d71c4cf97c8ab7bc7224b978c949858e180cb8683d750d9ac212c5957feedeea

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11c0d69ad738509cff0fdb246a39ed34.exe
Size

641KB
MD5

11c0d69ad738509cff0fdb246a39ed34
SHA1

b2ae3e69e3b8a7e5b0044ffb71acf48549d0b7d5
SHA256

d71c4cf97c8ab7bc7224b978c949858e180cb8683d750d9ac212c5957feedeea
SHA512

6e833e48fdb9793fb0a2bf58967700868a92e12f1d42b7ecd725976f01739a51d1500200e96561ab897f3483d3a5da6711a7c80099af006af358e19ca757a76c
SSDEEP

12288:rAvRNj1tU3Gh/RlhHqz0+sGNmQ9BUfPPf//uY4XKw8fTQPT3RZTafc8vy4hj:rA5l3UWh1KA+D8YBUfPHuY4XKw8f8P7C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	bedfhegfah.exe

Loads dropped DLL 11 IoCs

pid	Process
2888	11c0d69ad738509cff0fdb246a39ed34.exe
2888	11c0d69ad738509cff0fdb246a39ed34.exe
2888	11c0d69ad738509cff0fdb246a39ed34.exe
2888	11c0d69ad738509cff0fdb246a39ed34.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2628	2860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2404	wmic.exe
Token: SeSecurityPrivilege	2404	wmic.exe
Token: SeTakeOwnershipPrivilege	2404	wmic.exe
Token: SeLoadDriverPrivilege	2404	wmic.exe
Token: SeSystemProfilePrivilege	2404	wmic.exe
Token: SeSystemtimePrivilege	2404	wmic.exe
Token: SeProfSingleProcessPrivilege	2404	wmic.exe
Token: SeIncBasePriorityPrivilege	2404	wmic.exe
Token: SeCreatePagefilePrivilege	2404	wmic.exe
Token: SeBackupPrivilege	2404	wmic.exe
Token: SeRestorePrivilege	2404	wmic.exe
Token: SeShutdownPrivilege	2404	wmic.exe
Token: SeDebugPrivilege	2404	wmic.exe
Token: SeSystemEnvironmentPrivilege	2404	wmic.exe
Token: SeRemoteShutdownPrivilege	2404	wmic.exe
Token: SeUndockPrivilege	2404	wmic.exe
Token: SeManageVolumePrivilege	2404	wmic.exe
Token: 33	2404	wmic.exe
Token: 34	2404	wmic.exe
Token: 35	2404	wmic.exe
Token: SeIncreaseQuotaPrivilege	2404	wmic.exe
Token: SeSecurityPrivilege	2404	wmic.exe
Token: SeTakeOwnershipPrivilege	2404	wmic.exe
Token: SeLoadDriverPrivilege	2404	wmic.exe
Token: SeSystemProfilePrivilege	2404	wmic.exe
Token: SeSystemtimePrivilege	2404	wmic.exe
Token: SeProfSingleProcessPrivilege	2404	wmic.exe
Token: SeIncBasePriorityPrivilege	2404	wmic.exe
Token: SeCreatePagefilePrivilege	2404	wmic.exe
Token: SeBackupPrivilege	2404	wmic.exe
Token: SeRestorePrivilege	2404	wmic.exe
Token: SeShutdownPrivilege	2404	wmic.exe
Token: SeDebugPrivilege	2404	wmic.exe
Token: SeSystemEnvironmentPrivilege	2404	wmic.exe
Token: SeRemoteShutdownPrivilege	2404	wmic.exe
Token: SeUndockPrivilege	2404	wmic.exe
Token: SeManageVolumePrivilege	2404	wmic.exe
Token: 33	2404	wmic.exe
Token: 34	2404	wmic.exe
Token: 35	2404	wmic.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2860	2888	11c0d69ad738509cff0fdb246a39ed34.exe	28
PID 2888 wrote to memory of 2860	2888	11c0d69ad738509cff0fdb246a39ed34.exe	28
PID 2888 wrote to memory of 2860	2888	11c0d69ad738509cff0fdb246a39ed34.exe	28
PID 2888 wrote to memory of 2860	2888	11c0d69ad738509cff0fdb246a39ed34.exe	28
PID 2860 wrote to memory of 2404	2860	bedfhegfah.exe	17
PID 2860 wrote to memory of 2404	2860	bedfhegfah.exe	17
PID 2860 wrote to memory of 2404	2860	bedfhegfah.exe	17
PID 2860 wrote to memory of 2404	2860	bedfhegfah.exe	17
PID 2860 wrote to memory of 2600	2860	bedfhegfah.exe	27
PID 2860 wrote to memory of 2600	2860	bedfhegfah.exe	27
PID 2860 wrote to memory of 2600	2860	bedfhegfah.exe	27
PID 2860 wrote to memory of 2600	2860	bedfhegfah.exe	27
PID 2860 wrote to memory of 2576	2860	bedfhegfah.exe	26
PID 2860 wrote to memory of 2576	2860	bedfhegfah.exe	26
PID 2860 wrote to memory of 2576	2860	bedfhegfah.exe	26
PID 2860 wrote to memory of 2576	2860	bedfhegfah.exe	26
PID 2860 wrote to memory of 2484	2860	bedfhegfah.exe	24
PID 2860 wrote to memory of 2484	2860	bedfhegfah.exe	24
PID 2860 wrote to memory of 2484	2860	bedfhegfah.exe	24
PID 2860 wrote to memory of 2484	2860	bedfhegfah.exe	24
PID 2860 wrote to memory of 2516	2860	bedfhegfah.exe	23
PID 2860 wrote to memory of 2516	2860	bedfhegfah.exe	23
PID 2860 wrote to memory of 2516	2860	bedfhegfah.exe	23
PID 2860 wrote to memory of 2516	2860	bedfhegfah.exe	23
PID 2860 wrote to memory of 2628	2860	bedfhegfah.exe	22
PID 2860 wrote to memory of 2628	2860	bedfhegfah.exe	22
PID 2860 wrote to memory of 2628	2860	bedfhegfah.exe	22
PID 2860 wrote to memory of 2628	2860	bedfhegfah.exe	22

