ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe
Size

488KB
MD5

4590d64a0cbd827da2ecc186924865ea
SHA1

4c24dd46417cc9f6d6c2f5f79a55091b852eb492
SHA256

ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70
SHA512

d07866e9ac513d6fb84ad166da9b79cd373f81a4439261406ea0852a7fca4efbf198913482a97a48d8db290166ba220a52a1e0ba226fe05cf5fd5103e10b4cd1
SSDEEP

6144:dFJ0Pf4J5lAmVzjRmfcRB5edIMsnIzmw/nGWiYjXvhFuzj+h7DJL5qZ4Z+3pZ2yU:4g2cRXYJzm4nGWXLvLufCxA3p1dy77T

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	befacajhdg_P.exe

Loads dropped DLL 2 IoCs

pid	Process
1572	ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe
1572	ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1952	wmic.exe
Token: SeSecurityPrivilege	1952	wmic.exe
Token: SeTakeOwnershipPrivilege	1952	wmic.exe
Token: SeLoadDriverPrivilege	1952	wmic.exe
Token: SeSystemProfilePrivilege	1952	wmic.exe
Token: SeSystemtimePrivilege	1952	wmic.exe
Token: SeProfSingleProcessPrivilege	1952	wmic.exe
Token: SeIncBasePriorityPrivilege	1952	wmic.exe
Token: SeCreatePagefilePrivilege	1952	wmic.exe
Token: SeBackupPrivilege	1952	wmic.exe
Token: SeRestorePrivilege	1952	wmic.exe
Token: SeShutdownPrivilege	1952	wmic.exe
Token: SeDebugPrivilege	1952	wmic.exe
Token: SeSystemEnvironmentPrivilege	1952	wmic.exe
Token: SeRemoteShutdownPrivilege	1952	wmic.exe
Token: SeUndockPrivilege	1952	wmic.exe
Token: SeManageVolumePrivilege	1952	wmic.exe
Token: 33	1952	wmic.exe
Token: 34	1952	wmic.exe
Token: 35	1952	wmic.exe
Token: SeIncreaseQuotaPrivilege	1952	wmic.exe
Token: SeSecurityPrivilege	1952	wmic.exe
Token: SeTakeOwnershipPrivilege	1952	wmic.exe
Token: SeLoadDriverPrivilege	1952	wmic.exe
Token: SeSystemProfilePrivilege	1952	wmic.exe
Token: SeSystemtimePrivilege	1952	wmic.exe
Token: SeProfSingleProcessPrivilege	1952	wmic.exe
Token: SeIncBasePriorityPrivilege	1952	wmic.exe
Token: SeCreatePagefilePrivilege	1952	wmic.exe
Token: SeBackupPrivilege	1952	wmic.exe
Token: SeRestorePrivilege	1952	wmic.exe
Token: SeShutdownPrivilege	1952	wmic.exe
Token: SeDebugPrivilege	1952	wmic.exe
Token: SeSystemEnvironmentPrivilege	1952	wmic.exe
Token: SeRemoteShutdownPrivilege	1952	wmic.exe
Token: SeUndockPrivilege	1952	wmic.exe
Token: SeManageVolumePrivilege	1952	wmic.exe
Token: 33	1952	wmic.exe
Token: 34	1952	wmic.exe
Token: 35	1952	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 316	1572	ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe	27
PID 1572 wrote to memory of 316	1572	ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe	27
PID 1572 wrote to memory of 316	1572	ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe	27
PID 1572 wrote to memory of 316	1572	ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe	27
PID 316 wrote to memory of 1952	316	befacajhdg_P.exe	28
PID 316 wrote to memory of 1952	316	befacajhdg_P.exe	28
PID 316 wrote to memory of 1952	316	befacajhdg_P.exe	28
PID 316 wrote to memory of 1952	316	befacajhdg_P.exe	28
PID 316 wrote to memory of 1668	316	befacajhdg_P.exe	31
PID 316 wrote to memory of 1668	316	befacajhdg_P.exe	31
PID 316 wrote to memory of 1668	316	befacajhdg_P.exe	31
PID 316 wrote to memory of 1668	316	befacajhdg_P.exe	31
PID 316 wrote to memory of 1692	316	befacajhdg_P.exe	33
PID 316 wrote to memory of 1692	316	befacajhdg_P.exe	33
PID 316 wrote to memory of 1692	316	befacajhdg_P.exe	33
PID 316 wrote to memory of 1692	316	befacajhdg_P.exe	33
PID 316 wrote to memory of 2044	316	befacajhdg_P.exe	35
PID 316 wrote to memory of 2044	316	befacajhdg_P.exe	35
PID 316 wrote to memory of 2044	316	befacajhdg_P.exe	35
PID 316 wrote to memory of 2044	316	befacajhdg_P.exe	35
PID 316 wrote to memory of 588	316	befacajhdg_P.exe	37
PID 316 wrote to memory of 588	316	befacajhdg_P.exe	37
PID 316 wrote to memory of 588	316	befacajhdg_P.exe	37
PID 316 wrote to memory of 588	316	befacajhdg_P.exe	37

C:\Users\Admin\AppData\Local\Temp\ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe
"C:\Users\Admin\AppData\Local\Temp\ab78bd33197e1b1695e5c2a8d36c50047bcad9133c2ae863a1eab646e4f4ba70.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\befacajhdg_P.exe
  C:\Users\Admin\AppData\Local\Temp\befacajhdg_P.exe 4/7/4/5/6/7/1/2/2/5/0 K0lFPzcqODYyLSArTFE9SkJDOy4bL0o+UFJJS0pHQjgxHChARE1NSEI7LTkyKiwbKTxIQjsrICtJTko+TkJSXUREOSs0MzAuHy1RQFJSPk5aT0tLO2ZvdGwzKypta3UsQkBTRyZQSkomQE5OKUlKP0sbKTxLR0FGSUA2HCo+KjwrLxsvQCs5KCsZLkIxOC0tGSs/LjYsLx4qRDE2KSwaKE9QTT9VP01bS0xCVT9BVD0cKExNST1UQVJaRVFFPTgaKE9QTT9VP01bSTtGRDtubWVyXmpvHysvcGNudGtrYSAsKTMsLywlLikhLSoeMS5hbWFfZBwqP1FEXVNNTDlbYW5uLW9hLF5vaShvYG5ubyxjc2UcKEFTP1hCS0JHSUo+ORspQU5RUlpCTkhTTj9LPDMeKlREOkpGU0hUXVNNTDkZK1FHNjEeLT9TLTYcKkxOTVJHSEVbUEFHPUhMQ0dIQUM+UU1GNh8tR05fTk5KT0NGRDtybXVhGStNP01UUExETkNYUU4/S15CP1RTOSscKkJCQ0NWODEcKEVOWT1YTD9IST9YQUk9S1hOUkBEOV9dZ21eHy1CSldKRUs8PlhITjstMDQnLSwqJzgxLCwyLhkrSztLQEpKQExbQkpOTjpLSjtvcnFeHCpOQkxDOyw0MSkuLiwuODceKkRLUEpHSTpDXVJETUE2LS0pKjUtMCsxMSMuNSwsOS83JUFJ
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863286.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863286.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863286.txt bios get version
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863286.txt bios get version
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863286.txt bios get version
    3⤵
    PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81667863286.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81667863286.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81667863286.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81667863286.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81667863286.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\befacajhdg_P.exe

Filesize
674KB

MD5
fa589ac7920c04eff43238d6cd6068ec

SHA1
3a3896dbf780c8af638d2fb47b8c6f6d877b293c

SHA256
e150aac75f5a442eefca075cc815e7baa1ade1a4559834e0f643ccc6baceda1f

SHA512
b251f959de836c768b7eb35c5f5d7128bd490015da09039f2131fda73b343aa0b586a6f97cd622bf9f57627987c21661b619087b89ccf3c4c5e88add3f5be0be

Download Submit
\Users\Admin\AppData\Local\Temp\befacajhdg_P.exe

Filesize
674KB

MD5
fa589ac7920c04eff43238d6cd6068ec

SHA1
3a3896dbf780c8af638d2fb47b8c6f6d877b293c

SHA256
e150aac75f5a442eefca075cc815e7baa1ade1a4559834e0f643ccc6baceda1f

SHA512
b251f959de836c768b7eb35c5f5d7128bd490015da09039f2131fda73b343aa0b586a6f97cd622bf9f57627987c21661b619087b89ccf3c4c5e88add3f5be0be

Download Submit
\Users\Admin\AppData\Local\Temp\befacajhdg_P.exe

Filesize
674KB

MD5
fa589ac7920c04eff43238d6cd6068ec

SHA1
3a3896dbf780c8af638d2fb47b8c6f6d877b293c

SHA256
e150aac75f5a442eefca075cc815e7baa1ade1a4559834e0f643ccc6baceda1f

SHA512
b251f959de836c768b7eb35c5f5d7128bd490015da09039f2131fda73b343aa0b586a6f97cd622bf9f57627987c21661b619087b89ccf3c4c5e88add3f5be0be

Download Submit
memory/316-61-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/316-71-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download