1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
Size

3.9MB
MD5

af58c0932b4f8dc9d5b42d082e54a1c4
SHA1

0e08f0ed47bfba13b331760558d5729563e02bee
SHA256

1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d
SHA512

fd27a582e1949138d1f20c666da8efcd5bf80d92dc02409c61c2677564f09aa6acd381103a38b359e73fe1f497787b587a9a23c9f30e5ea58984b087a594fedc
SSDEEP

98304:W8REG2CFkZenqAd2JwB3hVzcpm13KI2qmKuLlly:FREcSZ+td2JLpi6I2qYy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: 36	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: 36	1496	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4772	4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe	90
PID 4240 wrote to memory of 4772	4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe	90
PID 4240 wrote to memory of 4772	4240	1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe	90

C:\Users\Admin\AppData\Local\Temp\1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe
"C:\Users\Admin\AppData\Local\Temp\1bed47ad74390ce8a0851540d51dff6f0ab4ece886fa498caa46dba19472e33d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\cmd.exe
  /c wmic diskdrive get serialnumber
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
2.1MB

MD5
c091a823c41bb5bc6c5a1ab6c926504c

SHA1
7b358a9211f8f5e3ce22f38075caf605fc4d2032

SHA256
c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4

SHA512
742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
2.1MB

MD5
c091a823c41bb5bc6c5a1ab6c926504c

SHA1
7b358a9211f8f5e3ce22f38075caf605fc4d2032

SHA256
c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4

SHA512
742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
memory/4240-13232-0x0000000072D10000-0x00000000734C0000-memory.dmp

Filesize
7.7MB

Download
memory/4240-13247-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13207-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13208-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13204-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13210-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4240-13203-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13202-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13227-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/4240-6017-0x0000000075FE0000-0x000000007605A000-memory.dmp

Filesize
488KB

Download
memory/4240-4008-0x0000000076420000-0x00000000765C0000-memory.dmp

Filesize
1.6MB

Download
memory/4240-13231-0x0000000073670000-0x0000000073688000-memory.dmp

Filesize
96KB

Download
memory/4240-133-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13233-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-134-0x0000000076C50000-0x0000000076E65000-memory.dmp

Filesize
2.1MB

Download
memory/4240-13205-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13248-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/4240-13249-0x0000000072D10000-0x00000000734C0000-memory.dmp

Filesize
7.7MB

Download
memory/4240-13250-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13279-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13281-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13283-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13284-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13285-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13286-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13287-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13288-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13289-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13290-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13291-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/4240-13292-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download