1266331de7090e034d41af30a37f50a1d7e796ad9050489c0c81428fa6ea6a50

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0014b01e182206d99d4ca70d14083906.exe
Size

575KB
MD5

0014b01e182206d99d4ca70d14083906
SHA1

2674f3ea8e70d8ee3d3099baeea89cc17c6af71d
SHA256

1266331de7090e034d41af30a37f50a1d7e796ad9050489c0c81428fa6ea6a50
SHA512

3b44b0908d6d58c72a115ca7b33849f7dd1e1cbf36d627663117b558af9fdb3a1cf3e77765277944d4318434584b10524f8f3b1759a9e0d8c09742bef5a58fee
SSDEEP

12288:c5Lu2+wmfgPgNSHSpsAcFyYLYk1+jsVjn6g1LP4X+Sra6UkfKds:c5K2+NfXSHUKy2Yk1wwn6+O+SrvaG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2056	echcabfbcabeh.exe

Loads dropped DLL 10 IoCs

pid	Process
3000	0014b01e182206d99d4ca70d14083906.exe
3000	0014b01e182206d99d4ca70d14083906.exe
3000	0014b01e182206d99d4ca70d14083906.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe
476	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
476	2056	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe
Token: SeSystemProfilePrivilege	2576	wmic.exe
Token: SeSystemtimePrivilege	2576	wmic.exe
Token: SeProfSingleProcessPrivilege	2576	wmic.exe
Token: SeIncBasePriorityPrivilege	2576	wmic.exe
Token: SeCreatePagefilePrivilege	2576	wmic.exe
Token: SeBackupPrivilege	2576	wmic.exe
Token: SeRestorePrivilege	2576	wmic.exe
Token: SeShutdownPrivilege	2576	wmic.exe
Token: SeDebugPrivilege	2576	wmic.exe
Token: SeSystemEnvironmentPrivilege	2576	wmic.exe
Token: SeRemoteShutdownPrivilege	2576	wmic.exe
Token: SeUndockPrivilege	2576	wmic.exe
Token: SeManageVolumePrivilege	2576	wmic.exe
Token: 33	2576	wmic.exe
Token: 34	2576	wmic.exe
Token: 35	2576	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe
Token: SeSystemProfilePrivilege	2576	wmic.exe
Token: SeSystemtimePrivilege	2576	wmic.exe
Token: SeProfSingleProcessPrivilege	2576	wmic.exe
Token: SeIncBasePriorityPrivilege	2576	wmic.exe
Token: SeCreatePagefilePrivilege	2576	wmic.exe
Token: SeBackupPrivilege	2576	wmic.exe
Token: SeRestorePrivilege	2576	wmic.exe
Token: SeShutdownPrivilege	2576	wmic.exe
Token: SeDebugPrivilege	2576	wmic.exe
Token: SeSystemEnvironmentPrivilege	2576	wmic.exe
Token: SeRemoteShutdownPrivilege	2576	wmic.exe
Token: SeUndockPrivilege	2576	wmic.exe
Token: SeManageVolumePrivilege	2576	wmic.exe
Token: 33	2576	wmic.exe
Token: 34	2576	wmic.exe
Token: 35	2576	wmic.exe
Token: SeIncreaseQuotaPrivilege	2628	wmic.exe
Token: SeSecurityPrivilege	2628	wmic.exe
Token: SeTakeOwnershipPrivilege	2628	wmic.exe
Token: SeLoadDriverPrivilege	2628	wmic.exe
Token: SeSystemProfilePrivilege	2628	wmic.exe
Token: SeSystemtimePrivilege	2628	wmic.exe
Token: SeProfSingleProcessPrivilege	2628	wmic.exe
Token: SeIncBasePriorityPrivilege	2628	wmic.exe
Token: SeCreatePagefilePrivilege	2628	wmic.exe
Token: SeBackupPrivilege	2628	wmic.exe
Token: SeRestorePrivilege	2628	wmic.exe
Token: SeShutdownPrivilege	2628	wmic.exe
Token: SeDebugPrivilege	2628	wmic.exe
Token: SeSystemEnvironmentPrivilege	2628	wmic.exe
Token: SeRemoteShutdownPrivilege	2628	wmic.exe
Token: SeUndockPrivilege	2628	wmic.exe
Token: SeManageVolumePrivilege	2628	wmic.exe
Token: 33	2628	wmic.exe
Token: 34	2628	wmic.exe
Token: 35	2628	wmic.exe
Token: SeIncreaseQuotaPrivilege	2648	wmic.exe
Token: SeSecurityPrivilege	2648	wmic.exe
Token: SeTakeOwnershipPrivilege	2648	wmic.exe
Token: SeLoadDriverPrivilege	2648	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2056	3000	0014b01e182206d99d4ca70d14083906.exe	28
PID 3000 wrote to memory of 2056	3000	0014b01e182206d99d4ca70d14083906.exe	28
PID 3000 wrote to memory of 2056	3000	0014b01e182206d99d4ca70d14083906.exe	28
PID 3000 wrote to memory of 2056	3000	0014b01e182206d99d4ca70d14083906.exe	28
PID 2056 wrote to memory of 2576	2056	echcabfbcabeh.exe	27
PID 2056 wrote to memory of 2576	2056	echcabfbcabeh.exe	27
PID 2056 wrote to memory of 2576	2056	echcabfbcabeh.exe	27
PID 2056 wrote to memory of 2576	2056	echcabfbcabeh.exe	27
PID 2056 wrote to memory of 2628	2056	echcabfbcabeh.exe	26
PID 2056 wrote to memory of 2628	2056	echcabfbcabeh.exe	26
PID 2056 wrote to memory of 2628	2056	echcabfbcabeh.exe	26
PID 2056 wrote to memory of 2628	2056	echcabfbcabeh.exe	26
PID 2056 wrote to memory of 2648	2056	echcabfbcabeh.exe	24
PID 2056 wrote to memory of 2648	2056	echcabfbcabeh.exe	24
PID 2056 wrote to memory of 2648	2056	echcabfbcabeh.exe	24
PID 2056 wrote to memory of 2648	2056	echcabfbcabeh.exe	24
PID 2056 wrote to memory of 2704	2056	echcabfbcabeh.exe	23
PID 2056 wrote to memory of 2704	2056	echcabfbcabeh.exe	23
PID 2056 wrote to memory of 2704	2056	echcabfbcabeh.exe	23
PID 2056 wrote to memory of 2704	2056	echcabfbcabeh.exe	23
PID 2056 wrote to memory of 2540	2056	echcabfbcabeh.exe	21
PID 2056 wrote to memory of 2540	2056	echcabfbcabeh.exe	21
PID 2056 wrote to memory of 2540	2056	echcabfbcabeh.exe	21
PID 2056 wrote to memory of 2540	2056	echcabfbcabeh.exe	21
PID 2056 wrote to memory of 476	2056	echcabfbcabeh.exe	40
PID 2056 wrote to memory of 476	2056	echcabfbcabeh.exe	40
PID 2056 wrote to memory of 476	2056	echcabfbcabeh.exe	40
PID 2056 wrote to memory of 476	2056	echcabfbcabeh.exe	40

C:\Users\Admin\AppData\Local\Temp\0014b01e182206d99d4ca70d14083906.exe
"C:\Users\Admin\AppData\Local\Temp\0014b01e182206d99d4ca70d14083906.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\echcabfbcabeh.exe
  C:\Users\Admin\AppData\Local\Temp\echcabfbcabeh.exe 1/7/5/5/4/1/7/0/7/2/9 LklEPzkwMjMvMRcuTFA9TEg9PSkeJk0+T1JLUURJPTsoJCsra25uXXVccmVgZmA4TmRibVplXB8oP0RPU0JENjAuNiotGytCQkQ2LhcuSU1KQFQ8VFhHOzwrMTQwMhkvTENJVT5NWlFRRT1hcmtvMyoqb3FvLj1DSkomT0pMLDpQSSxATT9KGytCRUk8SUBDNhsqQDA2LSoeJkMrOCgtHyhELDskMBkqPzA8JjEZLTs0NigsHC5JUkhCTEJNWktOSE9BPFc0HyhLTUtDTkNNXTxURTw4HC5JUkhCTEJNWkk9TD49GS08Vz5aUE5LNiAoQ09EWD5IQEtCTj47Fy5BSk5QXjtSSFVKREs4MBwuTUg6TEJYSFBaUVFFPRktTUw2LRsrQ0wxNh4mUU5JT0VMPl9QQ0NCSEhARUw6Rz5TSUs2GypFUlhSTkxLSEZAOHBxbmUZLUlETVBNSkhHR1hTSkRLWj89WEw9Kx4mR0I/QFQ8KiAoR0pePVRJPUxCQ1hDRUJLVEtQRD09X19jcl4bKkBOUE5FTThDWERLOTMvLjAvJTIuKS4cLk1JRkM0MC0uKy0yMDYqNxcuPUpSSktIQT1dS0hGQDgwLis3KDAnMC4lLC45KzYzMzApSUgbK1Q6PRktTFFFOGNwc2klLF8cMV8gLWJmXnRrLF1oZWAzYGRsa21tZy1camghMV9SbmxLaGZgP2t2Z2xoX1tMWmlcY2RrX11jZ2todCAuZSsyKzApMSstLS4xKzIrIyllXWpyamtoYV1rWG1aYmBuJCtmYGNrNC8gLmJvHjNdLzAyLy4gLjVdJSxiKTYwLC0hMS9sHjFbMS80Ly8kKzZnIypjKiZrbm5ddVxyZWBmYCAvY0tlYmtYZl4gLTJlYmxebFhsXiAuYFFeaWZfXmQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:476

