cd2f3660422663ff389622595412a630482f1a060de398d68bfb8061dda9dc91

Analysis

max time kernel
155s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a9caa0e47e0307c4accdce258ffc8d.exe
Size

684KB
MD5

20a9caa0e47e0307c4accdce258ffc8d
SHA1

07943683978e976af495c9f151d2813438f66505
SHA256

cd2f3660422663ff389622595412a630482f1a060de398d68bfb8061dda9dc91
SHA512

6af329c0521b3f2d1f0cc788eb09b8c0899cc54786259a4d7ccdcde2ca43d5f66fc01bab541575afc53b7ea779906bdff7cec349cce5174bf838de429ce8f62e
SSDEEP

12288:RigVvVugSVWvoEnG+C+0hTNUzSnz+I0XYZenxSzotpvWz3fc8vy4hi:RiyvkSV+TNySzaoZqxSEtRWQ86L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4516	bedffhgjja.exe

Loads dropped DLL 2 IoCs

pid	Process
3544	20a9caa0e47e0307c4accdce258ffc8d.exe
3544	20a9caa0e47e0307c4accdce258ffc8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4540	4516	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3984	wmic.exe
Token: SeSecurityPrivilege	3984	wmic.exe
Token: SeTakeOwnershipPrivilege	3984	wmic.exe
Token: SeLoadDriverPrivilege	3984	wmic.exe
Token: SeSystemProfilePrivilege	3984	wmic.exe
Token: SeSystemtimePrivilege	3984	wmic.exe
Token: SeProfSingleProcessPrivilege	3984	wmic.exe
Token: SeIncBasePriorityPrivilege	3984	wmic.exe
Token: SeCreatePagefilePrivilege	3984	wmic.exe
Token: SeBackupPrivilege	3984	wmic.exe
Token: SeRestorePrivilege	3984	wmic.exe
Token: SeShutdownPrivilege	3984	wmic.exe
Token: SeDebugPrivilege	3984	wmic.exe
Token: SeSystemEnvironmentPrivilege	3984	wmic.exe
Token: SeRemoteShutdownPrivilege	3984	wmic.exe
Token: SeUndockPrivilege	3984	wmic.exe
Token: SeManageVolumePrivilege	3984	wmic.exe
Token: 33	3984	wmic.exe
Token: 34	3984	wmic.exe
Token: 35	3984	wmic.exe
Token: 36	3984	wmic.exe
Token: SeIncreaseQuotaPrivilege	3984	wmic.exe
Token: SeSecurityPrivilege	3984	wmic.exe
Token: SeTakeOwnershipPrivilege	3984	wmic.exe
Token: SeLoadDriverPrivilege	3984	wmic.exe
Token: SeSystemProfilePrivilege	3984	wmic.exe
Token: SeSystemtimePrivilege	3984	wmic.exe
Token: SeProfSingleProcessPrivilege	3984	wmic.exe
Token: SeIncBasePriorityPrivilege	3984	wmic.exe
Token: SeCreatePagefilePrivilege	3984	wmic.exe
Token: SeBackupPrivilege	3984	wmic.exe
Token: SeRestorePrivilege	3984	wmic.exe
Token: SeShutdownPrivilege	3984	wmic.exe
Token: SeDebugPrivilege	3984	wmic.exe
Token: SeSystemEnvironmentPrivilege	3984	wmic.exe
Token: SeRemoteShutdownPrivilege	3984	wmic.exe
Token: SeUndockPrivilege	3984	wmic.exe
Token: SeManageVolumePrivilege	3984	wmic.exe
Token: 33	3984	wmic.exe
Token: 34	3984	wmic.exe
Token: 35	3984	wmic.exe
Token: 36	3984	wmic.exe
Token: SeIncreaseQuotaPrivilege	1152	wmic.exe
Token: SeSecurityPrivilege	1152	wmic.exe
Token: SeTakeOwnershipPrivilege	1152	wmic.exe
Token: SeLoadDriverPrivilege	1152	wmic.exe
Token: SeSystemProfilePrivilege	1152	wmic.exe
Token: SeSystemtimePrivilege	1152	wmic.exe
Token: SeProfSingleProcessPrivilege	1152	wmic.exe
Token: SeIncBasePriorityPrivilege	1152	wmic.exe
Token: SeCreatePagefilePrivilege	1152	wmic.exe
Token: SeBackupPrivilege	1152	wmic.exe
Token: SeRestorePrivilege	1152	wmic.exe
Token: SeShutdownPrivilege	1152	wmic.exe
Token: SeDebugPrivilege	1152	wmic.exe
Token: SeSystemEnvironmentPrivilege	1152	wmic.exe
Token: SeRemoteShutdownPrivilege	1152	wmic.exe
Token: SeUndockPrivilege	1152	wmic.exe
Token: SeManageVolumePrivilege	1152	wmic.exe
Token: 33	1152	wmic.exe
Token: 34	1152	wmic.exe
Token: 35	1152	wmic.exe
Token: 36	1152	wmic.exe
Token: SeIncreaseQuotaPrivilege	1152	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4516	3544	20a9caa0e47e0307c4accdce258ffc8d.exe	89
PID 3544 wrote to memory of 4516	3544	20a9caa0e47e0307c4accdce258ffc8d.exe	89
PID 3544 wrote to memory of 4516	3544	20a9caa0e47e0307c4accdce258ffc8d.exe	89
PID 4516 wrote to memory of 3984	4516	bedffhgjja.exe	92
PID 4516 wrote to memory of 3984	4516	bedffhgjja.exe	92
PID 4516 wrote to memory of 3984	4516	bedffhgjja.exe	92
PID 4516 wrote to memory of 1152	4516	bedffhgjja.exe	95
PID 4516 wrote to memory of 1152	4516	bedffhgjja.exe	95
PID 4516 wrote to memory of 1152	4516	bedffhgjja.exe	95
PID 4516 wrote to memory of 4908	4516	bedffhgjja.exe	97
PID 4516 wrote to memory of 4908	4516	bedffhgjja.exe	97
PID 4516 wrote to memory of 4908	4516	bedffhgjja.exe	97
PID 4516 wrote to memory of 1376	4516	bedffhgjja.exe	99
PID 4516 wrote to memory of 1376	4516	bedffhgjja.exe	99
PID 4516 wrote to memory of 1376	4516	bedffhgjja.exe	99
PID 4516 wrote to memory of 1384	4516	bedffhgjja.exe	101
PID 4516 wrote to memory of 1384	4516	bedffhgjja.exe	101
PID 4516 wrote to memory of 1384	4516	bedffhgjja.exe	101

C:\Users\Admin\AppData\Local\Temp\20a9caa0e47e0307c4accdce258ffc8d.exe
"C:\Users\Admin\AppData\Local\Temp\20a9caa0e47e0307c4accdce258ffc8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe
  C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe 3,9,4,6,8,7,6,6,4,9,7 LEdFPjUrLCwtMBksSlE8SEI+NywXKEs8UFFHS0VDQDQqHSZAQ0tNQz45KTE2Ky8aJzxDPjknGSxHTkk8Tj1OW0A9Oik0LCkyGilPPEtTPE5ZTUtGN2RrbW0xKylra3AoQDxMSCRQSUgmO0pMJUJLPUsaJzxGQz9CQkE0HCk8KjcnLRcoQSk5JykZKT4vNCYuFys+LDYnKxwmPTI0KSsYKEpMSztOQEtbSkpCUDs/UDYdJkxMRz1PPVBWPlJDPTcYKEpMSztOQEtbSDlGPzc9TUBcRz9ZTG5oX1FnWC8nLS9XTF9ucWcZLDxUP1dOTEY5R2tsW3FdbFhPTEglcXVvHCk9UT9ZP0Q9SUBKPzUZKUJLSk1cOU5JT0w/TDkoGSxLRDtGRFNJUVZOT0M5GidPRzcuFyhBSi03GChMT0pLQko8W1E9RT1JSTxCSjhDP01LRjccJkJQVk5PRk1DR0E0bW9sYRonSz9OUUlHRkVDWU1MP0xbOzpWSjksGChCQ0A8UTooHClBTFk+VUU6SkA/WT1HPUxVR01COzlgWWVtXxwmPUxOSkZHOj5ZRUc2NioqKzAqKDAsJSoyFytOQUY/Ny0rLDIsNCwsKjEaKztIVEVISTk9WU5FRD46LSssMSgsKi0sIy4pNi8rMy0xJkdG
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756300.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756300.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756300.txt bios get version
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756300.txt bios get version
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703756300.txt bios get version
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 896
    3⤵
    - Program crash
    PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4516 -ip 4516
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703756300.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703756300.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703756300.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedffhgjja.exe

Filesize
837KB

MD5
59b022d8f4e92b9cef0fcab828fc7082

SHA1
0f6a874019452d88ab58cd4e17702a1fc36907a3

SHA256
3046746639c4dd8cf3b0c0b074f1b68386199d77a1d3ea23a9ee24ddb71646fb

SHA512
1affc6c571e40a2196a93d5c2fa760792182974d9dc4f6dc956996fd8c4e092b9ce1dc1eb94ca29cbd88a31529c24f3eebaad337072e6450908da5b634396290

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl13E2.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl13E2.tmp\ZipDLL.dll

Filesize
24KB

MD5
14222ab5e481f682d00fba13f538e8f6

SHA1
3725c52b8b4fb55aee476785bfd9c58eed3aa9fa

SHA256
85d07dd5b421f3b725a3bc73018cb48b35a936b30cb8a17d9f86adb92aeb6d33

SHA512
521ecd5a07b0af53ea569667bc5b45861b345635a963dd786891de318fa2a30979be1b6e019951ea594c596bb5368b7c48615714915f6e3c0ae723b5ae3b113e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl13E2.tmp\eynttqz.dll

Filesize
166KB

MD5
810438dd5bdc63518c90f5702033a51f

SHA1
2ebb336741c1427b5ae988d542efc48ca3fb05b2

SHA256
23da7fe20ea44d5aeedeb56283bfe1c64e3f139fef8de7534d193145ef1bdad9

SHA512
82c1458608444e2cbed7c96d8178f27da249a6aabc70840e51119a10726d51af979f606d02679d5a4937805adcc1c7356a28a71134cae5339f40a0f876ad47ba

Download Submit