2335af0f1f32c4457296f40e539330a294e8b21460cdb8755e715a0fec6be859

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1673ce11369e685bd9b1fa3dd7a8153.exe
Size

600KB
MD5

a1673ce11369e685bd9b1fa3dd7a8153
SHA1

34bd4ccc809222345246db9f611f474f382e1b32
SHA256

2335af0f1f32c4457296f40e539330a294e8b21460cdb8755e715a0fec6be859
SHA512

a1e6164e7777bf7e7c169276b99d43409830bd07910b4e2866a029e844e9d8174769fa343ee335b22f8b61af6f4542188cb9077f7bdecb2240212e19215a19b6
SSDEEP

12288:neHuihjaB44ZoATF87V4swu1JLb+MI7gK2YW7gPlXT:neOhu4/F8BTwu1JLbFTK2U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2516	ccecabffhbd.exe

Loads dropped DLL 10 IoCs

pid	Process
1364	a1673ce11369e685bd9b1fa3dd7a8153.exe
1364	a1673ce11369e685bd9b1fa3dd7a8153.exe
1364	a1673ce11369e685bd9b1fa3dd7a8153.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2516	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	1780	wmic.exe
Token: SeSecurityPrivilege	1780	wmic.exe
Token: SeTakeOwnershipPrivilege	1780	wmic.exe
Token: SeLoadDriverPrivilege	1780	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 1364 wrote to memory of 2516	1364	a1673ce11369e685bd9b1fa3dd7a8153.exe	28
PID 2516 wrote to memory of 2608	2516	ccecabffhbd.exe	29
PID 2516 wrote to memory of 2608	2516	ccecabffhbd.exe	29
PID 2516 wrote to memory of 2608	2516	ccecabffhbd.exe	29
PID 2516 wrote to memory of 2608	2516	ccecabffhbd.exe	29
PID 2516 wrote to memory of 2524	2516	ccecabffhbd.exe	32
PID 2516 wrote to memory of 2524	2516	ccecabffhbd.exe	32
PID 2516 wrote to memory of 2524	2516	ccecabffhbd.exe	32
PID 2516 wrote to memory of 2524	2516	ccecabffhbd.exe	32
PID 2516 wrote to memory of 1780	2516	ccecabffhbd.exe	34
PID 2516 wrote to memory of 1780	2516	ccecabffhbd.exe	34
PID 2516 wrote to memory of 1780	2516	ccecabffhbd.exe	34
PID 2516 wrote to memory of 1780	2516	ccecabffhbd.exe	34
PID 2516 wrote to memory of 2528	2516	ccecabffhbd.exe	36
PID 2516 wrote to memory of 2528	2516	ccecabffhbd.exe	36
PID 2516 wrote to memory of 2528	2516	ccecabffhbd.exe	36
PID 2516 wrote to memory of 2528	2516	ccecabffhbd.exe	36
PID 2516 wrote to memory of 1516	2516	ccecabffhbd.exe	38
PID 2516 wrote to memory of 1516	2516	ccecabffhbd.exe	38
PID 2516 wrote to memory of 1516	2516	ccecabffhbd.exe	38
PID 2516 wrote to memory of 1516	2516	ccecabffhbd.exe	38
PID 2516 wrote to memory of 2764	2516	ccecabffhbd.exe	40
PID 2516 wrote to memory of 2764	2516	ccecabffhbd.exe	40
PID 2516 wrote to memory of 2764	2516	ccecabffhbd.exe	40
PID 2516 wrote to memory of 2764	2516	ccecabffhbd.exe	40

C:\Users\Admin\AppData\Local\Temp\a1673ce11369e685bd9b1fa3dd7a8153.exe
"C:\Users\Admin\AppData\Local\Temp\a1673ce11369e685bd9b1fa3dd7a8153.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\ccecabffhbd.exe
  C:\Users\Admin\AppData\Local\Temp\ccecabffhbd.exe 7-6-4-8-9-2-7-9-8-4-4 KEpFPDQwKy0uHCtMTz5IQEI2JxgrSj5OU0dJSUI7NS0cKD5FS0tHPTQqLywxKxwnOkc9NCgcK0lMSzxMQU1WQUA5KywuLyweKEo9TlI+TFtNSUo2X2xwbDMpK2tccG8lbGRhJltsaCRiWmtZKmVnYGsYJkFFQDtHRT03HCc7LzYkKRwrPSw5JSgeKDsrOSkqGis8KzsmKBgrQC43KSkXLUlJR0BRPE5bSElHTzg7VTkZKUxKRkJOOkxbQU5GPTUXLUlJR0BRPE5bRjhLPjQYK0FRP1tNSUo2FydBVD5ZP0U7SkJFPTkcKEJLS0tdO0lHU08+TDkpFy1NPzlKR1JJUVdMUEU0GCtSRjcuGCZCTCg1HCtLT0pMQEs+Vk9BSDxJST1ASzo+PVFORTccJ0BRWElNSlBCR0E1a3BuXBgrTj5OUUpFR0c+V1FPPkxbPDhXTDQqHCtBQ0A9TzsqFydFT1g+VUY4S0I6V0FKPExVSEtDPTReXWhsXxwnO01QRURLPT1ZRUg0LzIpJjQtJyssLSUwLioYK1BCR0E1KDIrKy81LjIzMhgmQkhORkhLOj5bTEBLPjQqKy4tKS4oKDMjKjIwNTMvMiJHSw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81708763085.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81708763085.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81708763085.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81708763085.txt bios get version
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81708763085.txt bios get version
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81708763085.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4876.tmp\rtm.dll

Filesize
125KB

MD5
dcf5bed7cdb5677ce2eb2b53e3baf344

SHA1
af8e22a2a976bd33892a5fb73548b1e5a2ae63fe

SHA256
ae175ba3963a7c8d65f252266de0058630c9c7395b6e2f3b6b817a5285b8f544

SHA512
30ca7aa4b7f43deafbde4c90682d9eb611551b5c26a77d92427e8d17b307842914ef0cc1f1ed50809d34d2e8408a5dae4527406dd40dbd1a323c8bed492261fd

Download Submit
\Users\Admin\AppData\Local\Temp\ccecabffhbd.exe

Filesize
824KB

MD5
c0f2b4b899992f2bdc96f4f0f3b65e09

SHA1
bedd56cee52f89cdeb8beec0e1012792e0f450d6

SHA256
6cc66545a4ec5a2a2ee44ca4250a0b8b73fd4d1103d0e0ee97af0a3d18e59a34

SHA512
be2775c81030bc1ba52e512b7cd4c29da64aa35665e3a35898562ad3b826c358e46e217b6f4d0f0e28529a1903e768376f67d0f220e2c1095104aa4d01d4eb06

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4876.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit