169eafbbe094f1079902b3819f8335f359a018cc9e628d7b6815d2a011f3c91e

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcefe0fd43049b20d9358bcbb6e86f2.exe
Size

624KB
MD5

2bcefe0fd43049b20d9358bcbb6e86f2
SHA1

48f2d44b45f7d3ff89b97e9cc3f90b52ba89ce30
SHA256

169eafbbe094f1079902b3819f8335f359a018cc9e628d7b6815d2a011f3c91e
SHA512

9bcb8e2ee752f2ff860325191ba0a47d69773f070ecfbbff326ed74d5719c65e1d30891e34854a96d88a8f45a69b55f9186ea05841191bf6a26c83b7321d0d15
SSDEEP

12288:Gb5zSNvCTAUJBOelNgt6FDc+yhorVIK/hIH9b4gR85ap/Mr9GijgdTJ777NXH:Gbl/TAUJkelN+acJhoBIK/eHR4gR9pso

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	dcbcabfcdgg.exe

Loads dropped DLL 10 IoCs

pid	Process
860	2bcefe0fd43049b20d9358bcbb6e86f2.exe
860	2bcefe0fd43049b20d9358bcbb6e86f2.exe
860	2bcefe0fd43049b20d9358bcbb6e86f2.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	2836	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe
Token: SeSystemProfilePrivilege	2704	wmic.exe
Token: SeSystemtimePrivilege	2704	wmic.exe
Token: SeProfSingleProcessPrivilege	2704	wmic.exe
Token: SeIncBasePriorityPrivilege	2704	wmic.exe
Token: SeCreatePagefilePrivilege	2704	wmic.exe
Token: SeBackupPrivilege	2704	wmic.exe
Token: SeRestorePrivilege	2704	wmic.exe
Token: SeShutdownPrivilege	2704	wmic.exe
Token: SeDebugPrivilege	2704	wmic.exe
Token: SeSystemEnvironmentPrivilege	2704	wmic.exe
Token: SeRemoteShutdownPrivilege	2704	wmic.exe
Token: SeUndockPrivilege	2704	wmic.exe
Token: SeManageVolumePrivilege	2704	wmic.exe
Token: 33	2704	wmic.exe
Token: 34	2704	wmic.exe
Token: 35	2704	wmic.exe
Token: SeIncreaseQuotaPrivilege	2704	wmic.exe
Token: SeSecurityPrivilege	2704	wmic.exe
Token: SeTakeOwnershipPrivilege	2704	wmic.exe
Token: SeLoadDriverPrivilege	2704	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 860 wrote to memory of 2836	860	2bcefe0fd43049b20d9358bcbb6e86f2.exe	28
PID 2836 wrote to memory of 3056	2836	dcbcabfcdgg.exe	29
PID 2836 wrote to memory of 3056	2836	dcbcabfcdgg.exe	29
PID 2836 wrote to memory of 3056	2836	dcbcabfcdgg.exe	29
PID 2836 wrote to memory of 3056	2836	dcbcabfcdgg.exe	29
PID 2836 wrote to memory of 2704	2836	dcbcabfcdgg.exe	33
PID 2836 wrote to memory of 2704	2836	dcbcabfcdgg.exe	33
PID 2836 wrote to memory of 2704	2836	dcbcabfcdgg.exe	33
PID 2836 wrote to memory of 2704	2836	dcbcabfcdgg.exe	33
PID 2836 wrote to memory of 2632	2836	dcbcabfcdgg.exe	35
PID 2836 wrote to memory of 2632	2836	dcbcabfcdgg.exe	35
PID 2836 wrote to memory of 2632	2836	dcbcabfcdgg.exe	35
PID 2836 wrote to memory of 2632	2836	dcbcabfcdgg.exe	35
PID 2836 wrote to memory of 2104	2836	dcbcabfcdgg.exe	37
PID 2836 wrote to memory of 2104	2836	dcbcabfcdgg.exe	37
PID 2836 wrote to memory of 2104	2836	dcbcabfcdgg.exe	37
PID 2836 wrote to memory of 2104	2836	dcbcabfcdgg.exe	37
PID 2836 wrote to memory of 2868	2836	dcbcabfcdgg.exe	39
PID 2836 wrote to memory of 2868	2836	dcbcabfcdgg.exe	39
PID 2836 wrote to memory of 2868	2836	dcbcabfcdgg.exe	39
PID 2836 wrote to memory of 2868	2836	dcbcabfcdgg.exe	39
PID 2836 wrote to memory of 1624	2836	dcbcabfcdgg.exe	40
PID 2836 wrote to memory of 1624	2836	dcbcabfcdgg.exe	40
PID 2836 wrote to memory of 1624	2836	dcbcabfcdgg.exe	40
PID 2836 wrote to memory of 1624	2836	dcbcabfcdgg.exe	40

C:\Users\Admin\AppData\Local\Temp\2bcefe0fd43049b20d9358bcbb6e86f2.exe
"C:\Users\Admin\AppData\Local\Temp\2bcefe0fd43049b20d9358bcbb6e86f2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe
  C:\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe 5-9-0-7-3-1-5-1-8-7-6 KkdJPTo1NDgsGSlOTEJJRkM4LxgoSEBLV0hPSkRDNSoaKjtJTFFIPzwxLC0xFy88RkM4LxgoSk1GRE5AU1pIPDYyMi83GSxSQFFOPkxaTFJFOmdvc2gzKSpqcm8rQ0BSQyZOSkctOk1PKUhGP0kbJkNFRkJGSDw2Gio7MTYqMBsuPCs3KCggKEEyOCwpGSk/Kz0mLh8qQy02JywXL0lPTj9UO01ZS0lJTz5CVDwYKEpNRkROQFNaRE1FOzgXL0lPTj9UO01ZSThNPjp0T25qa19pa19MYnNwbxgoP1M8X05PSzhnbG1qNSYvXWx2aWtnWl4oZWVwK3RvbmprX2lrLlxsbCpuayhxZGVkaHRyKnNqWl1mJnNtXmFnZCdeaF9nb2Jrcyp0bGhsbVxubSwfKkRQPlk+RERFRk1APBgoQkpKVFg/UUpWSz5MOCwgKFFHPE1DUklQVlVLSTwbLk5GNy0XLz1QMDg2KCwxGyZSTktTREw9WFFAQ0NISkRETDlAP1BJTDYdLkRSV0tPSUtJRkI8b3FtXhoqSUVNUlFJSEZAWVBKRUtcQzxYSzYsGyZIQkFEUzwpGSlESl89Vk08TEE8WUBFQ0tWT09EPDZgXGNzXh0uP05PR0ZKOERYRk84My4nLiwlODIrNDMfJ01DSDw9KjExMTgtLjArMCAoQU5STURIOz9WVEJKRDgyJysrKikwKjIpLzkrLDQtMCpJSg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704192587.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704192587.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704192587.txt bios get version
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704192587.txt bios get version
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704192587.txt bios get version
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704192587.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704192587.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704192587.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
114KB

MD5
b0ab52ea877d078aafcc83ab69d08f1b

SHA1
3c6458106ef522f8385e112202f47723ff777d76

SHA256
3f88a77e58200675a13c0a19feb735a9524e095cd26634ae8aa7d617601240ba

SHA512
da53838450818e86b572f182f45aa5551eb6e6ef07e78774b88a0d60dbdd168aa83624b705563dc0376616493433c4f2c5ba0c2641f44ed4b3ad40b2888f7c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6865.tmp\hjitj.dll

Filesize
152KB

MD5
2ecf9b2f329e33c43fe2e3215d92253f

SHA1
c9e1ae862c3700120b93ccc8a1992cc67b3b0206

SHA256
ac31d5f46cd2c64fecb9de96a6039f073228b65f9645f8317e556dac8224fb50

SHA512
2299f10d88877768b4cd3dd7cbd1d1d62dce9c518add546717cc945522e467038f35f0b7436f02d8f3afdd7e896a3bfb8a3b0c1702165b2a0eee73f47c61688c

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
105KB

MD5
e3236e0ee2d459158f258c8425dd6ef6

SHA1
f45d01c8678cebdfcc55b70b34cc877e4e88d392

SHA256
5a1f9203fc90bb41274af85e45adc739ea5b33717962264e7788d41a5ba96229

SHA512
d8c3dcaf230de29fb5ca45a747daf3fa5b7a5779d36cf7f057d933ade0cc8810ae5e562732878ed89b6252822319e7047c7fe2461d5d20c8c0531abc0798d93e

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
434KB

MD5
04b0f416279fa305bf09ec56654b1ba6

SHA1
78702d77a25da056ee4c990768319671cee77ed8

SHA256
7f8e8118dcc5b20173c7fca87a7d9bb5f5d1f9fd49bee1a804f6441bf894d437

SHA512
f4d09744dd72acb62d9bce4da0a0751edef4684373d6ebb2c0fa0596cf2f94394b49b74e18df19ad436da5b9acfaead8e5018a1a640c77a487b29d3222bf71c1

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
598KB

MD5
b66df9568aeb4882e3090f2a89061742

SHA1
4f0ad493d87595d8c82e8cfe7076d6c6d81204a6

SHA256
e8c325d6b4e19a21dd73dece36facd4b6797f8608f7d63706095003dd5c99ee4

SHA512
986c5c60f583803fac7ddc1c64164c86ace6a44a7be9ec304e15c08ebe8c41fa8aeb0fabbe2228457e6dc5fc8a89d606d9eb4d19b6fdbdaff2ce796729385d16

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
587KB

MD5
d4ef8fd1b9ca9981cad1371544cf8d5d

SHA1
d104c735212b085de06b2c9b398b1e86eb55f67c

SHA256
cebef18625d367aa0ddc7949ee5fa169f0611a895749d2a85f8f4078f00df7a0

SHA512
dab52cd161d3558bd916e2e8b791a5eaa98233743e087b322c07d61f2c6122386d30ecdd2d97031095a90a4180bbea5677d36c6b9cd241d3370ab32583744b98

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
617KB

MD5
54fe88caa7945d5814235dd603a5f1fc

SHA1
46e0510047fbd0c254de3512c6d3068c74d7e37c

SHA256
3410fe752ae125f5df352cd11f0c421a537d1a81e4e01d648f4761518ba1af8d

SHA512
4383e77f022d1e2a1bb802f8423ac4c70e313849832e1b7fdcaf9f73879c3ed2017f4b17a2a1f349097c453165f13d39e8445578ef7e39b688b0a0735b7c44a9

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
506KB

MD5
f5af20590d3b782a34e362b3903291b1

SHA1
5e3b4b55a7e7d2138d3f2758a8952b15d1f3ead7

SHA256
0eb3a483ad4962a5ba7d0347a4955117d56eb6b37331ceadc8d45205ad433ab2

SHA512
3a76145e24c57d5e60cee596e2574a48a2b5b3726122440ba648ae9db2706ded4b1c43696b950dc1a4faf35a1cfe7094398ce2f54aa07dd7c0a89ea05be6d830

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
480KB

MD5
e886ecdcda2c5a7953ba180984d81785

SHA1
9e1e41e68fc45c58bd31bc6a230fe27df16acb46

SHA256
3c8012959ffd1961856e31b0283feff1e0169dd8259a42acea164215d9c90e6d

SHA512
745609fded205824f17244e11755b8cab99b7e85f68246d1caeee367ba05a3418a835137b25da1e771e8d7ef43b6ad78ab9127455dfce98afc87458c2750840b

Download Submit
\Users\Admin\AppData\Local\Temp\dcbcabfcdgg.exe

Filesize
363KB

MD5
6fc997e488b2fa728fdcc21f58d6bd2a

SHA1
0db1e1031f21540559a2c7ee656433606b2bcf02

SHA256
137567d7eb605bc2b5d22ef59c6f3a85f303669c122790a8a8586ca0fb9c34d2

SHA512
043182d44c5547c8844d665e7ed75ebb2b21830f87c12ce61776ce0c611a10457e7baf5966d4086c7fd90bb6952666ed0797e1d9ce8d755f9c6004b7a092c821

Download Submit
\Users\Admin\AppData\Local\Temp\nso6865.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit