f3459c1261078b4c3c1b5c9045f2bc3a1a43522ceaecd3ead28a2aa952b5794c

General

Target

217ebd8064afe605787d5e2075fdd3dd.exe
Size

698KB
MD5

217ebd8064afe605787d5e2075fdd3dd
SHA1

e105e719427f847eff6afe30d1626699729d169a
SHA256

f3459c1261078b4c3c1b5c9045f2bc3a1a43522ceaecd3ead28a2aa952b5794c
SHA512

2b81eae0e4ccac587a0103de3a3046985e71e2bf2c962ca60f991af00f09e0a8ffa01f660f08c13af398cd70582505940fda2387e77e9740e972cfe4d6b88c15
SSDEEP

12288:47D3AXrtoYYmphN2PEqibCISU6PzC5yMFURpgOgwfKkiSOb1erU9JgjgI:47sXrRY4hN2cqi2IqzqUROQfKkiSORwj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1332	cbgcabfifcca.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	217ebd8064afe605787d5e2075fdd3dd.exe
1980	217ebd8064afe605787d5e2075fdd3dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3308	1332	WerFault.exe	20

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: 36	1216	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1332	1980	217ebd8064afe605787d5e2075fdd3dd.exe	20
PID 1980 wrote to memory of 1332	1980	217ebd8064afe605787d5e2075fdd3dd.exe	20
PID 1980 wrote to memory of 1332	1980	217ebd8064afe605787d5e2075fdd3dd.exe	20
PID 1332 wrote to memory of 1216	1332	cbgcabfifcca.exe	22
PID 1332 wrote to memory of 1216	1332	cbgcabfifcca.exe	22
PID 1332 wrote to memory of 1216	1332	cbgcabfifcca.exe	22

C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe
"C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe
  C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe 7-3-0-4-9-1-6-8-6-8-9 KE1JQDQwLy0zKxcoUFU+R0g+NSoYJkdCVFNGUUVBPjUoGSxERUpTQzw3KigsMTMcJkJDPDcoFyhNUks7VD1MWUE7Ni8wMCowGidNPUlPQlJbTFFGNWJsa2k3LytqZGxuKGxfXiphbGcsXlluWSVia2ZrFy49REM7QkJBPRwmQys1JykXKEEyOSQwGic+KzQmLiArOzM3JSsYJj0yPSkoHylITEc7TkBUW0dRQ047O1A2HS9MSU4+TT1MVj5STD00HylITEc7TkBUW0VARz03QlhvXiArPFc/V09KQzZldHBnOSknZFltWmFsKmp0aCZdZ2QodGVeWG9qaylcZnBrbGtYYyk5b2xmPUk/PmxtXmRfQVs2NjUtKTIaJz9QPFhATUBDSEg9NxgmQUxTUFZBTEdRSzxLOjIcJlNCOUhDUEhSX1FJSzcYKU5ENi8gKztSKzUaJ0lOS1RFRERZTz9EOkhKRUVEQEE9T0pDNh0vRUpeTE1ITEBGQj1waXRfGClKPE1SUkpATUFXT0s8S1xEPVBSNyoaJz9CQUVUNDAaJ0NLVj1WTj1ESD1XP0Y6S1ZQUDxDN15bZGpeHS9ARlZIREk5O1hGUDkuMigqKyYoMTIuLTA2GidOQUQ+OjEwKTMrKS8sMCodL0BGVkhESTk7WFFJSTw8LCcrLiYrLTExITY0KzIyKConUEk=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 868
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
    3⤵
    PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe

Filesize
92KB

MD5
70d0250d46ec32293e53cffd7d1b1dea

SHA1
6c4dce96bbff849b44c14e87c8b044223e25d57b

SHA256
5d2bc8884862a5a2140b47282ec4f2bb87ef358216062bfe8925c96f4e740799

SHA512
1e1a64c3f10bc499ee7a72fd817970f8e30f2aede8bfb055f34bddeeb63ff636bdbbf7910ac11e5d95830a52e912654832c4c9a267be71df6b5fe1b6a4e78fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv48B2.tmp\koi.dll

Filesize
120KB

MD5
ff3ac96d9d128501b224b26ad4b85486

SHA1
ce85c8ee340921b8660f6ad14b5429b3703b6bf5

SHA256
44b5ee3459781f5ca44873c738ca16b050b4101c49dcf8b0da556775be189963

SHA512
a2ab56bf0de5075817a600bb4cca472e82b8f207f5fbd886bbab3e4a8a58b7ed9acc180bbbd3c5646b9c52189962be468dc30fb48f66ade6aa87d3ec8f61e42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv48B2.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit

Analysis

Sharing