cd2f3660422663ff389622595412a630482f1a060de398d68bfb8061dda9dc91

Analysis

max time kernel
117s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a9caa0e47e0307c4accdce258ffc8d.exe
Size

684KB
MD5

20a9caa0e47e0307c4accdce258ffc8d
SHA1

07943683978e976af495c9f151d2813438f66505
SHA256

cd2f3660422663ff389622595412a630482f1a060de398d68bfb8061dda9dc91
SHA512

6af329c0521b3f2d1f0cc788eb09b8c0899cc54786259a4d7ccdcde2ca43d5f66fc01bab541575afc53b7ea779906bdff7cec349cce5174bf838de429ce8f62e
SSDEEP

12288:RigVvVugSVWvoEnG+C+0hTNUzSnz+I0XYZenxSzotpvWz3fc8vy4hi:RiyvkSV+TNySzaoZqxSEtRWQ86L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2768	bedffhgjja.exe

Loads dropped DLL 11 IoCs

pid	Process
2864	20a9caa0e47e0307c4accdce258ffc8d.exe
2864	20a9caa0e47e0307c4accdce258ffc8d.exe
2864	20a9caa0e47e0307c4accdce258ffc8d.exe
2864	20a9caa0e47e0307c4accdce258ffc8d.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	2768	WerFault.exe	20

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2988	wmic.exe
Token: SeSecurityPrivilege	2988	wmic.exe
Token: SeTakeOwnershipPrivilege	2988	wmic.exe
Token: SeLoadDriverPrivilege	2988	wmic.exe
Token: SeSystemProfilePrivilege	2988	wmic.exe
Token: SeSystemtimePrivilege	2988	wmic.exe
Token: SeProfSingleProcessPrivilege	2988	wmic.exe
Token: SeIncBasePriorityPrivilege	2988	wmic.exe
Token: SeCreatePagefilePrivilege	2988	wmic.exe
Token: SeBackupPrivilege	2988	wmic.exe
Token: SeRestorePrivilege	2988	wmic.exe
Token: SeShutdownPrivilege	2988	wmic.exe
Token: SeDebugPrivilege	2988	wmic.exe
Token: SeSystemEnvironmentPrivilege	2988	wmic.exe
Token: SeRemoteShutdownPrivilege	2988	wmic.exe
Token: SeUndockPrivilege	2988	wmic.exe
Token: SeManageVolumePrivilege	2988	wmic.exe
Token: 33	2988	wmic.exe
Token: 34	2988	wmic.exe
Token: 35	2988	wmic.exe
Token: SeIncreaseQuotaPrivilege	2988	wmic.exe
Token: SeSecurityPrivilege	2988	wmic.exe
Token: SeTakeOwnershipPrivilege	2988	wmic.exe
Token: SeLoadDriverPrivilege	2988	wmic.exe
Token: SeSystemProfilePrivilege	2988	wmic.exe
Token: SeSystemtimePrivilege	2988	wmic.exe
Token: SeProfSingleProcessPrivilege	2988	wmic.exe
Token: SeIncBasePriorityPrivilege	2988	wmic.exe
Token: SeCreatePagefilePrivilege	2988	wmic.exe
Token: SeBackupPrivilege	2988	wmic.exe
Token: SeRestorePrivilege	2988	wmic.exe
Token: SeShutdownPrivilege	2988	wmic.exe
Token: SeDebugPrivilege	2988	wmic.exe
Token: SeSystemEnvironmentPrivilege	2988	wmic.exe
Token: SeRemoteShutdownPrivilege	2988	wmic.exe
Token: SeUndockPrivilege	2988	wmic.exe
Token: SeManageVolumePrivilege	2988	wmic.exe
Token: 33	2988	wmic.exe
Token: 34	2988	wmic.exe
Token: 35	2988	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe
Token: 33	2580	wmic.exe
Token: 34	2580	wmic.exe
Token: 35	2580	wmic.exe
Token: SeIncreaseQuotaPrivilege	2520	wmic.exe
Token: SeSecurityPrivilege	2520	wmic.exe
Token: SeTakeOwnershipPrivilege	2520	wmic.exe
Token: SeLoadDriverPrivilege	2520	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2768	2864	20a9caa0e47e0307c4accdce258ffc8d.exe	20
PID 2864 wrote to memory of 2768	2864	20a9caa0e47e0307c4accdce258ffc8d.exe	20
PID 2864 wrote to memory of 2768	2864	20a9caa0e47e0307c4accdce258ffc8d.exe	20
PID 2864 wrote to memory of 2768	2864	20a9caa0e47e0307c4accdce258ffc8d.exe	20
PID 2768 wrote to memory of 2988	2768	bedffhgjja.exe	18
PID 2768 wrote to memory of 2988	2768	bedffhgjja.exe	18
PID 2768 wrote to memory of 2988	2768	bedffhgjja.exe	18
PID 2768 wrote to memory of 2988	2768	bedffhgjja.exe	18
PID 2768 wrote to memory of 2580	2768	bedffhgjja.exe	32
PID 2768 wrote to memory of 2580	2768	bedffhgjja.exe	32
PID 2768 wrote to memory of 2580	2768	bedffhgjja.exe	32
PID 2768 wrote to memory of 2580	2768	bedffhgjja.exe	32
PID 2768 wrote to memory of 2520	2768	bedffhgjja.exe	27
PID 2768 wrote to memory of 2520	2768	bedffhgjja.exe	27
PID 2768 wrote to memory of 2520	2768	bedffhgjja.exe	27
PID 2768 wrote to memory of 2520	2768	bedffhgjja.exe	27
PID 2768 wrote to memory of 2476	2768	bedffhgjja.exe	31
PID 2768 wrote to memory of 2476	2768	bedffhgjja.exe	31
PID 2768 wrote to memory of 2476	2768	bedffhgjja.exe	31
PID 2768 wrote to memory of 2476	2768	bedffhgjja.exe	31
PID 2768 wrote to memory of 2828	2768	bedffhgjja.exe	30
PID 2768 wrote to memory of 2828	2768	bedffhgjja.exe	30
PID 2768 wrote to memory of 2828	2768	bedffhgjja.exe	30
PID 2768 wrote to memory of 2828	2768	bedffhgjja.exe	30
PID 2768 wrote to memory of 2604	2768	bedffhgjja.exe	39
PID 2768 wrote to memory of 2604	2768	bedffhgjja.exe	39
PID 2768 wrote to memory of 2604	2768	bedffhgjja.exe	39
PID 2768 wrote to memory of 2604	2768	bedffhgjja.exe	39

C:\Users\Admin\AppData\Local\Temp\20a9caa0e47e0307c4accdce258ffc8d.exe
"C:\Users\Admin\AppData\Local\Temp\20a9caa0e47e0307c4accdce258ffc8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe
  C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe 3,9,4,6,8,7,6,6,4,9,7 LEdFPjUrLCwtMBksSlE8SEI+NywXKEs8UFFHS0VDQDQqHSZAQ0tNQz45KTE2Ky8aJzxDPjknGSxHTkk8Tj1OW0A9Oik0LCkyGilPPEtTPE5ZTUtGN2RrbW0xKylra3AoQDxMSCRQSUgmO0pMJUJLPUsaJzxGQz9CQkE0HCk8KjcnLRcoQSk5JykZKT4vNCYuFys+LDYnKxwmPTI0KSsYKEpMSztOQEtbSkpCUDs/UDYdJkxMRz1PPVBWPlJDPTcYKEpMSztOQEtbSDlGPzc9TUBcRz9ZTG5oX1FnWC8nLS9XTF9ucWcZLDxUP1dOTEY5R2tsW3FdbFhPTEglcXVvHCk9UT9ZP0Q9SUBKPzUZKUJLSk1cOU5JT0w/TDkoGSxLRDtGRFNJUVZOT0M5GidPRzcuFyhBSi03GChMT0pLQko8W1E9RT1JSTxCSjhDP01LRjccJkJQVk5PRk1DR0E0bW9sYRonSz9OUUlHRkVDWU1MP0xbOzpWSjksGChCQ0A8UTooHClBTFk+VUU6SkA/WT1HPUxVR01COzlgWWVtXxwmPUxOSkZHOj5ZRUc2NioqKzAqKDAsJSoyFytOQUY/Ny0rLDIsNCwsKjEaKztIVEVISTk9WU5FRD46LSssMSgsKi0sIy4pNi8rMy0xJkdG
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756254.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756254.txt bios get version
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756254.txt bios get version
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756254.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2604

