c17663b78f0beb44ce1d50d5385eb6d00712c8abce78942e0cfc4db77df4420f

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1263aeb7669544ba5c597427740fd55a.exe
Size

644KB
MD5

1263aeb7669544ba5c597427740fd55a
SHA1

5d046d9ba0f861fd9f968b2fff565497bd8c453a
SHA256

c17663b78f0beb44ce1d50d5385eb6d00712c8abce78942e0cfc4db77df4420f
SHA512

9b758e116b8b63b2595310bbfbd1af9a9b3600a8fa586cc256d8f12f68bd0cb29bad2f995b02b876fe1a1a154b4d3808fe45613c247f7442f7643746a80ed6dc
SSDEEP

12288:FPyQb80zXZWoqVAZ5qLAZvI5oazdlYGvK7y/nRleafc8vy4h3:FPN80zLfzq025oazw/7cn2386+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	bedfhaijcd.exe

Loads dropped DLL 11 IoCs

pid	Process
2076	1263aeb7669544ba5c597427740fd55a.exe
2076	1263aeb7669544ba5c597427740fd55a.exe
2076	1263aeb7669544ba5c597427740fd55a.exe
2076	1263aeb7669544ba5c597427740fd55a.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2176	2676	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2244	wmic.exe
Token: SeSecurityPrivilege	2244	wmic.exe
Token: SeTakeOwnershipPrivilege	2244	wmic.exe
Token: SeLoadDriverPrivilege	2244	wmic.exe
Token: SeSystemProfilePrivilege	2244	wmic.exe
Token: SeSystemtimePrivilege	2244	wmic.exe
Token: SeProfSingleProcessPrivilege	2244	wmic.exe
Token: SeIncBasePriorityPrivilege	2244	wmic.exe
Token: SeCreatePagefilePrivilege	2244	wmic.exe
Token: SeBackupPrivilege	2244	wmic.exe
Token: SeRestorePrivilege	2244	wmic.exe
Token: SeShutdownPrivilege	2244	wmic.exe
Token: SeDebugPrivilege	2244	wmic.exe
Token: SeSystemEnvironmentPrivilege	2244	wmic.exe
Token: SeRemoteShutdownPrivilege	2244	wmic.exe
Token: SeUndockPrivilege	2244	wmic.exe
Token: SeManageVolumePrivilege	2244	wmic.exe
Token: 33	2244	wmic.exe
Token: 34	2244	wmic.exe
Token: 35	2244	wmic.exe
Token: SeIncreaseQuotaPrivilege	2244	wmic.exe
Token: SeSecurityPrivilege	2244	wmic.exe
Token: SeTakeOwnershipPrivilege	2244	wmic.exe
Token: SeLoadDriverPrivilege	2244	wmic.exe
Token: SeSystemProfilePrivilege	2244	wmic.exe
Token: SeSystemtimePrivilege	2244	wmic.exe
Token: SeProfSingleProcessPrivilege	2244	wmic.exe
Token: SeIncBasePriorityPrivilege	2244	wmic.exe
Token: SeCreatePagefilePrivilege	2244	wmic.exe
Token: SeBackupPrivilege	2244	wmic.exe
Token: SeRestorePrivilege	2244	wmic.exe
Token: SeShutdownPrivilege	2244	wmic.exe
Token: SeDebugPrivilege	2244	wmic.exe
Token: SeSystemEnvironmentPrivilege	2244	wmic.exe
Token: SeRemoteShutdownPrivilege	2244	wmic.exe
Token: SeUndockPrivilege	2244	wmic.exe
Token: SeManageVolumePrivilege	2244	wmic.exe
Token: 33	2244	wmic.exe
Token: 34	2244	wmic.exe
Token: 35	2244	wmic.exe
Token: SeIncreaseQuotaPrivilege	2800	wmic.exe
Token: SeSecurityPrivilege	2800	wmic.exe
Token: SeTakeOwnershipPrivilege	2800	wmic.exe
Token: SeLoadDriverPrivilege	2800	wmic.exe
Token: SeSystemProfilePrivilege	2800	wmic.exe
Token: SeSystemtimePrivilege	2800	wmic.exe
Token: SeProfSingleProcessPrivilege	2800	wmic.exe
Token: SeIncBasePriorityPrivilege	2800	wmic.exe
Token: SeCreatePagefilePrivilege	2800	wmic.exe
Token: SeBackupPrivilege	2800	wmic.exe
Token: SeRestorePrivilege	2800	wmic.exe
Token: SeShutdownPrivilege	2800	wmic.exe
Token: SeDebugPrivilege	2800	wmic.exe
Token: SeSystemEnvironmentPrivilege	2800	wmic.exe
Token: SeRemoteShutdownPrivilege	2800	wmic.exe
Token: SeUndockPrivilege	2800	wmic.exe
Token: SeManageVolumePrivilege	2800	wmic.exe
Token: 33	2800	wmic.exe
Token: 34	2800	wmic.exe
Token: 35	2800	wmic.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2676	2076	1263aeb7669544ba5c597427740fd55a.exe	28
PID 2076 wrote to memory of 2676	2076	1263aeb7669544ba5c597427740fd55a.exe	28
PID 2076 wrote to memory of 2676	2076	1263aeb7669544ba5c597427740fd55a.exe	28
PID 2076 wrote to memory of 2676	2076	1263aeb7669544ba5c597427740fd55a.exe	28
PID 2676 wrote to memory of 2244	2676	bedfhaijcd.exe	30
PID 2676 wrote to memory of 2244	2676	bedfhaijcd.exe	30
PID 2676 wrote to memory of 2244	2676	bedfhaijcd.exe	30
PID 2676 wrote to memory of 2244	2676	bedfhaijcd.exe	30
PID 2676 wrote to memory of 2800	2676	bedfhaijcd.exe	32
PID 2676 wrote to memory of 2800	2676	bedfhaijcd.exe	32
PID 2676 wrote to memory of 2800	2676	bedfhaijcd.exe	32
PID 2676 wrote to memory of 2800	2676	bedfhaijcd.exe	32
PID 2676 wrote to memory of 2684	2676	bedfhaijcd.exe	35
PID 2676 wrote to memory of 2684	2676	bedfhaijcd.exe	35
PID 2676 wrote to memory of 2684	2676	bedfhaijcd.exe	35
PID 2676 wrote to memory of 2684	2676	bedfhaijcd.exe	35
PID 2676 wrote to memory of 2548	2676	bedfhaijcd.exe	37
PID 2676 wrote to memory of 2548	2676	bedfhaijcd.exe	37
PID 2676 wrote to memory of 2548	2676	bedfhaijcd.exe	37
PID 2676 wrote to memory of 2548	2676	bedfhaijcd.exe	37
PID 2676 wrote to memory of 2668	2676	bedfhaijcd.exe	39
PID 2676 wrote to memory of 2668	2676	bedfhaijcd.exe	39
PID 2676 wrote to memory of 2668	2676	bedfhaijcd.exe	39
PID 2676 wrote to memory of 2668	2676	bedfhaijcd.exe	39
PID 2676 wrote to memory of 2176	2676	bedfhaijcd.exe	40
PID 2676 wrote to memory of 2176	2676	bedfhaijcd.exe	40
PID 2676 wrote to memory of 2176	2676	bedfhaijcd.exe	40
PID 2676 wrote to memory of 2176	2676	bedfhaijcd.exe	40

C:\Users\Admin\AppData\Local\Temp\1263aeb7669544ba5c597427740fd55a.exe
"C:\Users\Admin\AppData\Local\Temp\1263aeb7669544ba5c597427740fd55a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe
  C:\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe 9,9,1,1,6,5,8,4,3,2,0 JkdIQzcxKzQdLVNMOU9IPjgoHCxMRUtOTlFFRDw5Lh4vO0BSU0M/NTExMiAmOkhDNysYK01QTztMQlNZRDw5MTQxFyZSRExRPU5cU1JDNGdzbmsyKyxxcm0lQ0RNRiVQTE4tOEdPLUNJPksdLUNDQEJKQz81HCxCMTQrMTAuLSk0HS1EKTQwNCowGCtBMT0kKB8uPi81KS4eLzssPCwrGydMT01ETDpTXkpNQVI+QVk0Fy5PTEo8UUBSXzxMS0A3GydMT01ETDpTXkg8RUE6V29sa3RhXyAqLHNnZFxmJDEqX2dza2pvWFtkcR8tKGxvbSUpJ3UfKUBQQVxTUkM0Hy4/Uz1bQEtEQ0BNRDcbJ0RMUVRWOVFOUU49TjouICZLR0BIRlFLUl1VSUM8HylRRTkvHi87SjA8GipKUUtSSUQ8XlY/RztLSkNJRDhGRE9NRDkdLUlKVlFUSE9BSUI7dGlsZB8pTT1QUlBOQEVGXk9OPU5cQkFQSjwxGipARUFDWDQoHy5DTldAVkxBREBCXj9JO05WTlQ8OzxlW2drYR0tREZOTUtJPDxbRk49KCc2LSsyMCouNzUlKTI4GipMRUpDPSgrMjQxLC8yMzQgJjtOVkhHRz1BXVRAREQ8MSopKy8uMSwhMTksMjIwMyhBRA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526418.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526418.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526418.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526418.txt bios get version
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703526418.txt bios get version
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703526418.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B3F.tmp\egtabuw.dll

Filesize
166KB

MD5
ab2a34b351e64147a9e4e158d1641bcb

SHA1
2705c0b99f98e910ff6efe8b0dd9679fbeb46387

SHA256
6b4e91c163fb195a85c915ff0effd2083983e86a73551f580bf1f602fa9f9826

SHA512
19c790e834f217fdfc9733610fe8e6fbc5f912510158646fe37031354149336bfb176feb1ea72a6b0dfd0869ea75d0e47388007ac5c044899cbcb599d1c1441e

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
765KB

MD5
e82290bcfe26d591c695ba0a97363ea1

SHA1
71373fe76f71bd683ac5b8e504e4930daec14a77

SHA256
cfaa48253219cd7628b8632d8c6c9e03ff37bb776d86c75dbb9afb6f2ef580b7

SHA512
7ce35e4086ad81f5b44c9a092ff6ff8fa06765c6fd81afca88bb669bba54b78cdbd2537cce0376592bda1a8bc5f0b4b58a756d1681a928442713f9945d1505ee

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
672KB

MD5
defa2cd8d3ed7272eb21d93a91fb7787

SHA1
bbad913ec30876987e4bf2ab14b543cb5744356a

SHA256
cd5b3c817152e8633d35f78830da9010410e0a24ea71263804fc4cb216c37ce4

SHA512
87120d6126c5f0e6cb7020dc454395987bec89ad12faa4876ee12a07d66a4f57e533fddb8686e153699b91481955d862f2747c76ad85b54f5cfb1da1298c6a3e

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
512KB

MD5
43fcda542ee5a67dcb33feeacd0c90e5

SHA1
357dc4d3f681aaa4651385971fb3c0550915f645

SHA256
a6ac9eab771361062c9204eb9c37e60f0e354b2decc6958585879184985fcddb

SHA512
3bdb36e521068ea3eda10d7589bf8c7d3a16948811aba8043f79541ae9e8ed07505041259625741fdd6f5654ba411edc9646d02d687acb3bc3dcbdb8b210b83e

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
363KB

MD5
9d0249d691113dd0f590e8ef848b34f1

SHA1
a573eeb0edd13a9caa094b981c431e3a50f94919

SHA256
9b38e747f6dba38bd9fa45f4a45e95ebb116ff677d52a57768a91e0608076441

SHA512
1c6e478590d92cef38df67f74d5a3d8c51032bc904ec995edf918ce295e56d6fb781804d3adb38203e95677f21f8a82d2d2e5223bbff1b208e72719ddb7b5c4a

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
552KB

MD5
c9fda832464d905c22881f9620ba9ef5

SHA1
c559d8ee757fb395afe9a2db9169f9e288a8aaf0

SHA256
4c10f9d0b209e688aac9ec0432a86060545cc0e946e58a8c5af16148ec1f80be

SHA512
71409b4187a829a5329a77f98edcd006c7cf979aada97de3f3f3494c845a6bf0d54aa36d92498ebddc7d66bf5daa9300880ea60888e18098a798b9c5bf0fad88

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
584KB

MD5
ff0af95b8ed853f0247c8039c1c300a0

SHA1
6e7cff09e098e10353cc3d210c55ad1361a0ee9b

SHA256
2edc6ddd8376a3d920088ba1ae553097f4f60754b6af4f495d82dd1f445039e7

SHA512
e7789ce1e0ede88bb7ba1fd526348ff8a4686d0a4f3aa82891a67a76c16bac65102d770ffdb0b375dd21eadb658ed71a3fa34ecfe95d7255de252240f07011d5

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
312KB

MD5
326187e7ede19f7ce65eaa562d96015b

SHA1
a816160d64a017516dde7f07e010ac1b018c7b6b

SHA256
5536a3a7e26bd9a55ec58ed60aaa29c61d9a57225f064d107c98668f770ce165

SHA512
006828e964f49b260b8ad878683b5749305ab63bd2d1af1145c4ea3de466a66317ae5ab3a583ec896be262cccfc0b0195c8f30a24bcf7138eb7bf5def01a6200

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhaijcd.exe

Filesize
556KB

MD5
9c2e4360e06a84c14eb80cefc0d6d93c

SHA1
e8485bbe70e49794c291c13e8f0524fb2a023d6f

SHA256
796f8446809fabc17944684ffebb0b87d98ee40c592691312a5b5290304f8b94

SHA512
497ff779d0d573278fbf5edf8736fe8c06ca9f0711b4c318d8c6b9ad6d3c3501a47bc8e06c69cdbc1c97fed28b579a905874108a373ba51fe27267bc71f02a16

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1B3F.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit