Analysis

  • max time kernel: 142s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/03/2024, 06:05

General

  • Target: c7df6ebac28de20ebbdf09f570d5c6b3.exe
  • Size: 642KB
  • MD5: c7df6ebac28de20ebbdf09f570d5c6b3
  • SHA1: cbe182de2a56a8d84d0aa80e37e1331ef1961422
  • SHA256: 21f8c57f7b987e665d400ff7542c34528aac712b6a1c45d18c336b22940478fd
  • SHA512: 33fc619f95f2832de08d7f0304dec588f3e1bacc9369316ca302bbd52c781a5d2130d20bf4450ae98cfd92035777739dce95105b10e798f082689729c4eb11c9
  • SSDEEP: 12288:c6ARp+7TjVtM3JvOT7MqYiTVMrLTn6sJIvPJTfUn6D8tExkrJ0mTQPT3RZTafc8Y:cBRpEOJvOTiwm6AI5bdw/Z8P7RZT386x

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe
    "C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe
      C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe 2^4^9^5^3^1^2^0^2^1^8 …
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1096
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
        3⤵
        PID:4440
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
        3⤵
        PID:4472
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
        3⤵
        PID:3432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 952
        3⤵
        • Program crash
        PID:1480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1552 -ip 1552
    1⤵
    PID:2304
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\81710396344.txt
    Filesize: 66B
    MD5: 9025468f85256136f923096b01375964
    SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
    SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
    SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

  • C:\Users\Admin\AppData\Local\Temp\81710396344.txt
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Local\Temp\81710396344.txt
    Filesize: 58B
    MD5: dd876faf0fd44a5fab3e82368e2e8b15
    SHA1: 01b04083fa278dda3a81705ca5abcfee487a3c90
    SHA256: 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
    SHA512: e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

  • C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe
    Filesize: 763KB
    MD5: ab63528ff6d78d76b683b002f4572360
    SHA1: 09bd7d4eaec671f0c99cb6b98f32bca75397349b
    SHA256: 4cf5c585a5770746ed1c99e45b17e51283307b53742de668d3186adc8ff8f9e0
    SHA512: fcf4344f9439efa5c54511048d802f4cd62dd0825b76836025ccbe9c484c2f55f830846bc75cd194bc62e919cc671d3484c8a23829f7dfa532b0e6db11486990

  • C:\Users\Admin\AppData\Local\Temp\nsc23B1.tmp\ZipDLL.dll
    Filesize: 163KB
    MD5: 2dc35ddcabcb2b24919b9afae4ec3091
    SHA1: 9eeed33c3abc656353a7ebd1c66af38cccadd939
    SHA256: 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
    SHA512: 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

  • C:\Users\Admin\AppData\Local\Temp\nsc23B1.tmp\docqoul.dll
    Filesize: 166KB
    MD5: 53151bef33d66c48ac125453d985793f
    SHA1: c7698b54280742fe8dc745ce736e8e4344c09477
    SHA256: 014565ad3a80d4767fbd327ea6b078fce2e80017cba355c302c91aa034984eaf
    SHA512: b2f3e118573c037bf759d2b7fb5ee5278abc574244d635d21eef0018aa062429fe03ad0a4256b1a1b1f16070d3819f99d728442a74e02d4ece7ceec5ea4ec041