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756254.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703756254.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
29KB

MD5
7c17367510dada48954fdc7fe87b1f6f

SHA1
ec790afdfa7b8282feb370d708a3a65177412e53

SHA256
152a912b796f4a9e2c53087558df140a5c187d4cb16c6e7dd4b742008dde4104

SHA512
2e0ad23242191a8b6956f14f9b649aaec7fde6ef96330fed55c755ac62db1df0237099c12f3532597544139415b964a9a7bea7666d5f0109118039c53c53d681

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
35KB

MD5
a5a7410e42d266a56a779bd329a26602

SHA1
474bb9d07034a59e2557728679abe5db376f2ec5

SHA256
95f5eabb459701d97088c4cca811aacf6f0437bb19735ded3508736c3c66cb67

SHA512
9d8da430bcc187531b70088c81e8fee3cf91183118be3d4dbe034c72647bf4ed71674944cb0b94790f1b321e8881fef6bb9a38768cc8d283db4bb2b8f4186f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstBAC8.tmp\eynttqz.dll

Filesize
23KB

MD5
dd2b286f2930351d36ea9b07df998a6d

SHA1
1e6136e598cf5c586966484e8a962e0ed6f2b6b9

SHA256
4c0e98e2ce7cda5df234c7a765f710b0135ecf225d6a209924e358cdcf827a90

SHA512
a2ed51c984f7c37a5efb2fe93e0c1893119a193db242c989b52a9511e0f6f8fed881bae411b3073775a5fec95bf9b9b4ac35b835ce57ae41414bc6e45aea6f41

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
29KB

MD5
792b7a2f961d98091e2fa9574745a0c8

SHA1
9cd8bf0a34ce899c73f083657f3b72fc0b03fbfd

SHA256
c9fbc57e7ecc853cace19d0014586018626eec716f96e0e6aae76ee926212b04

SHA512
843a4ad3b9d669c866584e11ff3cebd07b1105ef7d390b638cdc722ac58ab657a82971ec7ed79a6a7a844abf25843333de372c2ffaf7bedd7935510ff2ad34bb

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
28KB

MD5
e7df5080f4ad554509dfad9f51001775

SHA1
c7693da8a274bf5809db60c3522df99f883ca720

SHA256
1f7082452cf6567f9a3147b7820be06b8f90074f966a6dd7349dce4387ea2bf6

SHA512
69a989eb15d9fafa4eaa46ee7eec1291dda5940c9a52276a36b88e3b980acad3d1e4d9072fd32a1a41ce8c60bcd5c80c2eb20e9963b7fece670284f852684ee9

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
77KB

MD5
79d6bc2ccf0879f8842fac33e8cd49b0

SHA1
6cee867a2352a7fb5c9bd90cac4d43dc90334f21

SHA256
ff99aa584651883829b7d0918bcd2b42298050bf1fb5ea705f6d63df3fa3a3c2

SHA512
473ee108028970953b4cd78d6a3353030e5b5c1698c0143bed963d46e1c323bbe003eeea30b85eb41d1c86e38d259ba5738e0048a45385d6959b366919504c9a

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
36KB

MD5
dc874009e7cb2799a03d631bb1590352

SHA1
e62385d0719b16f6a04658018788c629b8633243

SHA256
d943f671adcb5b9dbf66cb6b6c7a16173ec05d7c5c4666d8d5e72a0f76f9c20b

SHA512
915a0cba5be6a83307b35a57a629dfc5b6db6b60213ee6575fc267528e8d842f86d026ddf601127a569650bc27b512d0da3d2a3fe6afc383eeec6d623c9519d1

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
45KB

MD5
5239d0bc455dabf39832315f7d60a211

SHA1
7d9272bac7778254c8474fe91439941da9c8c74b

SHA256
c167ad6856b3774da8592f3b1645aac2c11a17283e37d80cacd34cf1d90e1ce4

SHA512
20289595c535a53f00326954c19cb2376fea39ab8286ad6f7ce8aa9d71bff5c0e63ac779727fbb63097d0fd49e65c8681781ffae7af5c4a60dc7e38e549c2fe2

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
67KB

MD5
406998deca460e07248ee977b71eb4e4

SHA1
7990dc11097883cfd3b19b7a4010484f789cd759

SHA256
5f4339be5c2bb9b257f8882e7439abd3902622237c197716822e099885a2e24d

SHA512
6710e70396dbf6108cfc6f017509161547d86e3fdfacd1e6dd5ed7c105e6876fdbe72b11419933405c407ddff79a588881fc1ba0c4881015dbafb05ef350d1c1

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
77KB

MD5
c9310d498d79aaa798bcc879b227fa64

SHA1
96e21b0a5d464e6e8f61792b383556a38b7bd09e

SHA256
a0d8f7e5af1582c9a2d68b802f5decb307999230683933a68ce317ceef3a0de2

SHA512
ad146d7e6e6e2db960111aa3888e26f410b839ba3ae2be8bd1ab71fde865ae23111dd065453cb6f5ab7755c7e74e2e4055b37d1fe447f473a85aeaef4add2f8b

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
50KB

MD5
ef3bee6b4413192117c07708bff22b69

SHA1
dffe30ae8c5ec176ff0a1e2e96d462835b9a5972

SHA256
65ca5c96aa583bb745a6b96a6dc7b431e20f0b26952dfa4bb4fe1c5e805663a9

SHA512
31080bae58144c4f307b31d010e4a99f0bf9f8348da1c2db796e3acc8ff0134a0cf312b2faf053aa65a8d5a93ffaf74eda3f2259adea3e7d1eed10ea0091fb14

Download Submit
\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
104KB

MD5
ff47d8f3ff8d8999a0afcd4198a326a5

SHA1
ecdf234b1c8610b7098378406af8d1a635b4e7f1

SHA256
fce1bd385fdc35eb5d7d33e66c1603fa25551020b756b90fab52911538902100

SHA512
a19c7f1286fb97021ff37c74dc87e1aa97cbb3ef8387abbd72221ecb4d6a4686443940d1f93d02ddc6b58e1187d375d77a18753beb92a2a81693add341ad6b35

Download Submit
\Users\Admin\AppData\Local\Temp\nstBAC8.tmp\ZipDLL.dll

Filesize
10KB

MD5
e83a6856f6207cf05f26023791888c53

SHA1
d296bcf6f52257f1926d60f407539bf03bd0ea3d

SHA256
9bbc0ae06937fbe7d09c23f822fcb39914f23b0dc5a4abbffce4267979a3ddef

SHA512
f37ef5958e4e5dd78347366815d43fbdf63e835f2c7e10b66a663231ce01afc6188de4418df1a4f6834b62d5de2b5e327698da0121dc54aa7294a2b4227e0d38

Download Submit
\Users\Admin\AppData\Local\Temp\nstBAC8.tmp\eynttqz.dll

Filesize
28KB

MD5
8380906ef7de0d384c63b6521f8ec54d

SHA1
3864ab542ff3dcde3bd3048f621deef0348a8cd7

SHA256
0d8e34b358df69e7398b658ba616a02c43289e220800a1813131b42673acf856

SHA512
13d29d8cfe3165286b5cdbffb82b29adb6900a828b749ffcc7ab9d6ec5f5a9db7685f4d226aeda252210cd985d9e2c950467c46c6ee7b6d6ca824ba8d1a75035

Download Submit