233be9731df9c1d6ef65bd984abf42d0ecaa64f47ad1adae2fd7ee97a6efeae6

Analysis

max time kernel
120s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e7a82849587b871cd282dd39acac74.exe
Size

645KB
MD5

49e7a82849587b871cd282dd39acac74
SHA1

fff180cc6bea335918555f8f79987eb498514209
SHA256

233be9731df9c1d6ef65bd984abf42d0ecaa64f47ad1adae2fd7ee97a6efeae6
SHA512

3f1d72b58f9b385b7673988d6d9d4be012f82cd1f16f64a3fa1e1b39e0633084d1478e6c41686ebb637c521b7b1ea3ed8f867d6fa4da88c2c5ef73fbb0287e87
SSDEEP

12288:gYKHA0LWl6UiGE2yqss2OQ2PWXtnjwvyPPC5JVAnZonfc8vy4hX:gfzWcUiGdDR2OfWXtnjwvzf+nZoE86A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	bedheghhic.exe

Loads dropped DLL 11 IoCs

pid	Process
2964	49e7a82849587b871cd282dd39acac74.exe
2964	49e7a82849587b871cd282dd39acac74.exe
2964	49e7a82849587b871cd282dd39acac74.exe
2964	49e7a82849587b871cd282dd39acac74.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	2796	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2688	wmic.exe
Token: SeSecurityPrivilege	2688	wmic.exe
Token: SeTakeOwnershipPrivilege	2688	wmic.exe
Token: SeLoadDriverPrivilege	2688	wmic.exe
Token: SeSystemProfilePrivilege	2688	wmic.exe
Token: SeSystemtimePrivilege	2688	wmic.exe
Token: SeProfSingleProcessPrivilege	2688	wmic.exe
Token: SeIncBasePriorityPrivilege	2688	wmic.exe
Token: SeCreatePagefilePrivilege	2688	wmic.exe
Token: SeBackupPrivilege	2688	wmic.exe
Token: SeRestorePrivilege	2688	wmic.exe
Token: SeShutdownPrivilege	2688	wmic.exe
Token: SeDebugPrivilege	2688	wmic.exe
Token: SeSystemEnvironmentPrivilege	2688	wmic.exe
Token: SeRemoteShutdownPrivilege	2688	wmic.exe
Token: SeUndockPrivilege	2688	wmic.exe
Token: SeManageVolumePrivilege	2688	wmic.exe
Token: 33	2688	wmic.exe
Token: 34	2688	wmic.exe
Token: 35	2688	wmic.exe
Token: SeIncreaseQuotaPrivilege	2688	wmic.exe
Token: SeSecurityPrivilege	2688	wmic.exe
Token: SeTakeOwnershipPrivilege	2688	wmic.exe
Token: SeLoadDriverPrivilege	2688	wmic.exe
Token: SeSystemProfilePrivilege	2688	wmic.exe
Token: SeSystemtimePrivilege	2688	wmic.exe
Token: SeProfSingleProcessPrivilege	2688	wmic.exe
Token: SeIncBasePriorityPrivilege	2688	wmic.exe
Token: SeCreatePagefilePrivilege	2688	wmic.exe
Token: SeBackupPrivilege	2688	wmic.exe
Token: SeRestorePrivilege	2688	wmic.exe
Token: SeShutdownPrivilege	2688	wmic.exe
Token: SeDebugPrivilege	2688	wmic.exe
Token: SeSystemEnvironmentPrivilege	2688	wmic.exe
Token: SeRemoteShutdownPrivilege	2688	wmic.exe
Token: SeUndockPrivilege	2688	wmic.exe
Token: SeManageVolumePrivilege	2688	wmic.exe
Token: 33	2688	wmic.exe
Token: 34	2688	wmic.exe
Token: 35	2688	wmic.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2796	2964	49e7a82849587b871cd282dd39acac74.exe	28
PID 2964 wrote to memory of 2796	2964	49e7a82849587b871cd282dd39acac74.exe	28
PID 2964 wrote to memory of 2796	2964	49e7a82849587b871cd282dd39acac74.exe	28
PID 2964 wrote to memory of 2796	2964	49e7a82849587b871cd282dd39acac74.exe	28
PID 2796 wrote to memory of 2688	2796	bedheghhic.exe	29
PID 2796 wrote to memory of 2688	2796	bedheghhic.exe	29
PID 2796 wrote to memory of 2688	2796	bedheghhic.exe	29
PID 2796 wrote to memory of 2688	2796	bedheghhic.exe	29
PID 2796 wrote to memory of 2736	2796	bedheghhic.exe	33
PID 2796 wrote to memory of 2736	2796	bedheghhic.exe	33
PID 2796 wrote to memory of 2736	2796	bedheghhic.exe	33
PID 2796 wrote to memory of 2736	2796	bedheghhic.exe	33
PID 2796 wrote to memory of 2580	2796	bedheghhic.exe	34
PID 2796 wrote to memory of 2580	2796	bedheghhic.exe	34
PID 2796 wrote to memory of 2580	2796	bedheghhic.exe	34
PID 2796 wrote to memory of 2580	2796	bedheghhic.exe	34
PID 2796 wrote to memory of 3048	2796	bedheghhic.exe	37
PID 2796 wrote to memory of 3048	2796	bedheghhic.exe	37
PID 2796 wrote to memory of 3048	2796	bedheghhic.exe	37
PID 2796 wrote to memory of 3048	2796	bedheghhic.exe	37
PID 2796 wrote to memory of 2512	2796	bedheghhic.exe	39
PID 2796 wrote to memory of 2512	2796	bedheghhic.exe	39
PID 2796 wrote to memory of 2512	2796	bedheghhic.exe	39
PID 2796 wrote to memory of 2512	2796	bedheghhic.exe	39
PID 2796 wrote to memory of 2396	2796	bedheghhic.exe	40
PID 2796 wrote to memory of 2396	2796	bedheghhic.exe	40
PID 2796 wrote to memory of 2396	2796	bedheghhic.exe	40
PID 2796 wrote to memory of 2396	2796	bedheghhic.exe	40

C:\Users\Admin\AppData\Local\Temp\49e7a82849587b871cd282dd39acac74.exe
"C:\Users\Admin\AppData\Local\Temp\49e7a82849587b871cd282dd39acac74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\bedheghhic.exe
  C:\Users\Admin\AppData\Local\Temp\bedheghhic.exe 3|8|5|3|5|7|9|4|5|6|2 LEhEQTgqMC8xLR4sS1A/S0I7OSsaLUs9T1RKS0JFPzcvIiorbW1oW3FebmxeZWA6TV5gaVxhYx0nP0ZOTUBAOCw1NCktHSo8QEA4Kh4sSE1MP046UFpDQjoqMTYvLBcrTj9QUz1NXFBLQzljbnJtMiosbmttKj8/UUglT0xLJjhMSyhHSz5KHSo8Q0U+RUdBNRssPyo0KSwaLUEqOCosGSZALjcrLhgqQS82JC0bKUIyNSguGyhHTko+U0BMWk1NQk09PlM7HSdLT0o9TD9PWUNSRDw6GyhHTko+U0BMWks8Rjw5GylDVT1aUk1FNBwqP1ZCVz5KP0VASkA3HixASlBPWDlOSlFRQko4MhsoS0Q8SElWR1BcUEtDORspVEo1LR0qPUotOBotT01JUURGPFtSP0pAR0hCREY4Q0BPUEk1GyxETFZOUEhSRkVAOm9rbGEbKVBCTFBPSUJFQ1pPUUJKWkE8Uko5LRotRUE/QlM2KBwqQ1FcPFRLPEZAP1o/TEBKVE1PPjs5YVtqcF0bLD9ITkpHST9BV0RNOCsoMykrMC8mLDAzJzAzGylOPko8SUc+Q1tESFFROUdJOF9YaG5fHixMREpANigwLjEyNSktMCsZJkBKUUxJRzxBWk1ASUA3NSwqLCwtKSgxJSswNyorNy4pIUxI
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704190619.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704190619.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704190619.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704190619.txt bios get version
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704190619.txt bios get version
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704190619.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
247KB

MD5
de2719ea77c43991d88c331caf06f88e

SHA1
51dbd2add630b65baeb423fd7d92b2fc981c65e4

SHA256
18199f6f1248098f19f39d63fc4c88018046c3dcef7dbf7d274d6fd81e61493a

SHA512
669a6a7555deb7ab8ebae18254f3c443f8edee9f16137946a78660164af2195da7a7fadb0a968a902958b067a3a1e05c03ed8c36cb45576cc8d2c23d7997e361

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
247KB

MD5
da9f1eea2279cf5a8a55a81916c93033

SHA1
0463df9daa41df6a6daa847aa3c4763a18ee523b

SHA256
12fc8b3bf201861610ecc905a7f07ae6bbf677e454b9e6cc63b8959437d43760

SHA512
1f8849d3648e3d84abc6945af75f98e5f18a433f1284a119c60bfcc3ab706304a3e50e46382c2a461d1a07e71bb3c6153d3b9f3c0043b868da7d8c482369ae6f

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
576KB

MD5
69a51581a666cfa7faba079e754332a7

SHA1
9ad20c7dae20f432eedbf7e1b0088d0fd67e2c53

SHA256
2b2cab4bd2240e80022b6efe7029d6394709073b2143645180a775473b8475d9

SHA512
4018bbbd8009a1b97e2616ff013c7a95ce0c78210283edd65f3e066489c9ddd6c0ceca4a37b227dfab2c79517a0743fcf1995d914b6d6fddea969818477cbb69

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
321KB

MD5
42c7c88eaf84f105b0f44b5a9be655d9

SHA1
20dc30d5afdd8978d191770ff191873a273ef846

SHA256
950f3322ae8d47172d307266b4e306fab5de7f282fdfd3d6ae9be02ac56379f1

SHA512
49d1ab5ddff46ed65ca9399f9666d8e2e5353207679eea0e4c81ac337162c3abdbe0bdd44b36ae35462bb17c125207e04c8fc449e9b453acf4fa75ded09c4984