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704240971.txt bios get version
1⤵
PID:2540

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704240971.txt bios get version
1⤵
PID:2704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704240971.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704240971.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704240971.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704240971.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\echcabfbcabeh.exe

Filesize
382KB

MD5
d0b2460d9950437f9dd714aa144a76bd

SHA1
e62dd16d7ea3f81be516aee49e0d19ff524c2261

SHA256
b8bbd8ab50a735f4287746b9ae18e4923609e4190203eb34f72603d4ffe422c5

SHA512
e37caceadc342ab34a3724be6b14f87d0f4d989326ff9aa657cc3554a3b34bdf7c87e505c5fc9f2d9fb2525edba7bf475c579d084173f4dcfbe48b9849bb4b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst621E.tmp\kallqfcy.dll

Filesize
121KB

MD5
b3334929246529d6df2fb12aa7eaa7f2

SHA1
349ab1a9c6abdf84a27d4c8d5a355c2a5f691d3f

SHA256
2f404223e010337e39e5236d5e17a784b03a4e904068f6556f258043e4e893f7

SHA512
e82fcf1419229ac77fa806192325209940d3fc834a79d946b10bd27f3120c244d4c5373c03d53e73eadfc512144a1433d94e4fbd09d179221caf2dacfe6c30d7

Download Submit
\Users\Admin\AppData\Local\Temp\echcabfbcabeh.exe

Filesize
764KB

MD5
bd752e69baeb1c088bcef812e1f57b32

SHA1
3de77b55cef6e3fc949cd531d9809faa0b469da9

SHA256
7829a1f8f3d3a213a7e8b4bd9b03b7670173361c13b570ddaba06490abb7b7da

SHA512
ee9ff03549dda85bd179dbb3bcaf8e94ef7046eecb4dd998aea89404283e94f9d0b84c6dddb182c773c71ba82c25e4bcc8a70e1538b76e912af8073dc5e8a328

Download Submit
\Users\Admin\AppData\Local\Temp\echcabfbcabeh.exe

Filesize
381KB

MD5
7e9d014702878b224ccbf1be56589fbe

SHA1
6e45a36cf4e5b9d3c564eedfafeae81c137a9bda

SHA256
8ba6360cf3d73dd3ce03d93ef340d29a7700b4287ed65d4798e85174271726c5

SHA512
88b9dcd803f702f38bc81592dff7da5e03bb76770c2d9d758b1eb187281a5be434e6940b998a990dc05e86798493a853a18ff63905f99f58e49687894ef87be3

Download Submit
\Users\Admin\AppData\Local\Temp\echcabfbcabeh.exe

Filesize
92KB

MD5
dfacfcf11d72a4ef67c64cee2bc6d2b5

SHA1
4d18e2a0264fc7cc00f0582134cb648593920ca9

SHA256
f5cc07607984bc2dc2ef23fc3659f3aec386a74dbf5d11b2580bdd385f37916b

SHA512
2f42c54e719b3bef836b29dd4a58a279e35e2ea18860a22cd77627b26960763efe47cc269282c0410a6ad323aa81c59f484ad0276ffc8508856383f4484d6e99

Download Submit
\Users\Admin\AppData\Local\Temp\nst621E.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit