12ea49282f82fbbf912cf875c9b8df49d443be249fe4072b75928f0b56f90878

Analysis

max time kernel
10s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

165f8c4b3810f96985680d0eecdf7e2b.exe
Size

752KB
MD5

165f8c4b3810f96985680d0eecdf7e2b
SHA1

8892f50d971ef7199de3143a011035665a995af5
SHA256

12ea49282f82fbbf912cf875c9b8df49d443be249fe4072b75928f0b56f90878
SHA512

7459a190a4925969a739b248959e6c249438e1c3f42716b1e99053517d3a5110d4e6df208d00df893fc6469b9210ea0c6e18fa172ebf274e03d6b1fbb50e1872
SSDEEP

12288:AsNIUQuI8//HRvSxRa3XYTTf2ez8DNil9mRa59ESCXdmM+BKE6vKqQ71VBUEGjzh:AqIUQuT/H8xRa3oTTrGNyQaPt8oPKV57

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	bedghiijca.exe

Loads dropped DLL 4 IoCs

pid	Process
812	165f8c4b3810f96985680d0eecdf7e2b.exe
812	165f8c4b3810f96985680d0eecdf7e2b.exe
812	165f8c4b3810f96985680d0eecdf7e2b.exe
812	165f8c4b3810f96985680d0eecdf7e2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2192	2692	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2672	wmic.exe
Token: SeSecurityPrivilege	2672	wmic.exe
Token: SeTakeOwnershipPrivilege	2672	wmic.exe
Token: SeLoadDriverPrivilege	2672	wmic.exe
Token: SeSystemProfilePrivilege	2672	wmic.exe
Token: SeSystemtimePrivilege	2672	wmic.exe
Token: SeProfSingleProcessPrivilege	2672	wmic.exe
Token: SeIncBasePriorityPrivilege	2672	wmic.exe
Token: SeCreatePagefilePrivilege	2672	wmic.exe
Token: SeBackupPrivilege	2672	wmic.exe
Token: SeRestorePrivilege	2672	wmic.exe
Token: SeShutdownPrivilege	2672	wmic.exe
Token: SeDebugPrivilege	2672	wmic.exe
Token: SeSystemEnvironmentPrivilege	2672	wmic.exe
Token: SeRemoteShutdownPrivilege	2672	wmic.exe
Token: SeUndockPrivilege	2672	wmic.exe
Token: SeManageVolumePrivilege	2672	wmic.exe
Token: 33	2672	wmic.exe
Token: 34	2672	wmic.exe
Token: 35	2672	wmic.exe
Token: SeIncreaseQuotaPrivilege	2672	wmic.exe
Token: SeSecurityPrivilege	2672	wmic.exe
Token: SeTakeOwnershipPrivilege	2672	wmic.exe
Token: SeLoadDriverPrivilege	2672	wmic.exe
Token: SeSystemProfilePrivilege	2672	wmic.exe
Token: SeSystemtimePrivilege	2672	wmic.exe
Token: SeProfSingleProcessPrivilege	2672	wmic.exe
Token: SeIncBasePriorityPrivilege	2672	wmic.exe
Token: SeCreatePagefilePrivilege	2672	wmic.exe
Token: SeBackupPrivilege	2672	wmic.exe
Token: SeRestorePrivilege	2672	wmic.exe
Token: SeShutdownPrivilege	2672	wmic.exe
Token: SeDebugPrivilege	2672	wmic.exe
Token: SeSystemEnvironmentPrivilege	2672	wmic.exe
Token: SeRemoteShutdownPrivilege	2672	wmic.exe
Token: SeUndockPrivilege	2672	wmic.exe
Token: SeManageVolumePrivilege	2672	wmic.exe
Token: 33	2672	wmic.exe
Token: 34	2672	wmic.exe
Token: 35	2672	wmic.exe
Token: SeIncreaseQuotaPrivilege	2784	wmic.exe
Token: SeSecurityPrivilege	2784	wmic.exe
Token: SeTakeOwnershipPrivilege	2784	wmic.exe
Token: SeLoadDriverPrivilege	2784	wmic.exe
Token: SeSystemProfilePrivilege	2784	wmic.exe
Token: SeSystemtimePrivilege	2784	wmic.exe
Token: SeProfSingleProcessPrivilege	2784	wmic.exe
Token: SeIncBasePriorityPrivilege	2784	wmic.exe
Token: SeCreatePagefilePrivilege	2784	wmic.exe
Token: SeBackupPrivilege	2784	wmic.exe
Token: SeRestorePrivilege	2784	wmic.exe
Token: SeShutdownPrivilege	2784	wmic.exe
Token: SeDebugPrivilege	2784	wmic.exe
Token: SeSystemEnvironmentPrivilege	2784	wmic.exe
Token: SeRemoteShutdownPrivilege	2784	wmic.exe
Token: SeUndockPrivilege	2784	wmic.exe
Token: SeManageVolumePrivilege	2784	wmic.exe
Token: 33	2784	wmic.exe
Token: 34	2784	wmic.exe
Token: 35	2784	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2692	812	165f8c4b3810f96985680d0eecdf7e2b.exe	29
PID 812 wrote to memory of 2692	812	165f8c4b3810f96985680d0eecdf7e2b.exe	29
PID 812 wrote to memory of 2692	812	165f8c4b3810f96985680d0eecdf7e2b.exe	29
PID 812 wrote to memory of 2692	812	165f8c4b3810f96985680d0eecdf7e2b.exe	29
PID 2692 wrote to memory of 2672	2692	bedghiijca.exe	28
PID 2692 wrote to memory of 2672	2692	bedghiijca.exe	28
PID 2692 wrote to memory of 2672	2692	bedghiijca.exe	28
PID 2692 wrote to memory of 2672	2692	bedghiijca.exe	28
PID 2692 wrote to memory of 2784	2692	bedghiijca.exe	38
PID 2692 wrote to memory of 2784	2692	bedghiijca.exe	38
PID 2692 wrote to memory of 2784	2692	bedghiijca.exe	38
PID 2692 wrote to memory of 2784	2692	bedghiijca.exe	38

C:\Users\Admin\AppData\Local\Temp\165f8c4b3810f96985680d0eecdf7e2b.exe
"C:\Users\Admin\AppData\Local\Temp\165f8c4b3810f96985680d0eecdf7e2b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\bedghiijca.exe
  C:\Users\Admin\AppData\Local\Temp\bedghiijca.exe 4]3]1]0]5]3]5]2]4]8]2 K01IRDguNDEyKx4rUFRCS0Y/OywYLUpCU1dKT0ZHQDUvIS8vcG1sX3NfbGxdamQ9TWJka11fYxwsQ0lOUURCOSo1My4xICpAREI5KB4rTVFPP1I+UltBQjkvNTkvMBstTz1QUkJRX1BPRztkbHJsNy4vbm9xLEA9UUcqU09LKjxOTCZHSkNOICpAR0c/Q0dAOh8vPy44Ky0YLUAvPC0sHSpCLzUrLR0uRC86KC8cJ0IxOiwxGyxLUEs8Uz9RXlBNRlE/P1E7HCxPUkpBUEFQV0NRSUA9GyxLUEs8Uz9RXk48SkA7HCdDVEJeVU1JOB4rPVZBXEJNP0lETEE1HitFTlNPXD1QS09RQU88NRssT0Y9RklVTFRfUE9HOxwnVEk6MSAqQU4vORgtTlJNVERKQF1TPUo/TExFREo8RUFNUEg6Hy9EUFpQUUZSRUpEPW9vcGMcJ1BBUVRSSUZJRVtNUUFPXkQ8Vk47LhgtREZDRVM6LB4rQVFbQVhOPEpEQVs9TD9PWFBPQj87Yllqb2IfLz9MUkxIRz9AXEhQODQzLDIuLC4uMy4zMhstTDlQPUlLRUdcRExPTD9ISTxmXGluYxwnUkVKRD0sMS40NCgzMjExICpBSlVKRE09QV5UREpAOzMnLy8sMTAsMiUyNiwuNjExKktK
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703480629.txt bios get version
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703480629.txt bios get version
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703480629.txt bios get version
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703480629.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 372
    3⤵
    - Program crash
    PID:2192

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703480629.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst7B1A.tmp\cqzeykv.dll

Filesize
47KB

MD5
2f156789ae066198b3aa9514333c3f59

SHA1
8eda792426f74f335ceed3c7b3b64ac06ac490f4

SHA256
b1eb2b6b0c94529eb5ac483b13159eb61818ae454595a818892bd3e690996c95

SHA512
ba3f5bcb481751571eb6b9a023ed371412474bfa5337a20c9419578e988e9e510e3df816749e93abc60de549fb815614ffc808635a829ada9e1b48588c3f8230

Download Submit
\Users\Admin\AppData\Local\Temp\bedghiijca.exe

Filesize
8KB

MD5
0290ba3f8527ac43725e8ac05cedc521

SHA1
823d238c7253c9f84f434e292515472635831c0f

SHA256
e2a4f1935272f8179e54dad3af3d36638ca1dc591e6de8eea3ebe1738378ca15

SHA512
57c203e95b8c6b3af23cb15b56055fe0aa23d2ffdd998c9de9d210f1338fcbe3c5971c24f4d9054c04f5afc8369ef809694787c6c9dd21c4e365d5f5594dabc3

Download Submit
\Users\Admin\AppData\Local\Temp\bedghiijca.exe

Filesize
5KB

MD5
bc043ee9073627b9ed74f2ffddfa2f76

SHA1
a369a8b361c26ec2e56a106aff78082d731840c9

SHA256
70e02592a0b60e7e8478b5a2435dfebb01b04d491f04208dd6b8e2974fdcbeb7

SHA512
a41bb7248bf1cf2a6d4d5f5f722476ecf9b3d79a315ea4668ad3ea77578c4353a4c6af7dec9271bbf3957954f66ca0bbe0279bc9bd05eb6515a3fd635792040b

Download Submit
\Users\Admin\AppData\Local\Temp\nst7B1A.tmp\ZipDLL.dll

Filesize
4KB

MD5
392c6915a27582239d5aa50f9b6fc8b9

SHA1
82400225e98050417c6ffb3adfa4c3b4e7e3cfff

SHA256
0e6aa6994eca43872262ae3c91e005a6319a8e53f06da5d0e5a3fbb8518e6b3b

SHA512
c82ac19050139f8b0549bd40a9a078397bd7700c16dcaf8c9d7bef9ac01c09e7d13a8b414bbc4d3b007916df8c42a15947f038012f77dd50ccb23a8648695da3

Download Submit
\Users\Admin\AppData\Local\Temp\nst7B1A.tmp\cqzeykv.dll

Filesize
11KB

MD5
92c46fb9aaff9fe5fa60ce411ad7eba2

SHA1
6779168c9683f59efd141d7f9f959d4bc41ffb51

SHA256
03dca39f30b587842840a2bf3d2ec85b556a0b218101f159b95b4f95bc55e8cf

SHA512
f0ba272b907fd19dc635c00cd04b9f25e457c72a92fdbfef1522733de9d3c585bf052880366e8aceb310cf88a90ba39cf64329d032a08e35d4cb2d11b151a700

Download Submit