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
109KB

MD5
2e2ad36a40a4a17a8e9ead8d8ba6c93a

SHA1
1726c7c56ba78df6c9ad166b10e7727d77418a73

SHA256
2458237fe5a448190cc90963c6022cc6d164a3d4deaa66c6cec3f8b421ffa7ca

SHA512
06bd32e729a897cc20abd3044942db8493c557dbde96610c64c166bd7e8578c204564af257c6c283dc54baa40766a4da5e77693a6b30c93ac9628af754cf7acc

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
139KB

MD5
4e104e2fbcc88f8338a9242dddd1e470

SHA1
42814f6b1861b73fc9e27bbb3294a281c75aca30

SHA256
a121303f2996058a87fb9a5a128adc3f82a15b1c94ac4bbae44d11933d6eaba9

SHA512
634b08e937d747d6e2c2eb8f3c616dd60183888ac3ff07bcac0a54ba4ce0491986a11e2399331b858dc0d1eac0cbfb7404bdfee9fc55c9e0fc90301bb011d7db

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
15KB

MD5
0c6c8bfe10af2caac9997c3291018616

SHA1
97c9d1582785ec33512bacac3b9b1a8f28446a5f

SHA256
3628d6e16762bf4e167414ee1ae4e0254a9f31d8c5dab52eb43755d1906f963a

SHA512
aa9ef1b532b2d135c269a012b0c3f83ae5d0f9d415428b118944972a179ed9483cdca7d295d522a388ad4f6c34bb2742a433e82f3de0226183301bb4c0606322

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
11KB

MD5
8c0a129a3abf7130753b890f92c024b5

SHA1
05979c5eecc2d1f341989f16e13fe8494ae0f245

SHA256
2629f1cf3d4f78c0591d6f652ac9f230a81bc428dd4d8bffa604078a51ee9f40

SHA512
1b0f240288d0695b755215cd6d0c62a2ef655ffc5644669bbb0fa5bb98634130b879a91a9cc7133383f380e730555f97235868be24ecf064ec5b1491fdc49e30

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
27B

MD5
0a7cb17b70e64dcf35ed3a1781067a4a

SHA1
4a6f41e71fde1bd78c13b38ffb2d5e43a3eccdb3

SHA256
92ef783a913fcdbcab8bf11da4d7abf97d815ded9e64296f8a97e2b083eeea60

SHA512
aeedb8accc627f885291461441805c5fffa8ee191f62a69ac960ce0ae7c1def354fbf0c36bb537e1d2d081780ec81526d10078bba3494ddcb15d593b912f4441

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
5KB

MD5
c5460a0fe772971c47b0552a3e6b6f05

SHA1
480f103398220f3fc6563cd30b1748f69c6efc71

SHA256
9358d0c851222cac9abaea3d243666ea390ba7d6109e28495578f4dd226cea99

SHA512
565a5df74999f366fba64e141ec1556e2e5831347ede9e1b7575927b4728276fc04b93c9c29bbb9cf902aa8c22ed6fea5f68ae516ddb9b3e2b2f93fbe625644f

Download Submit
\Users\Admin\AppData\Local\Temp\bedheghhic.exe

Filesize
158KB

MD5
b8c3723f0b69a8acd0f5472b11c4a854

SHA1
915cd36a792b9d98fb744a647fda4e2adc846ce2

SHA256
4f76b769cbc6aa1324869f8d4b188c92735dc3564287f56b01e6f2c0008f2324

SHA512
65bfb6a6fbf59d044e28197d7e0881f0a5e55cd63387772aecc356ce8a366fafc9ec2353a47ffb0c423c920efc85d47fdc602ddc4262c6aa9d29cd610d156334

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8CD6.tmp\ZipDLL.dll

Filesize
128KB

MD5
c129b5fc6ed23f033b53fb485dc15ab0

SHA1
146395d6b811993e3cf579ea363deb44e54e06d1

SHA256
b4982e8c4c0e1869122ede8d8023db7b444756c5be9f83f0e5549d8a665bacc1

SHA512
3cc9a6228062a942ad118523233ae0905146f653ef373af1b65df3565b86641b6397453215c653df77b2de0da23d36114a68d89a8e7ca2e129afd6c5cd6540b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8CD6.tmp\pmkxbno.dll

Filesize
170KB

MD5
0ffe8e17f407165a0115a355f5657e98

SHA1
8fa75731788f4de926b10d097b93cecf3b8722ae

SHA256
e9252f11ca2874d428c8b83adc5f5cd022b5d879cd033acd0441ce134839d3b5

SHA512
fbc4b05176078783f2f8edcb5872cfb7ca6e731cdc8a9e43aa9413e0a5e95681b2ba58da6e853aa33fc37cd22e85753a34d475614f76adbf636e29a109ca1d3f

Download Submit