exe
Token: SeUndockPrivilege	2624	wmic.exe
Token: SeManageVolumePrivilege	2624	wmic.exe
Token: 33	2624	wmic.exe
Token: 34	2624	wmic.exe
Token: 35	2624	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2264 wrote to memory of 2744	2264	f8fc64321bc5e2eb39b999154c122b1d.exe	31
PID 2744 wrote to memory of 2788	2744	bbjcabfdccbb.exe	21
PID 2744 wrote to memory of 2788	2744	bbjcabfdccbb.exe	21
PID 2744 wrote to memory of 2788	2744	bbjcabfdccbb.exe	21
PID 2744 wrote to memory of 2788	2744	bbjcabfdccbb.exe	21
PID 2744 wrote to memory of 2624	2744	bbjcabfdccbb.exe	24
PID 2744 wrote to memory of 2624	2744	bbjcabfdccbb.exe	24
PID 2744 wrote to memory of 2624	2744	bbjcabfdccbb.exe	24
PID 2744 wrote to memory of 2624	2744	bbjcabfdccbb.exe	24
PID 2744 wrote to memory of 2708	2744	bbjcabfdccbb.exe	30
PID 2744 wrote to memory of 2708	2744	bbjcabfdccbb.exe	30
PID 2744 wrote to memory of 2708	2744	bbjcabfdccbb.exe	30
PID 2744 wrote to memory of 2708	2744	bbjcabfdccbb.exe	30
PID 2744 wrote to memory of 2552	2744	bbjcabfdccbb.exe	28
PID 2744 wrote to memory of 2552	2744	bbjcabfdccbb.exe	28
PID 2744 wrote to memory of 2552	2744	bbjcabfdccbb.exe	28
PID 2744 wrote to memory of 2552	2744	bbjcabfdccbb.exe	28
PID 2744 wrote to memory of 2992	2744	bbjcabfdccbb.exe	26
PID 2744 wrote to memory of 2992	2744	bbjcabfdccbb.exe	26
PID 2744 wrote to memory of 2992	2744	bbjcabfdccbb.exe	26
PID 2744 wrote to memory of 2992	2744	bbjcabfdccbb.exe	26
PID 2744 wrote to memory of 2828	2744	bbjcabfdccbb.exe	40
PID 2744 wrote to memory of 2828	2744	bbjcabfdccbb.exe	40
PID 2744 wrote to memory of 2828	2744	bbjcabfdccbb.exe	40
PID 2744 wrote to memory of 2828	2744	bbjcabfdccbb.exe	40

C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe
"C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe
  C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe 7-7-3-9-0-6-0-4-1-9-0 KElGOz0rMywwKiAoTFI5UENEOS8XL0c+UU5PTEtFQzQwGShBQFNOSUA8KTQwLTYXLz1JQDwnIChJT0ZET0NQXkBENisxJzQuICtSPFJPPk9WVUxMOWdrdGkzLCZzX3JyLWtoXiZeZ3AnZF1zWC5iZ2NmIClDSEg6S0I9OjBhXzYzMVs4Jis2LmUnNDFiKS1aWjFbLS0zMTBcNi8yNSg3MSArQyg9KhksOzI3LS0fJkQsNiooIClEMDwkMRkoQSw9JzEcLkdSSD1SOlRZUE5ITUE8UjoXL0pSS0NMQ01YQkxMOz0cLkdSSD1SOlRZTj1MPD0ZKEJPRVlVTks0ICg+VTxfPU1AS0BOPjYdJkhJU1BeOVJIUFA8UjcyHC5LSDpHSFBPT19RUUM9GShTRD0sICtDSjE2ZmUkY2ptKXRhcCoZLElVSFRFTDxfUD5JOk9HRUVMOEc+Tk9DPRovRVJWUk5HUUBNPz1wcWxlGShPPFRPUkpIRUdYTlA8UllEPVhKPSsZLD9JPkVUPCggKEJQVkRTTj1MQENYPks6UlNQUEQ7PV9aaWplGi9ATk5ORUg+O19DUDk1Ky4qLC4lNiouLjQXL01CSjw9KzQuMC0zLCk2KCApREtWRUxIOkFWVENNQTwoLyoyLCkwKzUmMTEwLTMyKCo7TQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2828

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
1⤵
PID:2992

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
1⤵
PID:2552

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704832850.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
381KB

MD5
14a0444285985b05543918309d1d781c

SHA1
2835a3f5ea5ecf754d9b889ab8e84fa095a7447f

SHA256
4491aa3b6ca90206665c8f0e082289053e74fb43a783752e7f3f3e6869074785

SHA512
93657311e1aca496858b6b4df8f717a9e669aa910d37ff67df1f648366b6e295a7cdd7d7c234d9701ff9477840f7864d8c55c5279d6e35ac663075c63459e19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst235A.tmp\day.dll

Filesize
111KB

MD5
f77cdda6c86781185bbd665b1d1fe54e

SHA1
128346254df7243521e8ff5ad8933fba998b49b8

SHA256
2e561b51631b85b1520e13877b46f24a5960099484857fbc7e897e389a2d319e

SHA512
aca6dbda68308551e3bc7469828df78e62c0a58db3b8f011aca1e0bb049316e6eec70837ed30437f9d8cc84def4f537b7538e0c4c93385bd0d762770ceb53262

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
538KB

MD5
87d39a05e92422873a9aaf35d29b91f3

SHA1
8a93359f01a394a88674049d2d9b230dcc35d21d

SHA256
4202a6af0483a468970181c0fcd1e006cf3dd5e2b9fb2ce3165a5ca6c848cabc

SHA512
98a34ebbc2bbd28acc60898cc77e8e03f73d81d6a45f55f9b418200234e0ef0a45b738c863fc6e0f1f9ab59654d60884315d74b1ea9624c512c6e462c2537410

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
106KB

MD5
dfa53215a9216495e44157115d59323c

SHA1
46ddb55ac2a7222f902136dbba29c38803979ade

SHA256
fae45e841b09e0e48c8b2a1e10c6c9210fc50eeb1049f5def29f8c84ae3534c8

SHA512
01dbc44023a5b662c2b05cb75f65275c37e5e0459191b3c2f3280914b47b3ef6f05973ad6b4b515ce20edde1294c44c03ed27cba624b62531ca56f7681efac61

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
114KB

MD5
6f855a4c074c19e8a0fb598b16322e2c

SHA1
e6637d5114101a806ac30be60d3d7b1cd3569fd9

SHA256
9056307ef936a3903bf78228bb18e0149b08452f39dd763e757aed7446908a84

SHA512
442deac33f65af4e313041d88083c75c58498c5b82b1a84be5000db14b999a98de636b8f2b7beb9dcf90ce67bcf0a276e7d92d379cb1418bcc46eb3e15bb174e

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
323KB

MD5
c0e945be46d01da1456c039306471632

SHA1
a0422ac0c42ab2e04177e26383c93d69ecd29a94

SHA256
689d941b25fbb09a6fd740af0e31d5d66ebfae5d124155e0d372e7078ec00726

SHA512
d69593b101870245dfe810750dab5c1a86d2f989a02a873755c5b60c203ecefea8b8dc8d1a45cf5a0bdf4842cad4e4ded4ebfbea2d6ec1e06bb0ff8243cf62cf

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
137KB

MD5
68b3c781e8fe5656f67039f9d2cc00d1

SHA1
4aa588b3650e416e8668675b2d5bfd7c45c9ecaf

SHA256
7b5ef69abd8c79be1fff9a121f846ea6d2f537c3a5e50c04024c737c5196f9aa

SHA512
341e729b7f73a383fa6200322a995a4d4ea7c9495f871fffbab9180f495ab44a74898c9db14b912cad37db4738e87b57cfd6412eb8af7fb19e991318a478cf78

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
205KB

MD5
2ba1f392a5e40923adbddbec812e8c1c

SHA1
8019c82310c09ade0a5c8646fccf7aef88281219

SHA256
7aa53cee35ff41b8d51a3102522f2063bb371a6e62d9c970f2d862efb0659b4a

SHA512
ac79702e743d6b89aa4ed1baa7ecf4eb98e1b53bbffa873c93aeb13e6f2846c7613faae5dded3f5b8a4914d25c403250a26da5904938a9a805fb7a551c6dc4af

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
126KB

MD5
882e143e27e8cc053cf1f99d0dfa6f0c

SHA1
d9e95c957f67ce5aa8fda39700281d5c96339dd4

SHA256
9beab2f71d2ed07ffa23c2f76264d3ec6611a65e802c29ecddbd069021b26c1e

SHA512
1ca479f9cbbfbb5d4796abc836c8b0f767b95fec6ed9e20182cce1ef166b42f281ef0b98e91b1fdedb222d5af2eeaddc1e6877686ae7a1e20370a819d92759eb

Download Submit
\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe

Filesize
94KB

MD5
279d1e6dd775c5bfc6753697d4e80ef1

SHA1
8a887ab2143174b7a51a15020f110f81777d2a82

SHA256
7b96694ad9f40c3741993400afb76edf7e1aa0692ce6bc26236d852c594f3dbc

SHA512
b6354464bc424131b335f88147350a6ba4e6e3c0be4537e243eb8a9ae8801640e7f50dc02d8fd1952b598ed5a628c038e5fc2f8794809152fee55eca6cd711d9

Download Submit
\Users\Admin\AppData\Local\Temp\nst235A.tmp\nsisunz.dll

Filesize
27KB

MD5
0bdd1fe9b5e5f8c390b3d9d582edeb61

SHA1
7ed2ba7eb026f4c6f18bb13984b3b7ddd6005c01

SHA256
15142e526974c6483ba9f38eaff6515157e60c56d0a039958053441000893488

SHA512
030d21cba9a594f9cac8a25f62ad519a43af00a8450ba934dada4eb27a35983ad9c96d58469e8afc2c6c360bfd714b982e8295eaa3add353aa59533fd9969ea7

Download Submit