ff8074793b7d8f0197ef25355e46de02f30a7bd77653e70513bc248b13690ac0

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 09:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14b9402997b398941fea4f498f713a00.exe
Size

641KB
MD5

14b9402997b398941fea4f498f713a00
SHA1

6be08f536454ccfe8374a61470b2d1b3cc7a0dbc
SHA256

ff8074793b7d8f0197ef25355e46de02f30a7bd77653e70513bc248b13690ac0
SHA512

5e4a048377b4b35e13ef0d894a2a5cdb134a08ce92314ea1bf3b8695427d5e359628f13279b4fa7325e78a2efe677696b06237d513fd5c1a01eee159b1987808
SSDEEP

12288:FXqsurkuC80WRxeZ98RLQsK528dnZtvJrjfi/fc8vy4htJ:FahQuFaSRM5rl9jb86mJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	bedfibgjeb.exe

Loads dropped DLL 11 IoCs

pid	Process
2920	14b9402997b398941fea4f498f713a00.exe
2920	14b9402997b398941fea4f498f713a00.exe
2920	14b9402997b398941fea4f498f713a00.exe
2920	14b9402997b398941fea4f498f713a00.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	3004	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe
Token: SeManageVolumePrivilege	2884	wmic.exe
Token: 33	2884	wmic.exe
Token: 34	2884	wmic.exe
Token: 35	2884	wmic.exe
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe
Token: SeManageVolumePrivilege	2884	wmic.exe
Token: 33	2884	wmic.exe
Token: 34	2884	wmic.exe
Token: 35	2884	wmic.exe
Token: SeIncreaseQuotaPrivilege	2640	wmic.exe
Token: SeSecurityPrivilege	2640	wmic.exe
Token: SeTakeOwnershipPrivilege	2640	wmic.exe
Token: SeLoadDriverPrivilege	2640	wmic.exe
Token: SeSystemProfilePrivilege	2640	wmic.exe
Token: SeSystemtimePrivilege	2640	wmic.exe
Token: SeProfSingleProcessPrivilege	2640	wmic.exe
Token: SeIncBasePriorityPrivilege	2640	wmic.exe
Token: SeCreatePagefilePrivilege	2640	wmic.exe
Token: SeBackupPrivilege	2640	wmic.exe
Token: SeRestorePrivilege	2640	wmic.exe
Token: SeShutdownPrivilege	2640	wmic.exe
Token: SeDebugPrivilege	2640	wmic.exe
Token: SeSystemEnvironmentPrivilege	2640	wmic.exe
Token: SeRemoteShutdownPrivilege	2640	wmic.exe
Token: SeUndockPrivilege	2640	wmic.exe
Token: SeManageVolumePrivilege	2640	wmic.exe
Token: 33	2640	wmic.exe
Token: 34	2640	wmic.exe
Token: 35	2640	wmic.exe
Token: SeIncreaseQuotaPrivilege	2624	wmic.exe
Token: SeSecurityPrivilege	2624	wmic.exe
Token: SeTakeOwnershipPrivilege	2624	wmic.exe
Token: SeLoadDriverPrivilege	2624	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 3004	2920	14b9402997b398941fea4f498f713a00.exe	27
PID 2920 wrote to memory of 3004	2920	14b9402997b398941fea4f498f713a00.exe	27
PID 2920 wrote to memory of 3004	2920	14b9402997b398941fea4f498f713a00.exe	27
PID 2920 wrote to memory of 3004	2920	14b9402997b398941fea4f498f713a00.exe	27
PID 3004 wrote to memory of 2884	3004	bedfibgjeb.exe	28
PID 3004 wrote to memory of 2884	3004	bedfibgjeb.exe	28
PID 3004 wrote to memory of 2884	3004	bedfibgjeb.exe	28
PID 3004 wrote to memory of 2884	3004	bedfibgjeb.exe	28
PID 3004 wrote to memory of 2640	3004	bedfibgjeb.exe	32
PID 3004 wrote to memory of 2640	3004	bedfibgjeb.exe	32
PID 3004 wrote to memory of 2640	3004	bedfibgjeb.exe	32
PID 3004 wrote to memory of 2640	3004	bedfibgjeb.exe	32
PID 3004 wrote to memory of 2624	3004	bedfibgjeb.exe	33
PID 3004 wrote to memory of 2624	3004	bedfibgjeb.exe	33
PID 3004 wrote to memory of 2624	3004	bedfibgjeb.exe	33
PID 3004 wrote to memory of 2624	3004	bedfibgjeb.exe	33
PID 3004 wrote to memory of 1676	3004	bedfibgjeb.exe	35
PID 3004 wrote to memory of 1676	3004	bedfibgjeb.exe	35
PID 3004 wrote to memory of 1676	3004	bedfibgjeb.exe	35
PID 3004 wrote to memory of 1676	3004	bedfibgjeb.exe	35
PID 3004 wrote to memory of 1268	3004	bedfibgjeb.exe	37
PID 3004 wrote to memory of 1268	3004	bedfibgjeb.exe	37
PID 3004 wrote to memory of 1268	3004	bedfibgjeb.exe	37
PID 3004 wrote to memory of 1268	3004	bedfibgjeb.exe	37
PID 3004 wrote to memory of 2680	3004	bedfibgjeb.exe	39
PID 3004 wrote to memory of 2680	3004	bedfibgjeb.exe	39
PID 3004 wrote to memory of 2680	3004	bedfibgjeb.exe	39
PID 3004 wrote to memory of 2680	3004	bedfibgjeb.exe	39

C:\Users\Admin\AppData\Local\Temp\14b9402997b398941fea4f498f713a00.exe
"C:\Users\Admin\AppData\Local\Temp\14b9402997b398941fea4f498f713a00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe
  C:\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe 5\5\9\0\8\5\1\0\5\1\6 KktARDUsNjEvNxoqTkxCSERDPSsfKUlAS1dHTUpJPzwrGyo7SUtPSEQ4MS0rMicgJz5IRDgvGipLSU88UEJUWkg+OC0pMi4rHy9ORExRQElfTU1LPWNzbms1Ji9rbXUuP0RNRihLT0goQFBLLUNJQUYgJz5LST5KQz84Fy88LDwtLB8pPy00LSkbLkQuPCcsGyZELDgsMRsuPjA4JDEYKk9SSkNPPk9WUEpEVUE+WDcbKkdSRz9UQ09eP1BHOD0YKk9SSkNPPk9WTjlIRD1LUUk/UDpUV0lATUAfKUBTPF9NTUs9Gy4/U0BWQ0U/S0lJRDcbKj9PS09eQk1OUU5AST0oGy5UQ0BIRlRGVVdQUUw4HylRSDQyGCpDUyw8GipNTE5MRExFWlY/Rz5GTT1ETEFCRE9NRzQgJ0RSX01USE9EREU1b3F1YB8pTUBLVUpJSE5CXk9OQElfPDxYUzgxGipDQEQ9UzwxGy5DTlo7WUY8TEk+Xj9JPklZSE9ERDhlW2duXCAnP05XSUtJPD9WSUg4MTExLSsyKTA5JjQ2ICpTQ0hANDEsLjQ4LjIqKy0XLzxKVk5HTjs/WktJRUA8NyoxKS0rKDUiLC86Li80Ky0hQUU=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703709731.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703709731.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703709731.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703709731.txt bios get version
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703709731.txt bios get version
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703709731.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
763KB

MD5
b9e319f299db3b67004506127a3d91a6

SHA1
a86e2e9099ea5f77445f41fafe92a7567413d4e2

SHA256
4680a7c84e58af3bb7f694bf98262309db81006bc697294ebba1dfa39c879ef1

SHA512
42661f44379063ba81b52b37ac12ff1bf3fcb0d261d9380e1894975d10d7f6208a53cb19c9f385d123d50557d38054e355f01a5f1083f71aab9a376fac8321b5

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
707KB

MD5
b58a6e9fe0415a5e164ada969f0c8e9a

SHA1
2c068687dd2374ae606688097a77c068e51911aa

SHA256
215013b403ad6e45dc13c600d6ba2197d89b9515f74f061458377e9e8342242e

SHA512
4b80900e978e90496da032e563c6991a5bb46356876eb8299f78616319905358b85b5528d2f63a61fccfa5c1ecbf4e62a03a7ed93cdd67f040e6429eaec3d255

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
272KB

MD5
562afa962d196c545d3f172f85dafda6

SHA1
0fa8d1f389317fa78eaaa5f17308c6a1ee271ed3

SHA256
360b27c408e80e4c8f2e57cee7ac3e6f6843a7a32ecc6eb6c2aa08634997d877

SHA512
d976b9e6452e7a02ad668bfb48790ae8f613edeb9e4de82a63d969bc822c15cd54494d12ce2d4bdb640af43b7cd6f972933690e558adf8a8e740485c5af8de89

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
248KB

MD5
e702bdb94a234c8af7af82d6d7eef124

SHA1
c646c7e505f7351e34d174f7479fa3de6dd327fa

SHA256
dc024303a6438a4abab69880cabd65f697ac73bc68c1db5e5368d6ca5f9d33dd

SHA512
c831475fbd20fc879248ea80399f6d58fd672d7873ae74ab881c687508ff0f11ddba5495d14fb23d3b817a036a0046b77d293b8253ad05d1241083cb3c42f473

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
234KB

MD5
193ffa7fc587fc172120ff355d441cbc

SHA1
b7f1f698cab890bd7aa07d245f2534028f9c494f

SHA256
25ffaa04b7139897b493d753ff6604f3993b352b312ab44e5a7146dd95a4f7db

SHA512
a3c33020301547295edd6cda0ca5291e250134c6b09f1ca6f18a510c574a713ada5965278d59975230e9dcd095cdc8d71bc02c0e4aee6152e4806eb511dfe1c3

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
139KB

MD5
fb5194b6f564916bc4deb4f8b21fb52d

SHA1
9be2ffd9ac3c108b0a6185c7e2826e61b318a38d

SHA256
d871e148b120cda543438846124d4e0b8512dae9c0379680cbd54b06dc405eef

SHA512
a86ec1fe2149c181a53a13532cbea8ff9715bf53f05b868677db2966a066b3594f0da6220f5c80cad91128a536de64c8893051bda89770ffd1640e50b396faff

Download Submit
\Users\Admin\AppData\Local\Temp\bedfibgjeb.exe

Filesize
66KB

MD5
513df013205131db4cc7add6506be9f1

SHA1
647d812b947b804cb8e0c51bba6f1d452826ccef

SHA256
0bcb782ac6131ed0da56e1f3d1a52ad4d920c79618ef642ea99eb9c4e070da46

SHA512
202ce00f74cef4c7635bdf344c51aa01e0d1778e01a8077405e53c0fed44a281b2bea40914319d1cf2910da901b4752f439ccbd5ded71219e95c348b23c12fb7

Download Submit
\Users\Admin\AppData\Local\Temp\nsj844E.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsj844E.tmp\bpcnrtp.dll

Filesize
166KB

MD5
250221a999b372a3d7318c388ad51fe2

SHA1
8fd2692d924b777e0146cfe4a57cfc03d07756f8

SHA256
433cd8268b8f94eb0393af2ab219ccc6b4cfe902d70e17a4d8d123582c156db2

SHA512
b38c368581231242f657c27394d28ddff12f347a81858228da23c19f797684a8d28fe3e0d0c0e853b3c6d719761974a309034db1db07451426b501d027edf3d9

Download Submit