215fc7bbb0233e556378a0bd514da9f9eaea0eb4c3407dd24ec3c4679bfce8bc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27797b4706e10d607915d578471dab11.exe
Size

709KB
MD5

27797b4706e10d607915d578471dab11
SHA1

604ee5115f0f1d201be6c8d2cfed883dfa4544a5
SHA256

215fc7bbb0233e556378a0bd514da9f9eaea0eb4c3407dd24ec3c4679bfce8bc
SHA512

3580bb837e493c432fd02280ea74e7400e5bcf0888923044e14ec5ef38c606aa9475ae1f536780b82affbef0098506aaaf3cd63067c13239a247aa1f2492a9bd
SSDEEP

12288:YCp1CfADamlyuuDb6WAqhhmj6woqGPk335oCZ1gcZkZLElfc8vy4hMB:YCp1iYfyqMQroqG6mN86LB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	bedhbiifeb.exe

Loads dropped DLL 11 IoCs

pid	Process
2216	27797b4706e10d607915d578471dab11.exe
2216	27797b4706e10d607915d578471dab11.exe
2216	27797b4706e10d607915d578471dab11.exe
2216	27797b4706e10d607915d578471dab11.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2924	2172	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe
Token: SeSystemProfilePrivilege	2556	wmic.exe
Token: SeSystemtimePrivilege	2556	wmic.exe
Token: SeProfSingleProcessPrivilege	2556	wmic.exe
Token: SeIncBasePriorityPrivilege	2556	wmic.exe
Token: SeCreatePagefilePrivilege	2556	wmic.exe
Token: SeBackupPrivilege	2556	wmic.exe
Token: SeRestorePrivilege	2556	wmic.exe
Token: SeShutdownPrivilege	2556	wmic.exe
Token: SeDebugPrivilege	2556	wmic.exe
Token: SeSystemEnvironmentPrivilege	2556	wmic.exe
Token: SeRemoteShutdownPrivilege	2556	wmic.exe
Token: SeUndockPrivilege	2556	wmic.exe
Token: SeManageVolumePrivilege	2556	wmic.exe
Token: 33	2556	wmic.exe
Token: 34	2556	wmic.exe
Token: 35	2556	wmic.exe
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe
Token: SeSystemProfilePrivilege	2556	wmic.exe
Token: SeSystemtimePrivilege	2556	wmic.exe
Token: SeProfSingleProcessPrivilege	2556	wmic.exe
Token: SeIncBasePriorityPrivilege	2556	wmic.exe
Token: SeCreatePagefilePrivilege	2556	wmic.exe
Token: SeBackupPrivilege	2556	wmic.exe
Token: SeRestorePrivilege	2556	wmic.exe
Token: SeShutdownPrivilege	2556	wmic.exe
Token: SeDebugPrivilege	2556	wmic.exe
Token: SeSystemEnvironmentPrivilege	2556	wmic.exe
Token: SeRemoteShutdownPrivilege	2556	wmic.exe
Token: SeUndockPrivilege	2556	wmic.exe
Token: SeManageVolumePrivilege	2556	wmic.exe
Token: 33	2556	wmic.exe
Token: 34	2556	wmic.exe
Token: 35	2556	wmic.exe
Token: SeIncreaseQuotaPrivilege	3024	wmic.exe
Token: SeSecurityPrivilege	3024	wmic.exe
Token: SeTakeOwnershipPrivilege	3024	wmic.exe
Token: SeLoadDriverPrivilege	3024	wmic.exe
Token: SeSystemProfilePrivilege	3024	wmic.exe
Token: SeSystemtimePrivilege	3024	wmic.exe
Token: SeProfSingleProcessPrivilege	3024	wmic.exe
Token: SeIncBasePriorityPrivilege	3024	wmic.exe
Token: SeCreatePagefilePrivilege	3024	wmic.exe
Token: SeBackupPrivilege	3024	wmic.exe
Token: SeRestorePrivilege	3024	wmic.exe
Token: SeShutdownPrivilege	3024	wmic.exe
Token: SeDebugPrivilege	3024	wmic.exe
Token: SeSystemEnvironmentPrivilege	3024	wmic.exe
Token: SeRemoteShutdownPrivilege	3024	wmic.exe
Token: SeUndockPrivilege	3024	wmic.exe
Token: SeManageVolumePrivilege	3024	wmic.exe
Token: 33	3024	wmic.exe
Token: 34	3024	wmic.exe
Token: 35	3024	wmic.exe
Token: SeIncreaseQuotaPrivilege	2712	wmic.exe
Token: SeSecurityPrivilege	2712	wmic.exe
Token: SeTakeOwnershipPrivilege	2712	wmic.exe
Token: SeLoadDriverPrivilege	2712	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2172	2216	27797b4706e10d607915d578471dab11.exe	27
PID 2216 wrote to memory of 2172	2216	27797b4706e10d607915d578471dab11.exe	27
PID 2216 wrote to memory of 2172	2216	27797b4706e10d607915d578471dab11.exe	27
PID 2216 wrote to memory of 2172	2216	27797b4706e10d607915d578471dab11.exe	27
PID 2172 wrote to memory of 2556	2172	bedhbiifeb.exe	26
PID 2172 wrote to memory of 2556	2172	bedhbiifeb.exe	26
PID 2172 wrote to memory of 2556	2172	bedhbiifeb.exe	26
PID 2172 wrote to memory of 2556	2172	bedhbiifeb.exe	26
PID 2172 wrote to memory of 3024	2172	bedhbiifeb.exe	25
PID 2172 wrote to memory of 3024	2172	bedhbiifeb.exe	25
PID 2172 wrote to memory of 3024	2172	bedhbiifeb.exe	25
PID 2172 wrote to memory of 3024	2172	bedhbiifeb.exe	25
PID 2172 wrote to memory of 2712	2172	bedhbiifeb.exe	24
PID 2172 wrote to memory of 2712	2172	bedhbiifeb.exe	24
PID 2172 wrote to memory of 2712	2172	bedhbiifeb.exe	24
PID 2172 wrote to memory of 2712	2172	bedhbiifeb.exe	24
PID 2172 wrote to memory of 2636	2172	bedhbiifeb.exe	22
PID 2172 wrote to memory of 2636	2172	bedhbiifeb.exe	22
PID 2172 wrote to memory of 2636	2172	bedhbiifeb.exe	22
PID 2172 wrote to memory of 2636	2172	bedhbiifeb.exe	22
PID 2172 wrote to memory of 2480	2172	bedhbiifeb.exe	21
PID 2172 wrote to memory of 2480	2172	bedhbiifeb.exe	21
PID 2172 wrote to memory of 2480	2172	bedhbiifeb.exe	21
PID 2172 wrote to memory of 2480	2172	bedhbiifeb.exe	21
PID 2172 wrote to memory of 2924	2172	bedhbiifeb.exe	20
PID 2172 wrote to memory of 2924	2172	bedhbiifeb.exe	20
PID 2172 wrote to memory of 2924	2172	bedhbiifeb.exe	20
PID 2172 wrote to memory of 2924	2172	bedhbiifeb.exe	20

C:\Users\Admin\AppData\Local\Temp\27797b4706e10d607915d578471dab11.exe
"C:\Users\Admin\AppData\Local\Temp\27797b4706e10d607915d578471dab11.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\bedhbiifeb.exe
  C:\Users\Admin\AppData\Local\Temp\bedhbiifeb.exe 9\5\4\8\0\1\7\7\1\2\8 JktFPD0wLi0zNBgmTlE6UEg9Ni8eJ0VAUE9PUURCQzspFypAQVNTQj08MCoqMDAYL0JCPTwuGCZLTkdEVDxNXkc8NC0tLTM1GShSQ0pNQE5XVVFFNmdybGc1KydzcW8nQ0NLQihQR1AsOklPLEFFQUsYL0JFQkJJQTs4HCdEMDYmMB4nOy05JTEfKD0yOyUoGys8NDwmKh8tPCw4KSkgLklLTkJNOk9bSFJITzpCVzUXKkxKT0NOPFNdPUxHPTUgLklLTkJNOk9bRkFMPjYfLT1PQFtNUks2GS5DUDxaP0VES0JHRDsYJkNLS1ReO0tOVUs8TTkpIC5NQUBMQ1BKUVdVUUU2Hy1ORDguGC9DTCo8HidJUEpMSUw+WFZDRDpKST1JTDpARFNKQzgcJ0lSWEtUTExASEE1dHFuXh8tSjxPUUpOSEdAXlNLPE1bPEFYTDYxHic/REA9WDwqGS5HS1Y/VUZBTEI8XkNGOk1VSFREPTZlX2RqYBwnRE5QR0tNOTtaRUg9NCknNy4mLCkuLDAfKElAUDlDR0FEX0hHTFM/REM4cGp1ZBkoU0dFPDgtLDM2KjI0MiotGys8T1ZHRU4/PFZPRUVFPDAoMDYnKSstLSozMy42OCgtJT1F
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2924

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703783376.txt bios get version
1⤵
PID:2480

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703783376.txt bios get version
1⤵
PID:2636

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703783376.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703783376.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703783376.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiE63.tmp\fqocvfo.dll

Filesize
92KB

MD5
878e2b4ecd31b99039e1960ef6446ce2

SHA1
490e00e889a308a96a30df53fb91c91b9df8c361

SHA256
7445688b0450c469c581e05fcaefa72d533b9713ec8ec36bb1f83d8d372e2d78

SHA512
e5c1362f719f41c9c6a8874c863cb413b4db2ddb492f395072f5afaa748b24bc1732f7c0de7d5f3637073a7ac4a8d9b5bb8610d644d912362f3e54b5eb2bcdd5

Download Submit