2390bb8229ae505bf251a7d3fde22fc76978f65e97f415dceefd01371ed15b3a

Analysis

max time kernel
119s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 02:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

450836e3b07748277286be9eae4e1a26.exe
Size

575KB
MD5

450836e3b07748277286be9eae4e1a26
SHA1

a53fbad56e8730abe425ecb4b2f58038cb0ec6f8
SHA256

2390bb8229ae505bf251a7d3fde22fc76978f65e97f415dceefd01371ed15b3a
SHA512

22e1496264d01d565881e88119f8bff7d22ec1bb55d1e7d2cad4670ce81c9b925bc49eafb284b6a8ec198398ae5fd16421a16dc8f0c08c1062fda1f39ec4ded1
SSDEEP

12288:BUWG0rpwvoERqOf0BXxKwQVSPNy0wE6ZU2M2Ds8TPyIjpL5m2LQ:BUWfFc0OsRxKcElZU2/LVpL5k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	ecicabfbcabah.exe

Loads dropped DLL 10 IoCs

pid	Process
1716	450836e3b07748277286be9eae4e1a26.exe
1716	450836e3b07748277286be9eae4e1a26.exe
1716	450836e3b07748277286be9eae4e1a26.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	2696	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeIncreaseQuotaPrivilege	2760	wmic.exe
Token: SeSecurityPrivilege	2760	wmic.exe
Token: SeTakeOwnershipPrivilege	2760	wmic.exe
Token: SeLoadDriverPrivilege	2760	wmic.exe
Token: SeSystemProfilePrivilege	2760	wmic.exe
Token: SeSystemtimePrivilege	2760	wmic.exe
Token: SeProfSingleProcessPrivilege	2760	wmic.exe
Token: SeIncBasePriorityPrivilege	2760	wmic.exe
Token: SeCreatePagefilePrivilege	2760	wmic.exe
Token: SeBackupPrivilege	2760	wmic.exe
Token: SeRestorePrivilege	2760	wmic.exe
Token: SeShutdownPrivilege	2760	wmic.exe
Token: SeDebugPrivilege	2760	wmic.exe
Token: SeSystemEnvironmentPrivilege	2760	wmic.exe
Token: SeRemoteShutdownPrivilege	2760	wmic.exe
Token: SeUndockPrivilege	2760	wmic.exe
Token: SeManageVolumePrivilege	2760	wmic.exe
Token: 33	2760	wmic.exe
Token: 34	2760	wmic.exe
Token: 35	2760	wmic.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2696	1716	450836e3b07748277286be9eae4e1a26.exe	28
PID 1716 wrote to memory of 2696	1716	450836e3b07748277286be9eae4e1a26.exe	28
PID 1716 wrote to memory of 2696	1716	450836e3b07748277286be9eae4e1a26.exe	28
PID 1716 wrote to memory of 2696	1716	450836e3b07748277286be9eae4e1a26.exe	28
PID 2696 wrote to memory of 2880	2696	ecicabfbcabah.exe	30
PID 2696 wrote to memory of 2880	2696	ecicabfbcabah.exe	30
PID 2696 wrote to memory of 2880	2696	ecicabfbcabah.exe	30
PID 2696 wrote to memory of 2880	2696	ecicabfbcabah.exe	30
PID 2696 wrote to memory of 2760	2696	ecicabfbcabah.exe	32
PID 2696 wrote to memory of 2760	2696	ecicabfbcabah.exe	32
PID 2696 wrote to memory of 2760	2696	ecicabfbcabah.exe	32
PID 2696 wrote to memory of 2760	2696	ecicabfbcabah.exe	32
PID 2696 wrote to memory of 2612	2696	ecicabfbcabah.exe	35
PID 2696 wrote to memory of 2612	2696	ecicabfbcabah.exe	35
PID 2696 wrote to memory of 2612	2696	ecicabfbcabah.exe	35
PID 2696 wrote to memory of 2612	2696	ecicabfbcabah.exe	35
PID 2696 wrote to memory of 2132	2696	ecicabfbcabah.exe	37
PID 2696 wrote to memory of 2132	2696	ecicabfbcabah.exe	37
PID 2696 wrote to memory of 2132	2696	ecicabfbcabah.exe	37
PID 2696 wrote to memory of 2132	2696	ecicabfbcabah.exe	37
PID 2696 wrote to memory of 1084	2696	ecicabfbcabah.exe	38
PID 2696 wrote to memory of 1084	2696	ecicabfbcabah.exe	38
PID 2696 wrote to memory of 1084	2696	ecicabfbcabah.exe	38
PID 2696 wrote to memory of 1084	2696	ecicabfbcabah.exe	38
PID 2696 wrote to memory of 2808	2696	ecicabfbcabah.exe	40
PID 2696 wrote to memory of 2808	2696	ecicabfbcabah.exe	40
PID 2696 wrote to memory of 2808	2696	ecicabfbcabah.exe	40
PID 2696 wrote to memory of 2808	2696	ecicabfbcabah.exe	40

C:\Users\Admin\AppData\Local\Temp\450836e3b07748277286be9eae4e1a26.exe
"C:\Users\Admin\AppData\Local\Temp\450836e3b07748277286be9eae4e1a26.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\ecicabfbcabah.exe
  C:\Users\Admin\AppData\Local\Temp\ecicabfbcabah.exe 3#2#1#7#4#5#4#6#8#5#6 LE5IPTksNS0uLhosUVQ7TERANygbKUtDU1BLTUdDPDgrIjAvaW5qYG9bb2hea2Q2TmBlZ1liXx0tQ0JPT0U+NS0xNC8xGSs+RT41KxosTlFIQFA/TldEPjowNTIwLhwpS0BMU0NRWFFNSDdgb25tOC4ob21yKDxATUgrU0hMKD1KSClDS0ROGSs+SEM7RkNBOx8oQCw5JykbKUEwPCYtGys+KzgnLh4uPTA4KSsYKj4yOywqHCpMTEc/T0BSXklORFI7O1Q3HS1PS0s/UT1MWj9SSkA2HCpMTEc/T0BSXkc9SEE3GCo/VUNeTk5HORonQFJCXUJGQEdFSD04GixGTkxQWj5MR1JNQlA8LhwqUEI5SUVWTVRYUU1INxgqUEo7MRkrP08rNRspT1NNTUVIQVlPQEZATUw+RUg9QT1QTEk7HyhFTltMTUlORktENnBtcV8YKkxCUlRLSkRKQVdQTUJQXj09VE83KhspRUdDPlQ4LRonRE1cQlhHPUhFPVdASEBQWElQQEA3XlxmcGMfKEBKU0hESjtBXUhJOS0tMCYsMCsvMykqLiwaJ09DSkM8KjAuLCwtNC8yMx8oQEpTSERKO0FdU0JJQDkuJy0yLDAvKjElLSoyLDM3LzQjTEgcKU08Nx0tVEtIOGRubGsfMF8kK2IgLmBfYG5vLGViaGA0Xl1uZXFtbydfamkfKmFMcmxTYmlgQGlvaWZsX2NGXWldYV1tWWFjb2VrdCEsXi0sLzAxKy4tLiwqLSwvIzFfYGpzaGRqW2FrYGddYmFsHS1gZGNzLjIgL2BoIC1hLzgsMi4hLC5fHzBiMTAzLC4fKjFmIjFjKzI0MC0dLTBrIzJdLSZsbGdfb2BybVppYCEtXE1fZmtgYGEgLjBeZGZibGBmYSAvXkpgY2pfZl4=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704507747.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704507747.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704507747.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704507747.txt bios get version
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704507747.txt bios get version
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ecicabfbcabah.exe

Filesize
245KB

MD5
7bc19cb8436d0455226e048fcbdb855e

SHA1
649d13dabe6ea44de35dce35bc9cb1a2dc1ccdf3

SHA256
c16195273d06e70aa4c65699c85d9324ac0b6368373f85f494cf0e61c1c632f9

SHA512
96ecc101525a0a1f22d1b3f431caedf1115a2968cb42ac5e9240a68d2b53a209b2e8d33a3f686b39d84040cd7ecf14cdfae7bf9377daf97ad81dbe27a0ffd9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso60C7.tmp\adsfad.dll

Filesize
121KB

MD5
a36c4fdf2a6fa3d53efd45137f13c95e

SHA1
41bc175214429a404b35bd671f65330b4244bf7d

SHA256
4606ff886cf287ac12653f1f284f390f047e8f103db8a3b97d3993671371e67d

SHA512
6b8cb70f60a035af016e92eb71551c3520b6d79889b04275e8eea4949d17b6e5a09cad5107ee1774af8af9d6efaa9e040bdc1ac1860bd8525f328d77e04eda27

Download Submit
\Users\Admin\AppData\Local\Temp\ecicabfbcabah.exe

Filesize
381KB

MD5
a3a13bdf6939b82ed6bdcf5ec8d61cfb

SHA1
cb0ec02365e05afab1f5ba495584f25806c7e491

SHA256
9bc9bcbe315b21cc966042dc40fc293d6dc7f71c6554ab74be59f06a4bfc5c20

SHA512
eede4056ee6fb7b9cf14c6b19cef8d4d8bc8371c7cf4ecc43c351613e4c74cc2323be9fbd406043c9d6116b2c2d2921d4640bb3c98ae86f6fc97004b0a1727e3

Download Submit
\Users\Admin\AppData\Local\Temp\nso60C7.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit