135f9a21bcb1c20a344012ce67832c27297dce024c5c740b055d66581d93a163

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117cb1613232d4b0596ca99894027a0f.exe
Size

740KB
MD5

117cb1613232d4b0596ca99894027a0f
SHA1

2f0205bcc48d59f6d416810f2d9eeda9193a766c
SHA256

135f9a21bcb1c20a344012ce67832c27297dce024c5c740b055d66581d93a163
SHA512

18b53fae4a569fd353a3840b476ca21de90d4953c1a554450c99cbd94340595f67e28cfb54ca7ed5e95cc009b21fecc0ae8ba8a29fba08ed75fc2b9569713acb
SSDEEP

12288:qnyfd2UhZ1g/2eD3s41xN2z5WKYmhUH+G9lTPzrSYDstP7kQXC8fc8vy4hn:qwr6/F3xDIz5WKIV1Pvk7kQXCR86Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1124	bedhfiibca.exe

Loads dropped DLL 11 IoCs

pid	Process
2356	117cb1613232d4b0596ca99894027a0f.exe
2356	117cb1613232d4b0596ca99894027a0f.exe
2356	117cb1613232d4b0596ca99894027a0f.exe
2356	117cb1613232d4b0596ca99894027a0f.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	1124	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3016	wmic.exe
Token: SeSecurityPrivilege	3016	wmic.exe
Token: SeTakeOwnershipPrivilege	3016	wmic.exe
Token: SeLoadDriverPrivilege	3016	wmic.exe
Token: SeSystemProfilePrivilege	3016	wmic.exe
Token: SeSystemtimePrivilege	3016	wmic.exe
Token: SeProfSingleProcessPrivilege	3016	wmic.exe
Token: SeIncBasePriorityPrivilege	3016	wmic.exe
Token: SeCreatePagefilePrivilege	3016	wmic.exe
Token: SeBackupPrivilege	3016	wmic.exe
Token: SeRestorePrivilege	3016	wmic.exe
Token: SeShutdownPrivilege	3016	wmic.exe
Token: SeDebugPrivilege	3016	wmic.exe
Token: SeSystemEnvironmentPrivilege	3016	wmic.exe
Token: SeRemoteShutdownPrivilege	3016	wmic.exe
Token: SeUndockPrivilege	3016	wmic.exe
Token: SeManageVolumePrivilege	3016	wmic.exe
Token: 33	3016	wmic.exe
Token: 34	3016	wmic.exe
Token: 35	3016	wmic.exe
Token: SeIncreaseQuotaPrivilege	3016	wmic.exe
Token: SeSecurityPrivilege	3016	wmic.exe
Token: SeTakeOwnershipPrivilege	3016	wmic.exe
Token: SeLoadDriverPrivilege	3016	wmic.exe
Token: SeSystemProfilePrivilege	3016	wmic.exe
Token: SeSystemtimePrivilege	3016	wmic.exe
Token: SeProfSingleProcessPrivilege	3016	wmic.exe
Token: SeIncBasePriorityPrivilege	3016	wmic.exe
Token: SeCreatePagefilePrivilege	3016	wmic.exe
Token: SeBackupPrivilege	3016	wmic.exe
Token: SeRestorePrivilege	3016	wmic.exe
Token: SeShutdownPrivilege	3016	wmic.exe
Token: SeDebugPrivilege	3016	wmic.exe
Token: SeSystemEnvironmentPrivilege	3016	wmic.exe
Token: SeRemoteShutdownPrivilege	3016	wmic.exe
Token: SeUndockPrivilege	3016	wmic.exe
Token: SeManageVolumePrivilege	3016	wmic.exe
Token: 33	3016	wmic.exe
Token: 34	3016	wmic.exe
Token: 35	3016	wmic.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1124	2356	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2356 wrote to memory of 1124	2356	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2356 wrote to memory of 1124	2356	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2356 wrote to memory of 1124	2356	117cb1613232d4b0596ca99894027a0f.exe	28
PID 1124 wrote to memory of 3016	1124	bedhfiibca.exe	29
PID 1124 wrote to memory of 3016	1124	bedhfiibca.exe	29
PID 1124 wrote to memory of 3016	1124	bedhfiibca.exe	29
PID 1124 wrote to memory of 3016	1124	bedhfiibca.exe	29
PID 1124 wrote to memory of 2460	1124	bedhfiibca.exe	32
PID 1124 wrote to memory of 2460	1124	bedhfiibca.exe	32
PID 1124 wrote to memory of 2460	1124	bedhfiibca.exe	32
PID 1124 wrote to memory of 2460	1124	bedhfiibca.exe	32
PID 1124 wrote to memory of 2100	1124	bedhfiibca.exe	34
PID 1124 wrote to memory of 2100	1124	bedhfiibca.exe	34
PID 1124 wrote to memory of 2100	1124	bedhfiibca.exe	34
PID 1124 wrote to memory of 2100	1124	bedhfiibca.exe	34
PID 1124 wrote to memory of 2588	1124	bedhfiibca.exe	36
PID 1124 wrote to memory of 2588	1124	bedhfiibca.exe	36
PID 1124 wrote to memory of 2588	1124	bedhfiibca.exe	36
PID 1124 wrote to memory of 2588	1124	bedhfiibca.exe	36
PID 1124 wrote to memory of 2448	1124	bedhfiibca.exe	38
PID 1124 wrote to memory of 2448	1124	bedhfiibca.exe	38
PID 1124 wrote to memory of 2448	1124	bedhfiibca.exe	38
PID 1124 wrote to memory of 2448	1124	bedhfiibca.exe	38
PID 1124 wrote to memory of 2308	1124	bedhfiibca.exe	40
PID 1124 wrote to memory of 2308	1124	bedhfiibca.exe	40
PID 1124 wrote to memory of 2308	1124	bedhfiibca.exe	40
PID 1124 wrote to memory of 2308	1124	bedhfiibca.exe	40

C:\Users\Admin\AppData\Local\Temp\117cb1613232d4b0596ca99894027a0f.exe
"C:\Users\Admin\AppData\Local\Temp\117cb1613232d4b0596ca99894027a0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\bedhfiibca.exe
  C:\Users\Admin\AppData\Local\Temp\bedhfiibca.exe 0!0!7!2!0!0!9!8!7!6!5 L1BCQj0xMCsvLRsvU05AUEk7NSkaKk5FTVVPUkJBPTcsJTIpbnJvW21cbmlhbV47UmVgZVphYCAvPUdTVEA8NiwyNzErHi9DQDw2KhsvUEtNRFU6TFhDPz0yLzc0MxcnTD9NVkVLXVVSQzVhbm9wOigtc3JtJj0/TkstTU1QLThISShETkZIHi9DQ0E8RUREPRktRDE0JSoaKkQyNisxICY8LDcoMSAoQjQ9JCkZKT81PSYvIC9HSkg+UENUWE5SSU05PFM4IC9JUE9ETDtNWUBVTDo7IC9HSkg+UENUWExBTTw1GSlAWEVYU1JMNBgoP1NFXzxLRExARj43Gy9ISFFUXzlKSFFORVI2MyAvS0A6SEZZT05dVVJDNRkpUU09Kx4vREopNhoqUlVHUklNPFdQP0dDT0ZDSU04Pz5PTUw9GS1JU1ZKTkhPSU0+O3RybF0ZKU1FVE5QTklFP1hPTkVSWEJBWUo1KxoqSEk9Q1g9KBgoQ05fRFJMQU1AO1g/SUNSUk5URTs1X1tnc2UZLURPTkZFSTxEX0JOPTEuLiczMS42LSwxNC4YKEo8UkFFSkVMVkFHTU9BTEU7ZmFja14aKlRJRkM9MSsrMC80NjMsMCAvO0dQSEdPQT1dVElEPTYxKjIyKDAwMSwiMTQsODouMCpQRA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703694220.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703694220.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703694220.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703694220.txt bios get version
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703694220.txt bios get version
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703694220.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
376KB

MD5
d31aab8d8e9daa7fd65a117b879a99a3

SHA1
73f4836284fb18b04e46bb8f6e18e00870eb1fa4

SHA256
a5cc29ee179b4adf44c2a1b969ebf4adde0692255c813c3f438eae2205eda83b

SHA512
ab451cd24fe5118d5a703726fe82092ac4b83c5edc4d0c0f27902dc1fbc2f577a12dfbb44a50639a0b2bc3e31290720356c9f093bcaa40bbcc4ab93243b34242

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
240KB

MD5
5957363d1aab8463f71cdfba58cbfc94

SHA1
4a037de399322688bf60bedbc24b0661d984db48

SHA256
f65ba2bcd9ad8b457111e9231a4611308f7ae580516ba2d84b03086eae43b2a4

SHA512
c2ceb7fa7c804d9dd90c67991d0e64150bcb2f179f875975226e2f928da0dc4cf7a7e7920c636a9ec282206e1146ce127809ede02bd239e46c14195f2b9406a9

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
1008KB

MD5
7764db5466ecca47968d527b163905e8

SHA1
4e804b2577fffd0ceb6ec3092d252d446557d3b5

SHA256
dc4368eb0604153dab14a4709ac0e125c0068786a8d7972d5fcde86974f2204f

SHA512
e376187e8b31ca1c6804e115793179fff8a9f8d251c0dac3a995d15e160bf169a779d74e52ad764952a6e69028f7f35f91019658bbb362e8b4863a16dd07e657

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
385KB

MD5
f79069ab6dadab9e878b816c03cf35ec

SHA1
5d128bbdc0ab374cafe289e238aa016d94cb3e08

SHA256
819d15f535e8065dcd0e3fc72b3cf5272844e6baddc426c97a73cb6f0f55f45b

SHA512
03e6f3ffd5b53b167fd240e558adbdd7129f9297189b2bb425d3891d305bb90b144baf5276505ff61656365283805d44de8e23dbe1a6e19ab42fbd2671aef8db

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
625KB

MD5
fff84fd4f80cb9524751efb8bf2a2f6d

SHA1
9c89aa5d4205686db8124d52844a3317aaddbb7a

SHA256
abba012946c150b09f187ae45cb72d1d6259b2d6c474b47c1e2a4d214b80eca9

SHA512
97ffdde7eefda6d0b7f609f3be921ee73c253eed8093323afb8ff6378fdb59ffc379b1b4bdf377c4ad20a1189161e7e7dc34a2ac3698d41109f287ec99a29828

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
520KB

MD5
cbbffc7396230b70fcced67ab5eb595b

SHA1
f0a45d49dfa2806e9140807c0b8895b972a0925e

SHA256
6e9a4fb21f2302828c53962c116c9e6687e2a774d9f798f691a20e2b0b34b777

SHA512
324c6aa6875804bf6b529038d996b0f1fa3168158866792e01a88a6bb6cf5dc2006bf232411c63e19cf0ad627ad36163a1fcf9eb8af72670a80d90483ce598b5

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
588KB

MD5
2e202727766973dca164b48a21ac788d

SHA1
ffd184c4cb14e729e5b75431aa25f2e2e3854f10

SHA256
c488b23a062ed44d63865213492c2d0d14cb5d35b9358b628e1465cd5e6123d6

SHA512
21160425befd4313890c16d9b1fa235461774b57f8f6b2163076c30706ac94b9dc2e580ea007e84a91bb0623948ae35c2198340a3e98fc1867da388a5a8528b4

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
698KB

MD5
8d00fbf49fd60d0c2cd6bdd236a80176

SHA1
c4872bdb951c315c743750bb37ada50dce348a25

SHA256
f0c4f81e050d3900b5aceca86964a8b98b776b1ae454cd040e8c7049745fb0d0

SHA512
17f747cbb77fc4ea92baa4107cca0011930b1623732528a7e7c66944be221817b3076e361a224ad8e7c144e1efb0aa9b1f7308293a881d007f854f9377ee093c

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
500KB

MD5
a86f9d653127b025d89373d76aee356d

SHA1
4cbad058ce784868bcce983387abdeab9c6dd039

SHA256
034acb85e867228d7f981d3fa27e505e49ae3e1a16e59e1992749bd7dbb47793

SHA512
9e89f57cd0274e4126e0782cf168c7286e20d4a83e649270ab544a43f50fefe8b3f24d4105408f3ce24345f9aa3a76297fdbb76e415021830f14698a68a6a00f

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
475KB

MD5
1ab7895a91163d288a9a9bbe584c3896

SHA1
133cd83838d0b7fa16307733dccf2de047aa551b

SHA256
c9abaa2cb68ee7ffe1737c570da4ec43c99ec6bcc6241f9b607d0269a034fb72

SHA512
0920301feed34c649aa6e156d27687ffda0a6275206bcce8563bac96ba9ccff779048331c62b007be0b3a65b484cbaa1b9ce56f4bef7a25673d0912e6a94a9bf

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
404KB

MD5
63b40880e19d3d485666f8dcb6fe2d23

SHA1
8d60c10209f2e33997460717a228bc4e525af7b9

SHA256
8479eebd77a21966db0f10be6afc21f2cbd73abb7d1c09310a5a5c4027b2198d

SHA512
98c45e99e460c32e4089e14d1b996acdf734c7f55f6a1f5f99dcd88bf5b9414395fcb63e359d60ea067afac4b81dd91b3d87cb1dc305f3220d054ec31a490cca

Download Submit
\Users\Admin\AppData\Local\Temp\nst1640.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nst1640.tmp\mowjtkb.dll

Filesize
170KB

MD5
2f7ef2c1e98e766d783e05b63656e661

SHA1
4b1a833d267f61b63835c0aa7c63d2b7e2ab222a

SHA256
7da5ec9a7c1fe811b2ef03aba08728201ebc6494c14e34df12dcaf4a1b5e3587

SHA512
359727c28580486e47ed08a7fbd7a5461fbe75b3cf1de8124e6a18e12cf5eca7e2d898575aa2ebc6511b47ebfbfa6fdd77c6a622044c9f05352ad3da5d31670b

Download Submit