cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf

Analysis

max time kernel
44s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe
Size

717KB
MD5

6afe1b28edf1bc908e50c9fe69c03050
SHA1

7fbc569129f0e9407c751ba770e8afc7d9fd96dc
SHA256

cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf
SHA512

2cfad9d0919fa706ef549f636a69983eb232909fdb2c20bb4b60eb7a6adcaa94ab59207c4a6f5e9d4a4aa9af5cf6941998fad10c8fb82329062233d92d802428
SSDEEP

12288:/2LdfpR0dhqX8nY3MQV58cqpN2mLK3SJ/rAPAPV6GKEBqfc8vy4h:+LdfYLc3MQX8Fam8SJ/UA82H86

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	bedjjifhbj.exe

Loads dropped DLL 11 IoCs

pid	Process
852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe
852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe
852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe
852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1876	940	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1020	wmic.exe
Token: SeSecurityPrivilege	1020	wmic.exe
Token: SeTakeOwnershipPrivilege	1020	wmic.exe
Token: SeLoadDriverPrivilege	1020	wmic.exe
Token: SeSystemProfilePrivilege	1020	wmic.exe
Token: SeSystemtimePrivilege	1020	wmic.exe
Token: SeProfSingleProcessPrivilege	1020	wmic.exe
Token: SeIncBasePriorityPrivilege	1020	wmic.exe
Token: SeCreatePagefilePrivilege	1020	wmic.exe
Token: SeBackupPrivilege	1020	wmic.exe
Token: SeRestorePrivilege	1020	wmic.exe
Token: SeShutdownPrivilege	1020	wmic.exe
Token: SeDebugPrivilege	1020	wmic.exe
Token: SeSystemEnvironmentPrivilege	1020	wmic.exe
Token: SeRemoteShutdownPrivilege	1020	wmic.exe
Token: SeUndockPrivilege	1020	wmic.exe
Token: SeManageVolumePrivilege	1020	wmic.exe
Token: 33	1020	wmic.exe
Token: 34	1020	wmic.exe
Token: 35	1020	wmic.exe
Token: SeIncreaseQuotaPrivilege	1020	wmic.exe
Token: SeSecurityPrivilege	1020	wmic.exe
Token: SeTakeOwnershipPrivilege	1020	wmic.exe
Token: SeLoadDriverPrivilege	1020	wmic.exe
Token: SeSystemProfilePrivilege	1020	wmic.exe
Token: SeSystemtimePrivilege	1020	wmic.exe
Token: SeProfSingleProcessPrivilege	1020	wmic.exe
Token: SeIncBasePriorityPrivilege	1020	wmic.exe
Token: SeCreatePagefilePrivilege	1020	wmic.exe
Token: SeBackupPrivilege	1020	wmic.exe
Token: SeRestorePrivilege	1020	wmic.exe
Token: SeShutdownPrivilege	1020	wmic.exe
Token: SeDebugPrivilege	1020	wmic.exe
Token: SeSystemEnvironmentPrivilege	1020	wmic.exe
Token: SeRemoteShutdownPrivilege	1020	wmic.exe
Token: SeUndockPrivilege	1020	wmic.exe
Token: SeManageVolumePrivilege	1020	wmic.exe
Token: 33	1020	wmic.exe
Token: 34	1020	wmic.exe
Token: 35	1020	wmic.exe
Token: SeIncreaseQuotaPrivilege	1768	wmic.exe
Token: SeSecurityPrivilege	1768	wmic.exe
Token: SeTakeOwnershipPrivilege	1768	wmic.exe
Token: SeLoadDriverPrivilege	1768	wmic.exe
Token: SeSystemProfilePrivilege	1768	wmic.exe
Token: SeSystemtimePrivilege	1768	wmic.exe
Token: SeProfSingleProcessPrivilege	1768	wmic.exe
Token: SeIncBasePriorityPrivilege	1768	wmic.exe
Token: SeCreatePagefilePrivilege	1768	wmic.exe
Token: SeBackupPrivilege	1768	wmic.exe
Token: SeRestorePrivilege	1768	wmic.exe
Token: SeShutdownPrivilege	1768	wmic.exe
Token: SeDebugPrivilege	1768	wmic.exe
Token: SeSystemEnvironmentPrivilege	1768	wmic.exe
Token: SeRemoteShutdownPrivilege	1768	wmic.exe
Token: SeUndockPrivilege	1768	wmic.exe
Token: SeManageVolumePrivilege	1768	wmic.exe
Token: 33	1768	wmic.exe
Token: 34	1768	wmic.exe
Token: 35	1768	wmic.exe
Token: SeIncreaseQuotaPrivilege	1768	wmic.exe
Token: SeSecurityPrivilege	1768	wmic.exe
Token: SeTakeOwnershipPrivilege	1768	wmic.exe
Token: SeLoadDriverPrivilege	1768	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 940	852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe	27
PID 852 wrote to memory of 940	852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe	27
PID 852 wrote to memory of 940	852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe	27
PID 852 wrote to memory of 940	852	cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe	27
PID 940 wrote to memory of 1020	940	bedjjifhbj.exe	28
PID 940 wrote to memory of 1020	940	bedjjifhbj.exe	28
PID 940 wrote to memory of 1020	940	bedjjifhbj.exe	28
PID 940 wrote to memory of 1020	940	bedjjifhbj.exe	28
PID 940 wrote to memory of 1768	940	bedjjifhbj.exe	31
PID 940 wrote to memory of 1768	940	bedjjifhbj.exe	31
PID 940 wrote to memory of 1768	940	bedjjifhbj.exe	31
PID 940 wrote to memory of 1768	940	bedjjifhbj.exe	31
PID 940 wrote to memory of 1744	940	bedjjifhbj.exe	33
PID 940 wrote to memory of 1744	940	bedjjifhbj.exe	33
PID 940 wrote to memory of 1744	940	bedjjifhbj.exe	33
PID 940 wrote to memory of 1744	940	bedjjifhbj.exe	33
PID 940 wrote to memory of 1912	940	bedjjifhbj.exe	35
PID 940 wrote to memory of 1912	940	bedjjifhbj.exe	35
PID 940 wrote to memory of 1912	940	bedjjifhbj.exe	35
PID 940 wrote to memory of 1912	940	bedjjifhbj.exe	35
PID 940 wrote to memory of 1940	940	bedjjifhbj.exe	37
PID 940 wrote to memory of 1940	940	bedjjifhbj.exe	37
PID 940 wrote to memory of 1940	940	bedjjifhbj.exe	37
PID 940 wrote to memory of 1940	940	bedjjifhbj.exe	37
PID 940 wrote to memory of 1876	940	bedjjifhbj.exe	39
PID 940 wrote to memory of 1876	940	bedjjifhbj.exe	39
PID 940 wrote to memory of 1876	940	bedjjifhbj.exe	39
PID 940 wrote to memory of 1876	940	bedjjifhbj.exe	39

C:\Users\Admin\AppData\Local\Temp\cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe
"C:\Users\Admin\AppData\Local\Temp\cf2faf27788d585a326987c0be333ff345fa59f6d5cd6eadea48d79388f1d1bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe
  C:\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe 2|8|6|5|5|6|0|2|4|0|2 LUhDPzgrOTYwMh4tS089S0NEOywgLUw9TlJKTEtHQD0vHic+RE5OSUI5MjQvLisbKj1JQjkwHi1ITEo/T0NSW0lCOyovLi8xIC1PRVBUPUxaUExMO2R0cm4yKSpubHYsQEVRSSVOSksnQU5MLkdMPkkbKj1MRz9LR0I1Gio/Kz0rLSAtQio3KCwaL0IvPSsvGCk/LzctLxwvQjM1JywbKVBQS0RTQUxZS01DVj8/WTseJ0pNSj5VQVBfQ1NEOzgbKVBQS0RTQUxZSTxHRTtBZHBfb01qYW4lMCxFYnBZcSAtKk1fdCUwLi8oMykqJTAsRlNKRB8tKz1yX19rIzAoHy0rHzIuR2V3Hic/U0BZVVBIPWZybGo1KiliY290Mm5bKF5qZy9xYXRzbiZfc2AaL0NURV1BRT5HREhFOxwvRk1LTlo9TE9VT0VQOykaKk9CQUxHWU1TV09NRzcgLVJNOzAYKT9OKz0eK1JTTExDSEBZV0NIQ01LPUNIPEFFU05MOx4nQ05aTFVMUElLQzVubXBfIC1ORVJTSkhESUFfU09FUF08O1RONzIeK0hHQj1SOCwaL0dPX0JXRjtIRD1fQ0pDUFdITkA/N2ZfaHNjHic+SlJITE09RF1HSDcsKSsyNSo0NiwvMBsqSkFQPUxKQ0RZRElNVD9ITDtyam9gGylUR0lFOy8sLTQ0MzAvMTkeLTxJUklGTz9AX1JHRT84MykxNysyLi8tJCw1KzU4MTkoTkU=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81664652345.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81664652345.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81664652345.txt bios get version
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81664652345.txt bios get version
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81664652345.txt bios get version
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81664652345.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81664652345.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81664652345.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81664652345.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81664652345.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\bedjjifhbj.exe

Filesize
807KB

MD5
a96bb402a3b15119fa0e849a04fef00a

SHA1
bd3a89276a59051a70fc24dae3cb3487b195765e

SHA256
a43a3d341e180debc241df4380765f0f8bd9d7d0871d6b64a73bbdc5d1332303

SHA512
eab299c20f8a35a25f1e9b86bbac6adc49f700ffef1958a8a66ad5a50575db5f243d3184f59319a947d8a0c95d0aeda732e281ccf8b81915c05d807d2decc7c5

Download Submit
\Users\Admin\AppData\Local\Temp\nst3130.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nst3130.tmp\poltzxi.dll

Filesize
125KB

MD5
054b01dbbc3bf5f5cad83d83d700d570

SHA1
8f465c5f7a7ef18c56b7be6ced3728a1d47489e3

SHA256
92d8330c451b2b9b181d71b82175e602f9ac4f9aa246a9c1cf1cfa4535c4a31c

SHA512
ccd0f773fb4ca2d7acf24206712b0cb0897a2b740cba9c6daa8d4008b8e9826e2f2cc0f9f453278ec16044037a120b562015e177f6508c9362a7aa786f6e1791

Download Submit
memory/852-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/940-59-0x0000000000000000-mapping.dmp

Download
memory/1020-62-0x0000000000000000-mapping.dmp

Download
memory/1744-66-0x0000000000000000-mapping.dmp

Download
memory/1768-64-0x0000000000000000-mapping.dmp

Download
memory/1876-72-0x0000000000000000-mapping.dmp

Download
memory/1912-68-0x0000000000000000-mapping.dmp

Download
memory/1940-70-0x0000000000000000-mapping.dmp

Download