C:\Users\Admin\AppData\Local\Temp\11c0d69ad738509cff0fdb246a39ed34.exe
"C:\Users\Admin\AppData\Local\Temp\11c0d69ad738509cff0fdb246a39ed34.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\bedfhegfah.exe
  C:\Users\Admin\AppData\Local\Temp\bedfhegfah.exe 2\5\6\2\6\1\7\7\5\2\7 LUtDQjcxKywyMRktTk9ASkg9NiseKExATlVJUURCPzsqHio+R01TQj04MDIuLzIeKUJCPTguGS1LTE0+VDxNWkc9Oy0yMSs4GShOQ0tUQExdT1FFNmNybW41KS1tcW8nP0NMSShOTUosOklLLEJMQUkeKUJFQj5JQkI4Gi0+MDYmLB4oQi03KysfKD0uOyYvGylCLjwmKhstPTM4Jy8aLklLSkJOQU9ZTkxITzo+VzYeKkpQSUNOPE9dPlNHOzsaLklLSkJOQU9ZTDtMPjZDeGV0YGBpX2tiME9wZGM/b2BmYGM/cGplZ2leZ2wfKD5TQ1hTTUY7Gi4+UUBdPEs/RkdIRDYZKkZIUU9ZQExOUExAUDYuGylSQkBHRFRNTl1QTEo3HyhPSDsrHio+USs8GShNU0dSREdDWVY+RT5NRkNERz9BRE5LRzsZLURNXUxUR01ESz47b2xzXx8oS0BSTlBJQ0xBXk5MQFBYQjxTUTcxGShDRz1DUzcvGi5CTFpCUkw8R0c9Xj5HPlBSTk8/QjdlWmVuYxktP0lVSEtIOj9dQk44MTAoMCcqNDQnLzMuHilTQkZAOyoyLi81LzYtLDMeKEJKUUxGTjo9WlJCS0A3NSkwKCsrLy4oLDQxKjksMSVORg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539740.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539740.txt bios get version
1⤵
PID:2516

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539740.txt bios get version
1⤵
PID:2484

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539740.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703539740.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst8D8.tmp\docqoul.dll

Filesize
92KB

MD5
8e9a99fb95a178ab584f77a604916493

SHA1
adb5c1ac8f74cc45562e3875367e70be19a360d4

SHA256
7662911c857dc45ff7b64eb8708a58001edf589d1d314df73a35d5c6180ae49d

SHA512
4ca1e811574db169d7ff4df15c0b88d0eddbcf36f41b2b5fbdbba6c71f51065d76051d9fab4ac0b997f83b237ffb5ba6548829cc20bbbddfbe4e89a4fd7b0e06

Download Submit