Analysis
-
max time kernel
37s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
24-11-2022 04:09
Static task
static1
Behavioral task
behavioral1
Sample
abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
Resource
win10v2004-20221111-en
General
-
Target
abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
-
Size
339KB
-
MD5
5e8513a5d356e18ac9bac2be6e6d96a6
-
SHA1
1aba883515cae99bad2d305c923f425b72536f6d
-
SHA256
abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789
-
SHA512
9b626a8a576990ea1b0f345fe20d4aae744af263fbb2b7306937c2baeb0fba4d9c56a7a79d67efd132a74d8e8c851afa8e7dfc208c256daf6eb8eecdc18f2588
-
SSDEEP
6144:lFJ0N1AxhYwEVCehxVZW/5liWQhag0twPIkMFcBZHpUpaBYg0sABV/zck:A1VZW/SW8ZtIkLauYP9pr
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid process
860 beeiheibea.exe
Loads dropped DLL 5 IoCs
Processes:
pid process
1112 abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: this is a heuristic signature, and nothing else in this report corroborates the ransomware reading. The only activity captured after the drop is a series of wmic "bios get serialnumber" / "bios get version" queries, a common VM and sandbox fingerprinting check (hypervisors expose distinctive BIOS strings), after which beeiheibea.exe (pid 860) crashes and is handled by WerFault. No file encryption or renaming is recorded in this run.
-
Program crash 1 IoCs
Processes:
pid pid_target process target process
1324 860 WerFault.exe beeiheibea.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
pid 628 wmic.exe, the following set enabled twice in this order (40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 1660 wmic.exe, the same 20-privilege set once, then the first four of a second pass (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Notes: the numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h, 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege. The list stops at exactly 64 entries partway through a pass, so it is truncated at the display cap; the other three wmic.exe processes (1116, 776, 1772) are not shown. wmic.exe enables every privilege present in its token at startup regardless of the query, so this signature is expected for any wmic invocation; the investigative signal here is the parent (a dropped executable in %TEMP%) and the BIOS queries, not the privilege adjustment itself.
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description pid process target process
PID 1112 abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe wrote to memory of 860 beeiheibea.exe (4 entries)
PID 860 beeiheibea.exe wrote to memory of 628 wmic.exe (4 entries)
PID 860 beeiheibea.exe wrote to memory of 1660 wmic.exe (4 entries)
PID 860 beeiheibea.exe wrote to memory of 1116 wmic.exe (4 entries)
PID 860 beeiheibea.exe wrote to memory of 776 wmic.exe (4 entries)
PID 860 beeiheibea.exe wrote to memory of 1772 wmic.exe (4 entries)
PID 860 beeiheibea.exe wrote to memory of 1324 WerFault.exe (4 entries)
Every recorded write is from a parent into a child it had just created (see the process tree below); no writes into a pre-existing process are recorded, so this is process creation rather than injection into a foreign process.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1112
  - C:\Users\Admin\AppData\Local\Temp\beeiheibea.exe
    command line: C:\Users\Admin\AppData\Local\Temp\beeiheibea.exe 8|8|3|3|1|2|9|4|5|0|8 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
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:860
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get serialnumber
      - Suspicious use of AdjustPrivilegeToken
      PID:628
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
      - Suspicious use of AdjustPrivilegeToken
      PID:1660
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
      PID:1116
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
      PID:776
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
      PID:1772
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 372
      - Loads dropped DLL
      - Program crash
      PID:1324
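As an added example (not part of the sandbox report), the Python below rebuilds the process tree from the flattened "wrote to memory of" IoC lines and applies the detection rule this run suggests: an executable running from %TEMP% that spawns wmic with "bios get serialnumber" or "bios get version", plus a WerFault child naming that same parent. The IoC lines and the PID-to-command-line map are constructed from this report's own sections; joining the two by PID, and the regexes, are this example's assumptions.

```python
"""Rebuild a process tree from Triage-style WriteProcessMemory IoC lines and flag
the %TEMP% dropper -> wmic BIOS fingerprinting pattern (plus a follow-on crash)."""
import re
from collections import defaultdict

# Constructed input: a subset of this report's WriteProcessMemory IoCs, in the
# flattened one-line form the page uses. Each child appears several times because
# the sandbox records every WriteProcessMemory call made during process creation.
WPM_LINES = (
    "PID 1112 wrote to memory of 860 1112 abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe beeiheibea.exe "
    "PID 1112 wrote to memory of 860 1112 abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe beeiheibea.exe "
    "PID 860 wrote to memory of 628 860 beeiheibea.exe wmic.exe "
    "PID 860 wrote to memory of 628 860 beeiheibea.exe wmic.exe "
    "PID 860 wrote to memory of 1660 860 beeiheibea.exe wmic.exe "
    "PID 860 wrote to memory of 1116 860 beeiheibea.exe wmic.exe "
    "PID 860 wrote to memory of 1324 860 beeiheibea.exe WerFault.exe"
)

# Constructed input: command lines keyed by PID, copied from the process tree above.
# Joining the two sections by PID is an assumption of this example.
CMDLINES = {
    1112: r'"C:\Users\Admin\AppData\Local\Temp\abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe"',
    860: r'C:\Users\Admin\AppData\Local\Temp\beeiheibea.exe 8|8|3|3|1|2|9|4|5|0|8',
    628: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get serialnumber',
    1660: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version',
    1116: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version',
    1324: r'C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 372',
}

# "PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BIOS_RE = re.compile(r"\bwmic(?:\.exe)?\b.*\bbios\s+get\s+(serialnumber|version)\b", re.I)
WERFAULT_RE = re.compile(r"\bWerFault\.exe\b.*\s-p\s+(\d+)", re.I)


def parse_edges(text):
    """Unique (ppid, parent_image, cpid, child_image) edges; repeats collapse."""
    return {(int(p), pi, int(c), ci) for p, c, pi, ci in WPM_RE.findall(text)}


def build_tree(edges):
    """Map each parent PID to its child PIDs, in ascending order."""
    tree = defaultdict(list)
    for ppid, _, cpid, _ in sorted(edges):
        tree[ppid].append(cpid)
    return dict(tree)


def bios_fingerprint_hits(edges, cmdlines):
    """(ppid, cpid, query) for every wmic BIOS query whose parent runs from %TEMP%."""
    hits = set()
    for ppid, _, cpid, _ in edges:
        m = BIOS_RE.search(cmdlines.get(cpid, ""))
        if m and TEMP_RE.search(cmdlines.get(ppid, "")):
            hits.add((ppid, cpid, m.group(1).lower()))
    return sorted(hits)


def crashed_parents(edges, cmdlines):
    """PIDs whose own WerFault child names them with -p, i.e. the parent faulted."""
    crashed = set()
    for ppid, _, cpid, _ in edges:
        m = WERFAULT_RE.search(cmdlines.get(cpid, ""))
        if m and int(m.group(1)) == ppid:
            crashed.add(ppid)
    return crashed


def analyze(text, cmdlines):
    """Tree plus the two findings an analyst wants from this report."""
    edges = parse_edges(text)
    hits = bios_fingerprint_hits(edges, cmdlines)
    flagged = {ppid for ppid, _, _ in hits}
    return {
        "tree": build_tree(edges),
        "bios_queries": hits,
        "flagged_parents": flagged,
        "flagged_then_crashed": flagged & crashed_parents(edges, cmdlines),
    }


if __name__ == "__main__":
    result = analyze(WPM_LINES, CMDLINES)
    for ppid, children in sorted(result["tree"].items()):
        print(f"{ppid} -> {children}")
    for ppid, cpid, query in result["bios_queries"]:
        print(f"BIOS fingerprint: parent {ppid} spawned wmic {cpid} ({query})")
    print("fingerprinted then crashed:", sorted(result["flagged_then_crashed"]))
```

The rule keys on the parent's path and the child's command line rather than on the AdjustPrivilegeToken signature, since wmic enables its privileges on every invocation; a WerFault child whose -p argument equals the flagged parent is worth recording because a fingerprinting stage that dies before doing anything else is itself a sign the sample bailed out of the sandbox.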
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
66B
MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
58B (listed 4 times with identical hashes)
MD5 dd876faf0fd44a5fab3e82368e2e8b15
SHA1 01b04083fa278dda3a81705ca5abcfee487a3c90
SHA256 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512 e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
538KB (listed 6 times with identical hashes)
MD5 2f54c13ef20b0d9c2437926590c07379
SHA1 00b05b4fe7304f3e496095837816f2d58763bd6b
SHA256 3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab
SHA512 0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17