3e99395c5a6bce5bd7fc497c7ceac1398e2e2cf3ff490b0b08b0a850f6d036d7

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccb8a67f16958d3647f4a693cc11f593.exe
Size

581KB
MD5

ccb8a67f16958d3647f4a693cc11f593
SHA1

18d85b968085c87a3d034875f0f7879642b7b99d
SHA256

3e99395c5a6bce5bd7fc497c7ceac1398e2e2cf3ff490b0b08b0a850f6d036d7
SHA512

8d2dd4885394f38bf8f70bbc9d9c382ebc01a7ce7723efd0973047ba212f4fdcf3b3471e6459796a0ec048c0ab25bf1eb647c950a72cfb16f11bb5e833399f71
SSDEEP

12288:oibnu+nlsKDPNvWrLxxn8RvW8bqO1OVtOXZGGBJ763c:oMta4PN0c+8OOeAGGBR6s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	1431496922.exe

Loads dropped DLL 11 IoCs

pid	Process
2908	ccb8a67f16958d3647f4a693cc11f593.exe
2908	ccb8a67f16958d3647f4a693cc11f593.exe
2908	ccb8a67f16958d3647f4a693cc11f593.exe
2908	ccb8a67f16958d3647f4a693cc11f593.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
560	2688	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2164	wmic.exe
Token: SeSecurityPrivilege	2164	wmic.exe
Token: SeTakeOwnershipPrivilege	2164	wmic.exe
Token: SeLoadDriverPrivilege	2164	wmic.exe
Token: SeSystemProfilePrivilege	2164	wmic.exe
Token: SeSystemtimePrivilege	2164	wmic.exe
Token: SeProfSingleProcessPrivilege	2164	wmic.exe
Token: SeIncBasePriorityPrivilege	2164	wmic.exe
Token: SeCreatePagefilePrivilege	2164	wmic.exe
Token: SeBackupPrivilege	2164	wmic.exe
Token: SeRestorePrivilege	2164	wmic.exe
Token: SeShutdownPrivilege	2164	wmic.exe
Token: SeDebugPrivilege	2164	wmic.exe
Token: SeSystemEnvironmentPrivilege	2164	wmic.exe
Token: SeRemoteShutdownPrivilege	2164	wmic.exe
Token: SeUndockPrivilege	2164	wmic.exe
Token: SeManageVolumePrivilege	2164	wmic.exe
Token: 33	2164	wmic.exe
Token: 34	2164	wmic.exe
Token: 35	2164	wmic.exe
Token: SeIncreaseQuotaPrivilege	2164	wmic.exe
Token: SeSecurityPrivilege	2164	wmic.exe
Token: SeTakeOwnershipPrivilege	2164	wmic.exe
Token: SeLoadDriverPrivilege	2164	wmic.exe
Token: SeSystemProfilePrivilege	2164	wmic.exe
Token: SeSystemtimePrivilege	2164	wmic.exe
Token: SeProfSingleProcessPrivilege	2164	wmic.exe
Token: SeIncBasePriorityPrivilege	2164	wmic.exe
Token: SeCreatePagefilePrivilege	2164	wmic.exe
Token: SeBackupPrivilege	2164	wmic.exe
Token: SeRestorePrivilege	2164	wmic.exe
Token: SeShutdownPrivilege	2164	wmic.exe
Token: SeDebugPrivilege	2164	wmic.exe
Token: SeSystemEnvironmentPrivilege	2164	wmic.exe
Token: SeRemoteShutdownPrivilege	2164	wmic.exe
Token: SeUndockPrivilege	2164	wmic.exe
Token: SeManageVolumePrivilege	2164	wmic.exe
Token: 33	2164	wmic.exe
Token: 34	2164	wmic.exe
Token: 35	2164	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	1888	wmic.exe
Token: SeSecurityPrivilege	1888	wmic.exe
Token: SeTakeOwnershipPrivilege	1888	wmic.exe
Token: SeLoadDriverPrivilege	1888	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2688	2908	ccb8a67f16958d3647f4a693cc11f593.exe	28
PID 2908 wrote to memory of 2688	2908	ccb8a67f16958d3647f4a693cc11f593.exe	28
PID 2908 wrote to memory of 2688	2908	ccb8a67f16958d3647f4a693cc11f593.exe	28
PID 2908 wrote to memory of 2688	2908	ccb8a67f16958d3647f4a693cc11f593.exe	28
PID 2688 wrote to memory of 2164	2688	1431496922.exe	29
PID 2688 wrote to memory of 2164	2688	1431496922.exe	29
PID 2688 wrote to memory of 2164	2688	1431496922.exe	29
PID 2688 wrote to memory of 2164	2688	1431496922.exe	29
PID 2688 wrote to memory of 2080	2688	1431496922.exe	32
PID 2688 wrote to memory of 2080	2688	1431496922.exe	32
PID 2688 wrote to memory of 2080	2688	1431496922.exe	32
PID 2688 wrote to memory of 2080	2688	1431496922.exe	32
PID 2688 wrote to memory of 1888	2688	1431496922.exe	34
PID 2688 wrote to memory of 1888	2688	1431496922.exe	34
PID 2688 wrote to memory of 1888	2688	1431496922.exe	34
PID 2688 wrote to memory of 1888	2688	1431496922.exe	34
PID 2688 wrote to memory of 2436	2688	1431496922.exe	36
PID 2688 wrote to memory of 2436	2688	1431496922.exe	36
PID 2688 wrote to memory of 2436	2688	1431496922.exe	36
PID 2688 wrote to memory of 2436	2688	1431496922.exe	36
PID 2688 wrote to memory of 2856	2688	1431496922.exe	38
PID 2688 wrote to memory of 2856	2688	1431496922.exe	38
PID 2688 wrote to memory of 2856	2688	1431496922.exe	38
PID 2688 wrote to memory of 2856	2688	1431496922.exe	38
PID 2688 wrote to memory of 560	2688	1431496922.exe	40
PID 2688 wrote to memory of 560	2688	1431496922.exe	40
PID 2688 wrote to memory of 560	2688	1431496922.exe	40
PID 2688 wrote to memory of 560	2688	1431496922.exe	40

C:\Users\Admin\AppData\Local\Temp\ccb8a67f16958d3647f4a693cc11f593.exe
"C:\Users\Admin\AppData\Local\Temp\ccb8a67f16958d3647f4a693cc11f593.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\1431496922.exe
  C:\Users\Admin\AppData\Local\Temp\1431496922.exe 0)1)6)5)4)5)1)3)8)9)7 L09DPzktNzIYJkxVQUpEQDgvHSdFPlRWSU1HREM6KRcoREhNT0U/PC8tKTAyHyk+RT88LRgmSVJOPlA/T15GPDQrNDMtLhwqUkJKTT5SXk9NSDhncWxnMy8ubW1yKUNCS0ImVE5KKD1LTytBRT9PHyk+SERCSEE7NjUyMWFhMmA2WVouYjMyXV9cYS0uXVswZGBcYS02NCssGS9DKzgpLB8sPCk2LTAaKkAuPCopFyhEMzcoLRsuQS00JjEfKUtOSkNSO0tYUFFDUT0+WDoYJklSTj5QP09eQk1DOj0fKUtOSkNSO0tYTkBHQDlFYHNZFyhFVz9aUU1LOmBrbXA5KSpfX20rWllcZG0rKV9qbCxiaV4tN28tMSh2ZmZbaHdyJ2QxMzUrXW9eIC4/U0FaQko8Q0JORDcbK0NOUExWO1JOUU5BTTwvGCZNSEBIRlVKVFxNSUU9HylRSTgxHSc7TDE8WzFdLWFhKFksMzEuLzAwY14wWVs1ZDMyLi8wNl4vWjcfKU1RSVNGRTxYV0RGPktIREZFOEBFVExHORsuRktWS1VNTkRJQDxxamxeIC5MQFBQUUtBRUBfVE1ATlpDPlFKNjIfKUNFP0RVNSgZL0hNWkBUTT5FQDxfREg+TlRPUT07NmZgZm5hGy5BR05HTE47P1tETzoqJywuNiopLTE1Ky8uGS9TQ0hBODAxKyguMDIyLTEbLkFHTkdMTjs/W09ISj00Li8wLSouKzAyIi4zNTY0KzElQEoYJk5BPEdqdmRraVkcK2Y0KCsnI1ZmZltod3IlSVAmNSspHCxiKlFKUzEzJiM4aXBrX1JhXUpmbBwrZjQtMiouNSggQkFUTEYgLl4qaWFiXitGX15naigoO19rb2xfIC5hMy8mJycyMissKiwyMiNKWmZgbGQhLWUyKy4nMzUaKlFNSzpga21wJC1cIS1lIipdYGVzbCksLC81a19ocC1jaWJqJC9eSW5uU2NoYT9udGZjaGFjR1xqXGZialZdZW9manUgMWMpKywxNCouNC00IipdKjQyKzAsLjcvLRwrZjAuLi0wLzAwKS4lMmA0NTE0MTEnLDIyK1Noc3RKPEgrY0NpckpPUGFPcVx0TE1mL0d4T2hHPGtxRmQwcUdULC1FeU1wXFNVZGA+MGtiay9tVWV2NFJlP3BgQVVkVFJpQ1BAVlhTUj5wR1NFLVF6TWFGUmdkSCkrak14MnRJT0xwTyhseldmZi1UaWAoRExzbkctQStWQVthUjNVZV1DZ2xMP0lrZEYqZUlCQGBDTjpnS2YsZlRWdGpQT2xgUmhnb0lURmpaeUhyU1NBclY7Ym9kUjJ1R2lZZFJNLnFiLGpwVWlKKUVMVmJdaD1kVjBkaVEyb2lSaVFhXj88KVNrLytUZFVhUT5TZ2BmY3BUaXFvUUB0cltkQmFYL2ReWldZZEk/cnNKZUFcTjAuLlRoSHBPSi16V2ZrZFN4MXJRT2ttUi1CX1dBQSdHVEAqQ1M9Y15lZilNaEgvVmg3LUNI
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710551349.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710551349.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710551349.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710551349.txt bios get version
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710551349.txt bios get version
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81710551349.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1431496922.exe

Filesize
788KB

MD5
bd3bc4a00de77d4a5f673af52adf22a3

SHA1
c546ed8ac5e3dab7eda502c56c18af4ee4aff685

SHA256
52f7b065b46daff1434ff990a4d1d63f807e801daf460406a288be5278d1924d

SHA512
b3ef48c9039d55623184c888dc5a87a3d2472d40766d7bd3a2908a0366c16bb0acf3e46ced74d2311920f72447f3dde620e43df22a047b4cc6ee62d6dea41557

Download Submit
\Users\Admin\AppData\Local\Temp\1431496922.exe

Filesize
685KB

MD5
36fcdd7f48b0f84e063408da46d899f2

SHA1
31ed7a687910f8c0f9cd5b502ff5154b4a46075b

SHA256
8ffef7fb9b07f83396c55249801d3679e10e06f67aab78bd03b95d4f3b726b43

SHA512
7d90f3c6beff787fd6b36a965c51fb3d6cfb29a84a7a584d9046b8d6157e3aa9e7d2abd00153b55f25cf471016b6ce7777d437787671faf5a59bcf082a6dfb0e

Download Submit
\Users\Admin\AppData\Local\Temp\1431496922.exe

Filesize
577KB

MD5
d88c7c571c051fa53d18f7e5ad19aaf8

SHA1
585df6983b35f9a73dc800b4d410705464352280

SHA256
013ab5fbc1ff30049b45b7a977bde420864c1b68dc6e93301a11c4a0bcca187d

SHA512
7d881b6f5d29d60f7082d7a142260335e654559d86ff5335622e9bcb03ef4795980b8a21b4a370a0bf2df92e6d1efbd11bc0415c270e9bfb1e829e5ebf026eb3

Download Submit
\Users\Admin\AppData\Local\Temp\1431496922.exe

Filesize
650KB

MD5
ae25e883440bf96231188c18ac865045

SHA1
43187e9237d7bc7b346c49f4182f87434d2abdd6

SHA256
3f8df1ad5a5eac9d1768c11de66d321e809a8c151a38b6e4b6a1ca13765ed8f0

SHA512
52163af785b08316e302d60fb0646f5505331e72e1d72446944847a37ee8d8ad634124357913201bf1e9b7be43414d48501999c99602b3a9a45b9d3dbb88cfbd

Download Submit
\Users\Admin\AppData\Local\Temp\1431496922.exe

Filesize
522KB

MD5
43958f15d610707d99108c661c160b91

SHA1
37aaf59110f83a888cae30b96867970c68e8cb6a

SHA256
6fc2a23ada6d1bc03da31336582494a42b9b4c6d1e911c579b7c585376762dfa

SHA512
996572a62a71f76ab998123e475b4e5413a66f133a65848f2ea82e1862873548d715c4a330b14cf341c4cd53280ae89d0b23865957693eb6a274360b7b98d8fd

Download Submit
\Users\Admin\AppData\Local\Temp\1431496922.exe

Filesize
549KB

MD5
78244a31d617d8f9b16d8b628924411b

SHA1
3de81044db011d9682e4a8e198f4ad0309709541

SHA256
9bfe881e23a59be64b45c6d03f899c09326b4b2f28a535ffb3fad8047b31131c

SHA512
75d9b938e83c836f5948b0035d2300ce8cf0151a16ac0ef30c6cf1ef71e548d4458e6797be160d7244dcd944098e66be60dd1dbb76c0ba5508fce76344d29430

Download Submit
\Users\Admin\AppData\Local\Temp\nso92BF.tmp\ceasszt.dll

Filesize
153KB

MD5
c942f1029ebc7b3c037d4c8ea537c490

SHA1
683da5f8b3687ae1f112c23476759f6f921059d3

SHA256
6b0b502278a56f0a36ff8015f0d99b261f35a57b7e54d96888258740233b87cc

SHA512
8d34f31e9d2b09f4dda7fdf062f0c8dd06a03243bc1f6ac9ac854c429866d4ab4512e2c46f61508bce8d39ec7284f21d4053e6794d3fa5a088f334960dafdf0c

Download Submit
\Users\Admin\AppData\Local\Temp\nso92BF.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit