203e913133a2a5ed772fb174022bbaed1083422f5a5a57c9a128cfe037b54062

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21670430db8b367994434c0cd43d7eb6.exe
Size

752KB
MD5

21670430db8b367994434c0cd43d7eb6
SHA1

37532ead43a92c440a7e5746e0e977bc3037d329
SHA256

203e913133a2a5ed772fb174022bbaed1083422f5a5a57c9a128cfe037b54062
SHA512

04deb195e2aa0ddf49efe3a4b90e07b704bf5a2bcfbd57c9e99f4350ae03d8f3e3625183a4cd3adb3db11dd7c2431acfaede696bd0465033c21f722ea0e563f1
SSDEEP

12288:OUNIUQuI8//HRvSxRa3XYTTf2ez8DNil9mRa59ESCXdmM+BKE6vKqQ71VBUEGjz7:OSIUQuT/H8xRa3oTTrGNyQaPt8oPKV5h

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	bedghiijca.exe

Loads dropped DLL 11 IoCs

pid	Process
1320	21670430db8b367994434c0cd43d7eb6.exe
1320	21670430db8b367994434c0cd43d7eb6.exe
1320	21670430db8b367994434c0cd43d7eb6.exe
1320	21670430db8b367994434c0cd43d7eb6.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	2484	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe
Token: SeManageVolumePrivilege	2884	wmic.exe
Token: 33	2884	wmic.exe
Token: 34	2884	wmic.exe
Token: 35	2884	wmic.exe
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe
Token: SeManageVolumePrivilege	2884	wmic.exe
Token: 33	2884	wmic.exe
Token: 34	2884	wmic.exe
Token: 35	2884	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	2924	wmic.exe
Token: SeSecurityPrivilege	2924	wmic.exe
Token: SeTakeOwnershipPrivilege	2924	wmic.exe
Token: SeLoadDriverPrivilege	2924	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2484	1320	21670430db8b367994434c0cd43d7eb6.exe	28
PID 1320 wrote to memory of 2484	1320	21670430db8b367994434c0cd43d7eb6.exe	28
PID 1320 wrote to memory of 2484	1320	21670430db8b367994434c0cd43d7eb6.exe	28
PID 1320 wrote to memory of 2484	1320	21670430db8b367994434c0cd43d7eb6.exe	28
PID 2484 wrote to memory of 2884	2484	bedghiijca.exe	30
PID 2484 wrote to memory of 2884	2484	bedghiijca.exe	30
PID 2484 wrote to memory of 2884	2484	bedghiijca.exe	30
PID 2484 wrote to memory of 2884	2484	bedghiijca.exe	30
PID 2484 wrote to memory of 2816	2484	bedghiijca.exe	33
PID 2484 wrote to memory of 2816	2484	bedghiijca.exe	33
PID 2484 wrote to memory of 2816	2484	bedghiijca.exe	33
PID 2484 wrote to memory of 2816	2484	bedghiijca.exe	33
PID 2484 wrote to memory of 2924	2484	bedghiijca.exe	40
PID 2484 wrote to memory of 2924	2484	bedghiijca.exe	40
PID 2484 wrote to memory of 2924	2484	bedghiijca.exe	40
PID 2484 wrote to memory of 2924	2484	bedghiijca.exe	40
PID 2484 wrote to memory of 2620	2484	bedghiijca.exe	35
PID 2484 wrote to memory of 2620	2484	bedghiijca.exe	35
PID 2484 wrote to memory of 2620	2484	bedghiijca.exe	35
PID 2484 wrote to memory of 2620	2484	bedghiijca.exe	35
PID 2484 wrote to memory of 2140	2484	bedghiijca.exe	37
PID 2484 wrote to memory of 2140	2484	bedghiijca.exe	37
PID 2484 wrote to memory of 2140	2484	bedghiijca.exe	37
PID 2484 wrote to memory of 2140	2484	bedghiijca.exe	37
PID 2484 wrote to memory of 2328	2484	bedghiijca.exe	38
PID 2484 wrote to memory of 2328	2484	bedghiijca.exe	38
PID 2484 wrote to memory of 2328	2484	bedghiijca.exe	38
PID 2484 wrote to memory of 2328	2484	bedghiijca.exe	38

C:\Users\Admin\AppData\Local\Temp\21670430db8b367994434c0cd43d7eb6.exe
"C:\Users\Admin\AppData\Local\Temp\21670430db8b367994434c0cd43d7eb6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\bedghiijca.exe
  C:\Users\Admin\AppData\Local\Temp\bedghiijca.exe 0*6*5*3*2*1*4*7*1*0*1 L0pEQTswNSw1Mx8vTVA/TkhANi8gLk4/T1RNUUdCQz0wJSwrbXBuYG5idG1hZ2A6UGRlZmBnZCApP0ZRU0U9PDI2NystHS1CRT08MB8vSk1MQlQ/TV5JQz0sMTYyMhwoUkVRVj9NXFNRSDZndHNwNCoscXFyJ0NFUksnT0xOLD1JTy5ITkBKHS1CSEJCS0hENxssQjA5JjAgLkQsOCovHys9Mj0sMRoqQTI8KSofL0M1NyguHi5MS05EVENOWk1QSFI6Qlk8IClLT01DUTxTX0RVRjw6Hi5MS05EVENOWks/TEE2Hy9EWD9aUlBLORkuRVdFWT5KQktFR0Q9Hy9CSlBSXj5LTldSRUw4Mh4uUEFATkpZSVBcU1FINh8vVU03LR0tQ08qPCAuUk9JUUdMQVhWRUtDSUhCR0w9QERVUUw3GyxHUltLVE5TSUdAOnJxcV4fL1FFTlBPTEhKQF5VUkVMWkE/WE82MSAuSEM/QlY8LRkuSVJfPlRLP0xFPF5FTUNMVE1SREA2ZWFrc18bLEJOU0dLT0BEWURNOzA0MS0yMzQoLjMsMTEqHy9PQUw8SUpESFhITlJUO0dJO2VdZXJlHy9OREpDPC0tMjY2OS0wMDEfKz1OV01MSTxBXVNFRkQ9Ni8rLiwwLy0uKTE5MTI1MjEpTEY=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703759130.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703759130.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703759130.txt bios get version
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703759130.txt bios get version
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2328
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703759130.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703759130.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedghiijca.exe

Filesize
1024KB

MD5
2386fda3f5c55165c0b698b3d85547d8

SHA1
f2218789609ea0db236388f7c7e229ec3163c9b7

SHA256
1b6f4c599372038cc151573c4622a7642d3e715af693e4acc98e3819714248f8

SHA512
d49bc20ec935390d4be2c83d32458cf5f43e862acbdd23d3488e9ffa74ec853bb2c47d46c8376bff2a8aa02c6a2d78d352618e6e9797d8f38f1923fa6f9ae63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedghiijca.exe

Filesize
384KB

MD5
13b6bc703c46418814814b50744a2484

SHA1
997b81da84e29993f725383ef06261a1ae729682

SHA256
8bb534e3aa0aad57b03ab92468b12076b16da518a848d8f89a74cf2a67a8d69f

SHA512
0daeb800c1b9ae9c703b9700c3ff738004f8b3a14f806aa2391db8bd3322be3b1c71ed4ab874430cc23f4a0d24ee51ee6596531ad95d9c71e00e63be7142618a

Download Submit
\Users\Admin\AppData\Local\Temp\bedghiijca.exe

Filesize
1.0MB

MD5
d5a92adbcb6d41643e060f4ce3c31df1

SHA1
d73666fbc40c717f7d86e05ee9e943f5de1d9d54

SHA256
06741a8d627796d5cb8379472412ae26b4aaabbda5b2568e34ce1e2e0acd958e

SHA512
5758f61270061769943cfa4c7bc473cb9368ac87260a0684aa7c33bdfcadf17280c2d75c00281eca059c3eb86fdd5e4bcc2c11ddf90939d15ccabd190e058c38

Download Submit
\Users\Admin\AppData\Local\Temp\nsd916.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsd916.tmp\cqzeykv.dll

Filesize
158KB

MD5
ffcf49e7274141b243935bc0ca953422

SHA1
91f0c6105ccec1b69a170a1f42e821aab0289616

SHA256
af2ba9f235a043ba80098170a92e5ae256c2768a563e04f24c58234738587b74

SHA512
e23248f7f6e4d6ffdfbfd3dfbf37cb673497b1b3418f4ba0923861f86b3eff6c82c055b8f29f618afe0bc66a51a07cadbf237196645be8b428b8192b48cb8f36

Download Submit