abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789

Analysis

max time kernel
37s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
Size

339KB
MD5

5e8513a5d356e18ac9bac2be6e6d96a6
SHA1

1aba883515cae99bad2d305c923f425b72536f6d
SHA256

abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789
SHA512

9b626a8a576990ea1b0f345fe20d4aae744af263fbb2b7306937c2baeb0fba4d9c56a7a79d67efd132a74d8e8c851afa8e7dfc208c256daf6eb8eecdc18f2588
SSDEEP

6144:lFJ0N1AxhYwEVCehxVZW/5liWQhag0twPIkMFcBZHpUpaBYg0sABV/zck:A1VZW/SW8ZtIkLauYP9pr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

beeiheibea.exe

pid process

860 beeiheibea.exe
Loads dropped DLL 5 IoCs

Processes:

abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exeWerFault.exe

pid process

1112 abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1324 860 WerFault.exe beeiheibea.exe

pid	process
860	beeiheibea.exe

pid	process
1112	abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe

pid	pid_target	process	target process
1324	860	WerFault.exe	beeiheibea.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	628	wmic.exe
Token: SeSecurityPrivilege	628	wmic.exe
Token: SeTakeOwnershipPrivilege	628	wmic.exe
Token: SeLoadDriverPrivilege	628	wmic.exe
Token: SeSystemProfilePrivilege	628	wmic.exe
Token: SeSystemtimePrivilege	628	wmic.exe
Token: SeProfSingleProcessPrivilege	628	wmic.exe
Token: SeIncBasePriorityPrivilege	628	wmic.exe
Token: SeCreatePagefilePrivilege	628	wmic.exe
Token: SeBackupPrivilege	628	wmic.exe
Token: SeRestorePrivilege	628	wmic.exe
Token: SeShutdownPrivilege	628	wmic.exe
Token: SeDebugPrivilege	628	wmic.exe
Token: SeSystemEnvironmentPrivilege	628	wmic.exe
Token: SeRemoteShutdownPrivilege	628	wmic.exe
Token: SeUndockPrivilege	628	wmic.exe
Token: SeManageVolumePrivilege	628	wmic.exe
Token: 33	628	wmic.exe
Token: 34	628	wmic.exe
Token: 35	628	wmic.exe
Token: SeIncreaseQuotaPrivilege	628	wmic.exe
Token: SeSecurityPrivilege	628	wmic.exe
Token: SeTakeOwnershipPrivilege	628	wmic.exe
Token: SeLoadDriverPrivilege	628	wmic.exe
Token: SeSystemProfilePrivilege	628	wmic.exe
Token: SeSystemtimePrivilege	628	wmic.exe
Token: SeProfSingleProcessPrivilege	628	wmic.exe
Token: SeIncBasePriorityPrivilege	628	wmic.exe
Token: SeCreatePagefilePrivilege	628	wmic.exe
Token: SeBackupPrivilege	628	wmic.exe
Token: SeRestorePrivilege	628	wmic.exe
Token: SeShutdownPrivilege	628	wmic.exe
Token: SeDebugPrivilege	628	wmic.exe
Token: SeSystemEnvironmentPrivilege	628	wmic.exe
Token: SeRemoteShutdownPrivilege	628	wmic.exe
Token: SeUndockPrivilege	628	wmic.exe
Token: SeManageVolumePrivilege	628	wmic.exe
Token: 33	628	wmic.exe
Token: 34	628	wmic.exe
Token: 35	628	wmic.exe
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe
Token: SeSystemProfilePrivilege	1660	wmic.exe
Token: SeSystemtimePrivilege	1660	wmic.exe
Token: SeProfSingleProcessPrivilege	1660	wmic.exe
Token: SeIncBasePriorityPrivilege	1660	wmic.exe
Token: SeCreatePagefilePrivilege	1660	wmic.exe
Token: SeBackupPrivilege	1660	wmic.exe
Token: SeRestorePrivilege	1660	wmic.exe
Token: SeShutdownPrivilege	1660	wmic.exe
Token: SeDebugPrivilege	1660	wmic.exe
Token: SeSystemEnvironmentPrivilege	1660	wmic.exe
Token: SeRemoteShutdownPrivilege	1660	wmic.exe
Token: SeUndockPrivilege	1660	wmic.exe
Token: SeManageVolumePrivilege	1660	wmic.exe
Token: 33	1660	wmic.exe
Token: 34	1660	wmic.exe
Token: 35	1660	wmic.exe
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exebeeiheibea.exe

description	pid	process	target process
PID 1112 wrote to memory of 860	1112	abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe	beeiheibea.exe
PID 1112 wrote to memory of 860	1112	abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe	beeiheibea.exe
PID 1112 wrote to memory of 860	1112	abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe	beeiheibea.exe
PID 1112 wrote to memory of 860	1112	abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe	beeiheibea.exe
PID 860 wrote to memory of 628	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 628	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 628	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 628	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1660	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1660	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1660	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1660	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1116	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1116	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1116	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1116	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 776	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 776	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 776	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 776	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1772	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1772	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1772	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1772	860	beeiheibea.exe	wmic.exe
PID 860 wrote to memory of 1324	860	beeiheibea.exe	WerFault.exe
PID 860 wrote to memory of 1324	860	beeiheibea.exe	WerFault.exe
PID 860 wrote to memory of 1324	860	beeiheibea.exe	WerFault.exe
PID 860 wrote to memory of 1324	860	beeiheibea.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe
"C:\Users\Admin\AppData\Local\Temp\abe959c1a29e0ce3d2620ac54a21c512811b24ab6292454aa1f8aa31ea2d6789.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\beeiheibea.exe
C:\Users\Admin\AppData\Local\Temp\beeiheibea.exe 8|8|3|3|1|2|9|4|5|0|8 J0hGQTwwKi8tNxgnS1I/T0c7OSsgJ0Y9UVROUEJFPz0pGCdBRlJSQEA4MjEvLi0dLkFAQDgwGCdIT0xDUzpQWkk8NSo2LS8uFytORUpOPU9cVFBDOWN0bGgyLCxycG0qP0VLQyVRTE8rOExLLkFGPkwdLkFDRT5LQTw1bkZlSThrLHZlPihiQkhfVkpRcVolRWdLWUQoaU41MF5QU0RxLmxnZ2xQP1AzP2BXOlF1YWpRKkJpSlNrZTNkTmloZCovdkNEQVJPazFzdGQzSk5Kb2dwW0M+WEVua3FLaUslRm0xa0pdZFU/UkQyLXUzbzIbLzwpNSouHy07LjgtKRgnQTA8KygcKkQsNSUuHS5CLDkoMRgnSE9MQ1M6UFpQSkFOPkBYOxcrS1JHPE1AUV5DTEg8PRgnSE9MQ1M6UFpOOUU9OmhiZlxvbi1dZGFxYh8tPFRAX01KRDohelNJSHggJz1QQlxCSztIRE49NRgsRU5RS1s9UkdPS0JPPDMXK09IOUZDVkxUXUxORz1gbGxtNy4tWF9naVtjJl5hZ21aLSluXWwncXJOdS9IMUNDcXJsUk9VSjJjb2YxZTxxczspInFhaik1I3NgcCk5IXZZais6LzUvLCJLQ0xQNSNqPGlaZGBzayVdaWZzYxcrUU01KhgsQVIvNC4xMS0YJ09STVJASUBfTz1EQExMQ0BJPEc9TUpJOh8tQE9aUk1GTEZKRDtrbnBlGCdKQlFUUEVFSUdXTUtCT15COFVOPSoYJ0VGQ0NPOSwgJ0FLXEFYTDhJRENXPUZAT1hOS0E/PV5ZZHBiHy07S1JOREc5QVxITjQuKzgmKSktKzgxJS0tMhgnSD5PQEpDQUdfQUZLUT5LSjRwbXVdGCdRRkxDNC0vNDAvLTEtLzQXKz9PT0ZETD5DXUtFSEU1KSksLzctKSwsNSIpKTcxLzgnMiVQRQ==
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
3⤵
PID:1116

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
3⤵
PID:776

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81669280265.txt bios get version
3⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 372
3⤵
- Loads dropped DLL
- Program crash
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81669280265.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669280265.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669280265.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669280265.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81669280265.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\beeiheibea.exe

Filesize
538KB

MD5
2f54c13ef20b0d9c2437926590c07379

SHA1
00b05b4fe7304f3e496095837816f2d58763bd6b

SHA256
3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab

SHA512
0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17

Download Submit
\Users\Admin\AppData\Local\Temp\beeiheibea.exe

Filesize
538KB

MD5
2f54c13ef20b0d9c2437926590c07379

SHA1
00b05b4fe7304f3e496095837816f2d58763bd6b

SHA256
3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab

SHA512
0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17

Download Submit
\Users\Admin\AppData\Local\Temp\beeiheibea.exe

Filesize
538KB

MD5
2f54c13ef20b0d9c2437926590c07379

SHA1
00b05b4fe7304f3e496095837816f2d58763bd6b

SHA256
3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab

SHA512
0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17

Download Submit
\Users\Admin\AppData\Local\Temp\beeiheibea.exe

Filesize
538KB

MD5
2f54c13ef20b0d9c2437926590c07379

SHA1
00b05b4fe7304f3e496095837816f2d58763bd6b

SHA256
3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab

SHA512
0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17

Download Submit
\Users\Admin\AppData\Local\Temp\beeiheibea.exe

Filesize
538KB

MD5
2f54c13ef20b0d9c2437926590c07379

SHA1
00b05b4fe7304f3e496095837816f2d58763bd6b

SHA256
3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab

SHA512
0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17

Download Submit
\Users\Admin\AppData\Local\Temp\beeiheibea.exe

Filesize
538KB

MD5
2f54c13ef20b0d9c2437926590c07379

SHA1
00b05b4fe7304f3e496095837816f2d58763bd6b

SHA256
3d479b7f877f62634262092d4fd855e0e5c11c7e2b90f11a986d9d40066f2bab

SHA512
0b408b17e0edd586882c74325acdc905d40ebec1f13c1686f1d54fca1a00e94bb898664ced246a45866f81fb86d02b19273dd3a88ae1fac9ff32ffb61c807c17

Download Submit
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/776-65-0x0000000000000000-mapping.dmp

Download
memory/860-56-0x0000000000000000-mapping.dmp

Download
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1116-63-0x0000000000000000-mapping.dmp

Download
memory/1324-69-0x0000000000000000-mapping.dmp

Download
memory/1660-61-0x0000000000000000-mapping.dmp

Download
memory/1772-67-0x0000000000000000-mapping.dmp

Download