ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe
Size

344KB
MD5

16bbfbb876a1d342bf70f57b35c4c4f0
SHA1

ce5f6e0e6085908af1c7191cd256f16374cd21d8
SHA256

ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c
SHA512

8ce05fe86fd4fb6cb73715fe1d2fe03fec4b5294cccfa235e6dda8dd00888fb7ad43e9dd2d818f605b838c4bfe0052ebdb79d6c7486e42d2a050a8c6512242df
SSDEEP

6144:FFJ0lxACZfll1rwGS7A+C7G0Vk27Klg56dMQD:AxNZflrafQ37Km52

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	beehehdghd.exe

Loads dropped DLL 5 IoCs

pid	Process
1660	ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe
368	WerFault.exe
368	WerFault.exe
368	WerFault.exe
368	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
368	1680	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1400	wmic.exe
Token: SeSecurityPrivilege	1400	wmic.exe
Token: SeTakeOwnershipPrivilege	1400	wmic.exe
Token: SeLoadDriverPrivilege	1400	wmic.exe
Token: SeSystemProfilePrivilege	1400	wmic.exe
Token: SeSystemtimePrivilege	1400	wmic.exe
Token: SeProfSingleProcessPrivilege	1400	wmic.exe
Token: SeIncBasePriorityPrivilege	1400	wmic.exe
Token: SeCreatePagefilePrivilege	1400	wmic.exe
Token: SeBackupPrivilege	1400	wmic.exe
Token: SeRestorePrivilege	1400	wmic.exe
Token: SeShutdownPrivilege	1400	wmic.exe
Token: SeDebugPrivilege	1400	wmic.exe
Token: SeSystemEnvironmentPrivilege	1400	wmic.exe
Token: SeRemoteShutdownPrivilege	1400	wmic.exe
Token: SeUndockPrivilege	1400	wmic.exe
Token: SeManageVolumePrivilege	1400	wmic.exe
Token: 33	1400	wmic.exe
Token: 34	1400	wmic.exe
Token: 35	1400	wmic.exe
Token: SeIncreaseQuotaPrivilege	1400	wmic.exe
Token: SeSecurityPrivilege	1400	wmic.exe
Token: SeTakeOwnershipPrivilege	1400	wmic.exe
Token: SeLoadDriverPrivilege	1400	wmic.exe
Token: SeSystemProfilePrivilege	1400	wmic.exe
Token: SeSystemtimePrivilege	1400	wmic.exe
Token: SeProfSingleProcessPrivilege	1400	wmic.exe
Token: SeIncBasePriorityPrivilege	1400	wmic.exe
Token: SeCreatePagefilePrivilege	1400	wmic.exe
Token: SeBackupPrivilege	1400	wmic.exe
Token: SeRestorePrivilege	1400	wmic.exe
Token: SeShutdownPrivilege	1400	wmic.exe
Token: SeDebugPrivilege	1400	wmic.exe
Token: SeSystemEnvironmentPrivilege	1400	wmic.exe
Token: SeRemoteShutdownPrivilege	1400	wmic.exe
Token: SeUndockPrivilege	1400	wmic.exe
Token: SeManageVolumePrivilege	1400	wmic.exe
Token: 33	1400	wmic.exe
Token: 34	1400	wmic.exe
Token: 35	1400	wmic.exe
Token: SeIncreaseQuotaPrivilege	1984	wmic.exe
Token: SeSecurityPrivilege	1984	wmic.exe
Token: SeTakeOwnershipPrivilege	1984	wmic.exe
Token: SeLoadDriverPrivilege	1984	wmic.exe
Token: SeSystemProfilePrivilege	1984	wmic.exe
Token: SeSystemtimePrivilege	1984	wmic.exe
Token: SeProfSingleProcessPrivilege	1984	wmic.exe
Token: SeIncBasePriorityPrivilege	1984	wmic.exe
Token: SeCreatePagefilePrivilege	1984	wmic.exe
Token: SeBackupPrivilege	1984	wmic.exe
Token: SeRestorePrivilege	1984	wmic.exe
Token: SeShutdownPrivilege	1984	wmic.exe
Token: SeDebugPrivilege	1984	wmic.exe
Token: SeSystemEnvironmentPrivilege	1984	wmic.exe
Token: SeRemoteShutdownPrivilege	1984	wmic.exe
Token: SeUndockPrivilege	1984	wmic.exe
Token: SeManageVolumePrivilege	1984	wmic.exe
Token: 33	1984	wmic.exe
Token: 34	1984	wmic.exe
Token: 35	1984	wmic.exe
Token: SeIncreaseQuotaPrivilege	1984	wmic.exe
Token: SeSecurityPrivilege	1984	wmic.exe
Token: SeTakeOwnershipPrivilege	1984	wmic.exe
Token: SeLoadDriverPrivilege	1984	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1680	1660	ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe	28
PID 1660 wrote to memory of 1680	1660	ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe	28
PID 1660 wrote to memory of 1680	1660	ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe	28
PID 1660 wrote to memory of 1680	1660	ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe	28
PID 1680 wrote to memory of 1400	1680	beehehdghd.exe	29
PID 1680 wrote to memory of 1400	1680	beehehdghd.exe	29
PID 1680 wrote to memory of 1400	1680	beehehdghd.exe	29
PID 1680 wrote to memory of 1400	1680	beehehdghd.exe	29
PID 1680 wrote to memory of 1984	1680	beehehdghd.exe	32
PID 1680 wrote to memory of 1984	1680	beehehdghd.exe	32
PID 1680 wrote to memory of 1984	1680	beehehdghd.exe	32
PID 1680 wrote to memory of 1984	1680	beehehdghd.exe	32
PID 1680 wrote to memory of 1488	1680	beehehdghd.exe	34
PID 1680 wrote to memory of 1488	1680	beehehdghd.exe	34
PID 1680 wrote to memory of 1488	1680	beehehdghd.exe	34
PID 1680 wrote to memory of 1488	1680	beehehdghd.exe	34
PID 1680 wrote to memory of 1756	1680	beehehdghd.exe	36
PID 1680 wrote to memory of 1756	1680	beehehdghd.exe	36
PID 1680 wrote to memory of 1756	1680	beehehdghd.exe	36
PID 1680 wrote to memory of 1756	1680	beehehdghd.exe	36
PID 1680 wrote to memory of 364	1680	beehehdghd.exe	38
PID 1680 wrote to memory of 364	1680	beehehdghd.exe	38
PID 1680 wrote to memory of 364	1680	beehehdghd.exe	38
PID 1680 wrote to memory of 364	1680	beehehdghd.exe	38
PID 1680 wrote to memory of 368	1680	beehehdghd.exe	40
PID 1680 wrote to memory of 368	1680	beehehdghd.exe	40
PID 1680 wrote to memory of 368	1680	beehehdghd.exe	40
PID 1680 wrote to memory of 368	1680	beehehdghd.exe	40

C:\Users\Admin\AppData\Local\Temp\ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe
"C:\Users\Admin\AppData\Local\Temp\ac1645a485107015f4c1d95b37dcbac719b44ce92a4f6af9754134e96cde1f6c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\beehehdghd.exe
  C:\Users\Admin\AppData\Local\Temp\beehehdghd.exe 9,9,0,5,1,7,6,4,9,9,9 JkdJPzwrLS8cJ1gXJlNQQUlDQDQnFyZFRU9WSExHQDs0JxcvP0hMTkU7NCcXJkNEQzYqHCZHSUY7VT5TWENANCcXJkpFTVU+TFtMSUM0X3RvbzMpK2ppbSU7RU5KJk5LRyQ4R0cuRE0/SRwmOkNAOktEQzYaKzsoNCQoICpDKzcpKBcmOyo9KDAZKUArNCQoFy8/NDYnLRcmR0lGRFBCTVlMSUBNODpZOB8oSk5GO0w6S19AVEU7ORcmR0lGRFBCTVlKOEQ8NBcvQFc+WVFJQzQXJkVTRFg9STtDQEU8PRsuQUlPS1Y5SUZXTkRLNzEXJks/OE5GWEhPW0xJQzQXL1FMNiwcJjtKKDQgKlFOSFBARDxWTkVHQkhHQUBEOD48VU1LNhorQEpWSUxOT0hGPzlraWxcFy9NRE1PTkVART5WVU5ES1lAOFBKNCkgKkdCPkFPNCgXJklOXj1TSjhEQDpWRUlCS1NMSzw7NF1hZ3JeGis7Rk5FQ088Q1hDTDQpJy8lMSwvJzMvJSgpKRcvS0BLO0hDPENWQE5OUzpGSDRraWxcICpTQkdBNCgrKy40My8tMDQXJjtGTk5HTjo+W0tARDw0MSwuKi4rKScoLCE1NTQtNC4vIThE
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669273097.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669273097.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669273097.txt bios get version
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669273097.txt bios get version
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81669273097.txt bios get version
    3⤵
    PID:364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81669273097.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669273097.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669273097.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669273097.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669273097.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\beehehdghd.exe

Filesize
563KB

MD5
f3eafd8c78d1c693c9f39fadd82638ac

SHA1
cab236a0998aad5a5706b1de1eb78e21ffac34bf

SHA256
57be8ea73fd31fa087518a8155480e88b77addca33c573a8ea6b081d1693be14

SHA512
4630b1d0f1534193b9b6f75f17c16f7ace4baee47a664cee94cdcbeb389dd02f7bf6f7cd51edfe5db7ab92a8bc16c9eea9f74ddba538b5a4ce7251dda2baef8e

Download Submit
\Users\Admin\AppData\Local\Temp\beehehdghd.exe

Filesize
563KB

MD5
f3eafd8c78d1c693c9f39fadd82638ac

SHA1
cab236a0998aad5a5706b1de1eb78e21ffac34bf

SHA256
57be8ea73fd31fa087518a8155480e88b77addca33c573a8ea6b081d1693be14

SHA512
4630b1d0f1534193b9b6f75f17c16f7ace4baee47a664cee94cdcbeb389dd02f7bf6f7cd51edfe5db7ab92a8bc16c9eea9f74ddba538b5a4ce7251dda2baef8e

Download Submit
\Users\Admin\AppData\Local\Temp\beehehdghd.exe

Filesize
563KB

MD5
f3eafd8c78d1c693c9f39fadd82638ac

SHA1
cab236a0998aad5a5706b1de1eb78e21ffac34bf

SHA256
57be8ea73fd31fa087518a8155480e88b77addca33c573a8ea6b081d1693be14

SHA512
4630b1d0f1534193b9b6f75f17c16f7ace4baee47a664cee94cdcbeb389dd02f7bf6f7cd51edfe5db7ab92a8bc16c9eea9f74ddba538b5a4ce7251dda2baef8e

Download Submit
\Users\Admin\AppData\Local\Temp\beehehdghd.exe

Filesize
563KB

MD5
f3eafd8c78d1c693c9f39fadd82638ac

SHA1
cab236a0998aad5a5706b1de1eb78e21ffac34bf

SHA256
57be8ea73fd31fa087518a8155480e88b77addca33c573a8ea6b081d1693be14

SHA512
4630b1d0f1534193b9b6f75f17c16f7ace4baee47a664cee94cdcbeb389dd02f7bf6f7cd51edfe5db7ab92a8bc16c9eea9f74ddba538b5a4ce7251dda2baef8e

Download Submit
\Users\Admin\AppData\Local\Temp\beehehdghd.exe

Filesize
563KB

MD5
f3eafd8c78d1c693c9f39fadd82638ac

SHA1
cab236a0998aad5a5706b1de1eb78e21ffac34bf

SHA256
57be8ea73fd31fa087518a8155480e88b77addca33c573a8ea6b081d1693be14

SHA512
4630b1d0f1534193b9b6f75f17c16f7ace4baee47a664cee94cdcbeb389dd02f7bf6f7cd51edfe5db7ab92a8bc16c9eea9f74ddba538b5a4ce7251dda2baef8e

Download Submit
\Users\Admin\AppData\Local\Temp\beehehdghd.exe

Filesize
563KB

MD5
f3eafd8c78d1c693c9f39fadd82638ac

SHA1
cab236a0998aad5a5706b1de1eb78e21ffac34bf

SHA256
57be8ea73fd31fa087518a8155480e88b77addca33c573a8ea6b081d1693be14

SHA512
4630b1d0f1534193b9b6f75f17c16f7ace4baee47a664cee94cdcbeb389dd02f7bf6f7cd51edfe5db7ab92a8bc16c9eea9f74ddba538b5a4ce7251dda2baef8e

Download Submit
memory/364-67-0x0000000000000000-mapping.dmp

Download
memory/368-69-0x0000000000000000-mapping.dmp

Download
memory/1400-59-0x0000000000000000-mapping.dmp

Download
memory/1488-63-0x0000000000000000-mapping.dmp

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000000000000-mapping.dmp

Download
memory/1756-65-0x0000000000000000-mapping.dmp

Download
memory/1984-61-0x0000000000000000-mapping.dmp

Download