1356a5fd4fc5cf564472f4658a366f59f3a60a8371e97918bd283ed5f5b75af9

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8fc64321bc5e2eb39b999154c122b1d.exe
Size

575KB
MD5

f8fc64321bc5e2eb39b999154c122b1d
SHA1

7ab2d25a66ce875832b1b0f537dbe77efc3a1bd3
SHA256

1356a5fd4fc5cf564472f4658a366f59f3a60a8371e97918bd283ed5f5b75af9
SHA512

d3b4e322c005d1060ac63556c5942f5eacfaab6cf5353e478e5d5ef9f2b5a8fb95b48b3aadb54ed4608bb6caf7867dfb110b384c39ebee144728b5bc9a874c48
SSDEEP

12288:cSSc5f0V5iPd5lAurV6EGEEfSxoapDe3buf+RZjNuqYBE:c0f9HlVrV6EPpmPcM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4836	bbjcabfdccbb.exe

Loads dropped DLL 2 IoCs

pid	Process
640	f8fc64321bc5e2eb39b999154c122b1d.exe
640	f8fc64321bc5e2eb39b999154c122b1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2100	4836	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2076	wmic.exe
Token: SeSecurityPrivilege	2076	wmic.exe
Token: SeTakeOwnershipPrivilege	2076	wmic.exe
Token: SeLoadDriverPrivilege	2076	wmic.exe
Token: SeSystemProfilePrivilege	2076	wmic.exe
Token: SeSystemtimePrivilege	2076	wmic.exe
Token: SeProfSingleProcessPrivilege	2076	wmic.exe
Token: SeIncBasePriorityPrivilege	2076	wmic.exe
Token: SeCreatePagefilePrivilege	2076	wmic.exe
Token: SeBackupPrivilege	2076	wmic.exe
Token: SeRestorePrivilege	2076	wmic.exe
Token: SeShutdownPrivilege	2076	wmic.exe
Token: SeDebugPrivilege	2076	wmic.exe
Token: SeSystemEnvironmentPrivilege	2076	wmic.exe
Token: SeRemoteShutdownPrivilege	2076	wmic.exe
Token: SeUndockPrivilege	2076	wmic.exe
Token: SeManageVolumePrivilege	2076	wmic.exe
Token: 33	2076	wmic.exe
Token: 34	2076	wmic.exe
Token: 35	2076	wmic.exe
Token: 36	2076	wmic.exe
Token: SeIncreaseQuotaPrivilege	2076	wmic.exe
Token: SeSecurityPrivilege	2076	wmic.exe
Token: SeTakeOwnershipPrivilege	2076	wmic.exe
Token: SeLoadDriverPrivilege	2076	wmic.exe
Token: SeSystemProfilePrivilege	2076	wmic.exe
Token: SeSystemtimePrivilege	2076	wmic.exe
Token: SeProfSingleProcessPrivilege	2076	wmic.exe
Token: SeIncBasePriorityPrivilege	2076	wmic.exe
Token: SeCreatePagefilePrivilege	2076	wmic.exe
Token: SeBackupPrivilege	2076	wmic.exe
Token: SeRestorePrivilege	2076	wmic.exe
Token: SeShutdownPrivilege	2076	wmic.exe
Token: SeDebugPrivilege	2076	wmic.exe
Token: SeSystemEnvironmentPrivilege	2076	wmic.exe
Token: SeRemoteShutdownPrivilege	2076	wmic.exe
Token: SeUndockPrivilege	2076	wmic.exe
Token: SeManageVolumePrivilege	2076	wmic.exe
Token: 33	2076	wmic.exe
Token: 34	2076	wmic.exe
Token: 35	2076	wmic.exe
Token: 36	2076	wmic.exe
Token: SeIncreaseQuotaPrivilege	4092	wmic.exe
Token: SeSecurityPrivilege	4092	wmic.exe
Token: SeTakeOwnershipPrivilege	4092	wmic.exe
Token: SeLoadDriverPrivilege	4092	wmic.exe
Token: SeSystemProfilePrivilege	4092	wmic.exe
Token: SeSystemtimePrivilege	4092	wmic.exe
Token: SeProfSingleProcessPrivilege	4092	wmic.exe
Token: SeIncBasePriorityPrivilege	4092	wmic.exe
Token: SeCreatePagefilePrivilege	4092	wmic.exe
Token: SeBackupPrivilege	4092	wmic.exe
Token: SeRestorePrivilege	4092	wmic.exe
Token: SeShutdownPrivilege	4092	wmic.exe
Token: SeDebugPrivilege	4092	wmic.exe
Token: SeSystemEnvironmentPrivilege	4092	wmic.exe
Token: SeRemoteShutdownPrivilege	4092	wmic.exe
Token: SeUndockPrivilege	4092	wmic.exe
Token: SeManageVolumePrivilege	4092	wmic.exe
Token: 33	4092	wmic.exe
Token: 34	4092	wmic.exe
Token: 35	4092	wmic.exe
Token: 36	4092	wmic.exe
Token: SeIncreaseQuotaPrivilege	4092	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4836	640	f8fc64321bc5e2eb39b999154c122b1d.exe	37
PID 640 wrote to memory of 4836	640	f8fc64321bc5e2eb39b999154c122b1d.exe	37
PID 640 wrote to memory of 4836	640	f8fc64321bc5e2eb39b999154c122b1d.exe	37
PID 4836 wrote to memory of 2076	4836	bbjcabfdccbb.exe	20
PID 4836 wrote to memory of 2076	4836	bbjcabfdccbb.exe	20
PID 4836 wrote to memory of 2076	4836	bbjcabfdccbb.exe	20
PID 4836 wrote to memory of 4092	4836	bbjcabfdccbb.exe	35
PID 4836 wrote to memory of 4092	4836	bbjcabfdccbb.exe	35
PID 4836 wrote to memory of 4092	4836	bbjcabfdccbb.exe	35
PID 4836 wrote to memory of 408	4836	bbjcabfdccbb.exe	34
PID 4836 wrote to memory of 408	4836	bbjcabfdccbb.exe	34
PID 4836 wrote to memory of 408	4836	bbjcabfdccbb.exe	34
PID 4836 wrote to memory of 1084	4836	bbjcabfdccbb.exe	33
PID 4836 wrote to memory of 1084	4836	bbjcabfdccbb.exe	33
PID 4836 wrote to memory of 1084	4836	bbjcabfdccbb.exe	33
PID 4836 wrote to memory of 920	4836	bbjcabfdccbb.exe	32
PID 4836 wrote to memory of 920	4836	bbjcabfdccbb.exe	32
PID 4836 wrote to memory of 920	4836	bbjcabfdccbb.exe	32

C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe
"C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe
  C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe 7-7-3-9-0-6-0-4-1-9-0 KElGOz0rMywwKiAoTFI5UENEOS8XL0c+UU5PTEtFQzQwGShBQFNOSUA8KTQwLTYXLz1JQDwnIChJT0ZET0NQXkBENisxJzQuICtSPFJPPk9WVUxMOWdrdGkzLCZzX3JyLWtoXiZeZ3AnZF1zWC5iZ2NmIClDSEg6S0I9OjBhXzYzMVs4Jis2LmUnNDFiKS1aWjFbLS0zMTBcNi8yNSg3MSArQyg9KhksOzI3LS0fJkQsNiooIClEMDwkMRkoQSw9JzEcLkdSSD1SOlRZUE5ITUE8UjoXL0pSS0NMQ01YQkxMOz0cLkdSSD1SOlRZTj1MPD0ZKEJPRVlVTks0ICg+VTxfPU1AS0BOPjYdJkhJU1BeOVJIUFA8UjcyHC5LSDpHSFBPT19RUUM9GShTRD0sICtDSjE2ZmUkY2ptKXRhcCoZLElVSFRFTDxfUD5JOk9HRUVMOEc+Tk9DPRovRVJWUk5HUUBNPz1wcWxlGShPPFRPUkpIRUdYTlA8UllEPVhKPSsZLD9JPkVUPCggKEJQVkRTTj1MQENYPks6UlNQUEQ7PV9aaWplGi9ATk5ORUg+O19DUDk1Ky4qLC4lNiouLjQXL01CSjw9KzQuMC0zLCk2KCApREtWRUxIOkFWVENNQTwoLyoyLCkwKzUmMTEwLTMyKCo7TQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4836

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832853.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 864
1⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832853.txt bios get version
1⤵
PID:920

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832853.txt bios get version
1⤵
PID:1084

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832853.txt bios get version
1⤵
PID:408

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832853.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads