20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfc

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe
Size

575KB
MD5

f2d19bd9f35cff9a3d69133f19be7a60
SHA1

69400b2126ba4b1ca478b6866db13ea87e77df17
SHA256

20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfc
SHA512

8524bf6592a05e572a0c7cd808cb5580dccec76173452b49a89e454a81e46dde2d668bfcd3addf90f059ae4c8b76c8082ff0b73ecba25e89e47b87a72aef535e
SSDEEP

12288:eAfu2+wmfgPgNSHSpsAcFyYLYk1+jsVjn6g1LP4X+Sra6UkfKdQ:eAW2+NfXSHUKy2Yk1wwn6+O+SrvaG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
220	echcabfbcadd.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe
2728	20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	220	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	echcabfbcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe
Token: 33	4476	wmic.exe
Token: 34	4476	wmic.exe
Token: 35	4476	wmic.exe
Token: 36	4476	wmic.exe
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe
Token: 33	4476	wmic.exe
Token: 34	4476	wmic.exe
Token: 35	4476	wmic.exe
Token: 36	4476	wmic.exe
Token: SeIncreaseQuotaPrivilege	1280	wmic.exe
Token: SeSecurityPrivilege	1280	wmic.exe
Token: SeTakeOwnershipPrivilege	1280	wmic.exe
Token: SeLoadDriverPrivilege	1280	wmic.exe
Token: SeSystemProfilePrivilege	1280	wmic.exe
Token: SeSystemtimePrivilege	1280	wmic.exe
Token: SeProfSingleProcessPrivilege	1280	wmic.exe
Token: SeIncBasePriorityPrivilege	1280	wmic.exe
Token: SeCreatePagefilePrivilege	1280	wmic.exe
Token: SeBackupPrivilege	1280	wmic.exe
Token: SeRestorePrivilege	1280	wmic.exe
Token: SeShutdownPrivilege	1280	wmic.exe
Token: SeDebugPrivilege	1280	wmic.exe
Token: SeSystemEnvironmentPrivilege	1280	wmic.exe
Token: SeRemoteShutdownPrivilege	1280	wmic.exe
Token: SeUndockPrivilege	1280	wmic.exe
Token: SeManageVolumePrivilege	1280	wmic.exe
Token: 33	1280	wmic.exe
Token: 34	1280	wmic.exe
Token: 35	1280	wmic.exe
Token: 36	1280	wmic.exe
Token: SeIncreaseQuotaPrivilege	1280	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 220	2728	20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe	82
PID 2728 wrote to memory of 220	2728	20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe	82
PID 2728 wrote to memory of 220	2728	20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe	82
PID 220 wrote to memory of 4476	220	echcabfbcadd.exe	83
PID 220 wrote to memory of 4476	220	echcabfbcadd.exe	83
PID 220 wrote to memory of 4476	220	echcabfbcadd.exe	83
PID 220 wrote to memory of 1280	220	echcabfbcadd.exe	86
PID 220 wrote to memory of 1280	220	echcabfbcadd.exe	86
PID 220 wrote to memory of 1280	220	echcabfbcadd.exe	86
PID 220 wrote to memory of 952	220	echcabfbcadd.exe	88
PID 220 wrote to memory of 952	220	echcabfbcadd.exe	88
PID 220 wrote to memory of 952	220	echcabfbcadd.exe	88
PID 220 wrote to memory of 1888	220	echcabfbcadd.exe	90
PID 220 wrote to memory of 1888	220	echcabfbcadd.exe	90
PID 220 wrote to memory of 1888	220	echcabfbcadd.exe	90
PID 220 wrote to memory of 2556	220	echcabfbcadd.exe	92
PID 220 wrote to memory of 2556	220	echcabfbcadd.exe	92
PID 220 wrote to memory of 2556	220	echcabfbcadd.exe	92

C:\Users\Admin\AppData\Local\Temp\20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe
"C:\Users\Admin\AppData\Local\Temp\20d0e5e717a95936e3e59ae945381a19c15ce6ef4b7eb341f7c3d4adf3e49cfcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\echcabfbcadd.exe
  C:\Users\Admin\AppData\Local\Temp\echcabfbcadd.exe 4*6*6*0*8*6*3*4*3*1*2 K0pDRDUrNi8zMh4rTU9CSENBOS0fLUo/TldHTEhFQTwvISwqcGppYXFgc2xdZ189Sl9maV5mYxwpPklLTkZAOjE1MyssICc9RkA6Lx4rSkxPPE9AUFxIQjksMDksLR0rUERQUj9MX01MSTllc3JsNCkva2xzKkFEUUcnTk9IJz5MTS1HSkBJICc9SUVASkdANxovPCs6KS4fLUAsNy0pGixAMDwrLRopRCw3Ki0dLkIxNycxGClNTkxDUz9OWVBKQ1M9QFg7HClKUkc+Uj9RXkNRRjs9GClNTkxDUz9OWU45R0I5HS5DVD9ZVUpGOhwsRFZBWT1NPEZGSkI8HitCSVNMWT9OTFZRQUw3NRgpUUQ+TUlVSU9fTUxJOR0uVEk3LCAnPlAtOh8tTk9IVEFHQltUREo/SUdFQUc+Q0JUUEg3Gi9BTVxOUk1SRUc/PWxscmEdLlBBTk9SRkNLQ1xUUUFMWUQ5U1A5Lx8tREM+RVA3LhwsSFFbPlNOOUdGP1xETD9MU1BMP0E5Y2Bqb18aLzxJVEpJTj9AWUNQNS4zKi4wNCorLTAmLjEcLFNHST83MSwtLS0xLy8uMBovPElUSklOP0BZTklFPzowLDE1KywqMS0kLjYtNzgwMCRQRRosUT48HitPTEw1YnFwbSQxXR8sZh0sY2Nic3AqYGNsXTJhYXBqcmtqKGNnZyIuY1Fzak5jbV0+bHNra21dXkdhZltkYW9eYmFqZm9xHy9iLzEwLiwsMiosLy4vMTAhLGBkZ3FraGxgYmlbaGFfX28hL2VlYW4vNh0tY2wiMmItMy02Kx8vMmEkMWAsMTcpLCIuM2sjL14sNjEuMCEvNWwhLV4xI2pva2F0YXBoW21dHzBgT2RnaVthZR0sM2Jma2NqW2dlHS1hTmJoa11hXw==
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727479771.txt bios get serialnumber
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727479771.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727479771.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727479771.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727479771.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 940
    3⤵
    - Program crash
    PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 220 -ip 220
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81727479771.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81727479771.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81727479771.txt

Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\echcabfbcadd.exe

Filesize
764KB

MD5
bd752e69baeb1c088bcef812e1f57b32

SHA1
3de77b55cef6e3fc949cd531d9809faa0b469da9

SHA256
7829a1f8f3d3a213a7e8b4bd9b03b7670173361c13b570ddaba06490abb7b7da

SHA512
ee9ff03549dda85bd179dbb3bcaf8e94ef7046eecb4dd998aea89404283e94f9d0b84c6dddb182c773c71ba82c25e4bcc8a70e1538b76e912af8073dc5e8a328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6D61.tmp\kallqfcy.dll

Filesize
121KB

MD5
b3334929246529d6df2fb12aa7eaa7f2

SHA1
349ab1a9c6abdf84a27d4c8d5a355c2a5f691d3f

SHA256
2f404223e010337e39e5236d5e17a784b03a4e904068f6556f258043e4e893f7

SHA512
e82fcf1419229ac77fa806192325209940d3fc834a79d946b10bd27f3120c244d4c5373c03d53e73eadfc512144a1433d94e4fbd09d179221caf2dacfe6c30d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6D61.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit