229a60d8f80ea98b04b9d2df04b1b01f1df236d38f2123ad800b5bc77c79b97f

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b3be28e033e5d9a33c455f74ccd0b4d.exe
Size

744KB
MD5

4b3be28e033e5d9a33c455f74ccd0b4d
SHA1

05b07221bac2a18a149e235342eb7ed34393e475
SHA256

229a60d8f80ea98b04b9d2df04b1b01f1df236d38f2123ad800b5bc77c79b97f
SHA512

0de8935eff78d7fed07d50b141d586d629a494632ebefb7e13ce236c435312f1c59179a457fbcdeb652a4e6d61dd7c02a9467c9c908f309ed25607061b2267d7
SSDEEP

12288:bsT9IUVzaoahymzBe2Bb85G+43RKYuFFbREEsWbnXrg6mjTAzr8O03GVs4sqtFa8:bhUVtiBZ85G+4hKTFT2unIcaN4Rh86d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
684	bedcjhgejb.exe

Loads dropped DLL 2 IoCs

pid	Process
3724	4b3be28e033e5d9a33c455f74ccd0b4d.exe
3724	4b3be28e033e5d9a33c455f74ccd0b4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3336	684	WerFault.exe	22

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2256	wmic.exe
Token: SeSecurityPrivilege	2256	wmic.exe
Token: SeTakeOwnershipPrivilege	2256	wmic.exe
Token: SeLoadDriverPrivilege	2256	wmic.exe
Token: SeSystemProfilePrivilege	2256	wmic.exe
Token: SeSystemtimePrivilege	2256	wmic.exe
Token: SeProfSingleProcessPrivilege	2256	wmic.exe
Token: SeIncBasePriorityPrivilege	2256	wmic.exe
Token: SeCreatePagefilePrivilege	2256	wmic.exe
Token: SeBackupPrivilege	2256	wmic.exe
Token: SeRestorePrivilege	2256	wmic.exe
Token: SeShutdownPrivilege	2256	wmic.exe
Token: SeDebugPrivilege	2256	wmic.exe
Token: SeSystemEnvironmentPrivilege	2256	wmic.exe
Token: SeRemoteShutdownPrivilege	2256	wmic.exe
Token: SeUndockPrivilege	2256	wmic.exe
Token: SeManageVolumePrivilege	2256	wmic.exe
Token: 33	2256	wmic.exe
Token: 34	2256	wmic.exe
Token: 35	2256	wmic.exe
Token: 36	2256	wmic.exe
Token: SeIncreaseQuotaPrivilege	2256	wmic.exe
Token: SeSecurityPrivilege	2256	wmic.exe
Token: SeTakeOwnershipPrivilege	2256	wmic.exe
Token: SeLoadDriverPrivilege	2256	wmic.exe
Token: SeSystemProfilePrivilege	2256	wmic.exe
Token: SeSystemtimePrivilege	2256	wmic.exe
Token: SeProfSingleProcessPrivilege	2256	wmic.exe
Token: SeIncBasePriorityPrivilege	2256	wmic.exe
Token: SeCreatePagefilePrivilege	2256	wmic.exe
Token: SeBackupPrivilege	2256	wmic.exe
Token: SeRestorePrivilege	2256	wmic.exe
Token: SeShutdownPrivilege	2256	wmic.exe
Token: SeDebugPrivilege	2256	wmic.exe
Token: SeSystemEnvironmentPrivilege	2256	wmic.exe
Token: SeRemoteShutdownPrivilege	2256	wmic.exe
Token: SeUndockPrivilege	2256	wmic.exe
Token: SeManageVolumePrivilege	2256	wmic.exe
Token: 33	2256	wmic.exe
Token: 34	2256	wmic.exe
Token: 35	2256	wmic.exe
Token: 36	2256	wmic.exe
Token: SeIncreaseQuotaPrivilege	1744	wmic.exe
Token: SeSecurityPrivilege	1744	wmic.exe
Token: SeTakeOwnershipPrivilege	1744	wmic.exe
Token: SeLoadDriverPrivilege	1744	wmic.exe
Token: SeSystemProfilePrivilege	1744	wmic.exe
Token: SeSystemtimePrivilege	1744	wmic.exe
Token: SeProfSingleProcessPrivilege	1744	wmic.exe
Token: SeIncBasePriorityPrivilege	1744	wmic.exe
Token: SeCreatePagefilePrivilege	1744	wmic.exe
Token: SeBackupPrivilege	1744	wmic.exe
Token: SeRestorePrivilege	1744	wmic.exe
Token: SeShutdownPrivilege	1744	wmic.exe
Token: SeDebugPrivilege	1744	wmic.exe
Token: SeSystemEnvironmentPrivilege	1744	wmic.exe
Token: SeRemoteShutdownPrivilege	1744	wmic.exe
Token: SeUndockPrivilege	1744	wmic.exe
Token: SeManageVolumePrivilege	1744	wmic.exe
Token: 33	1744	wmic.exe
Token: 34	1744	wmic.exe
Token: 35	1744	wmic.exe
Token: 36	1744	wmic.exe
Token: SeIncreaseQuotaPrivilege	1744	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 684	3724	4b3be28e033e5d9a33c455f74ccd0b4d.exe	22
PID 3724 wrote to memory of 684	3724	4b3be28e033e5d9a33c455f74ccd0b4d.exe	22
PID 3724 wrote to memory of 684	3724	4b3be28e033e5d9a33c455f74ccd0b4d.exe	22
PID 684 wrote to memory of 2256	684	bedcjhgejb.exe	24
PID 684 wrote to memory of 2256	684	bedcjhgejb.exe	24
PID 684 wrote to memory of 2256	684	bedcjhgejb.exe	24
PID 684 wrote to memory of 1744	684	bedcjhgejb.exe	39
PID 684 wrote to memory of 1744	684	bedcjhgejb.exe	39
PID 684 wrote to memory of 1744	684	bedcjhgejb.exe	39
PID 684 wrote to memory of 4600	684	bedcjhgejb.exe	38
PID 684 wrote to memory of 4600	684	bedcjhgejb.exe	38
PID 684 wrote to memory of 4600	684	bedcjhgejb.exe	38
PID 684 wrote to memory of 1580	684	bedcjhgejb.exe	37
PID 684 wrote to memory of 1580	684	bedcjhgejb.exe	37
PID 684 wrote to memory of 1580	684	bedcjhgejb.exe	37
PID 684 wrote to memory of 1724	684	bedcjhgejb.exe	36
PID 684 wrote to memory of 1724	684	bedcjhgejb.exe	36
PID 684 wrote to memory of 1724	684	bedcjhgejb.exe	36

C:\Users\Admin\AppData\Local\Temp\4b3be28e033e5d9a33c455f74ccd0b4d.exe
"C:\Users\Admin\AppData\Local\Temp\4b3be28e033e5d9a33c455f74ccd0b4d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\bedcjhgejb.exe
  C:\Users\Admin\AppData\Local\Temp\bedcjhgejb.exe 0)1)0)2)4)0)6)6)8)0)4 L09JQjk1MC8sICtTVEJORUQ3KhgvSkVTV01OS0M+NTEcL0NJUVBJPjcwNywxHy9BRUQ3KhgvTFJORFM/VFlDPD00MTcxHitTP0xORU5fVFJKOWhubmg6Ky9ycnQqRD9NQy1QT08tP0xQKENGRksgLkNKRUNFQzw9HC9DMTsuNSwqKDAsIC5EMDkxMxonRC89LDEeK0QuNyUxHC9DNTspMRopSFJLRFRDUltQTENOQT9ZPCAtTFJJPk1DUF9EVUo9PRopSFJLRFRDUltOO0c9PRwvRFhDW1VMRjUgK0VXRV0/TT5GQU5BPR8vRktTTlk6UktXUkVQOTUaKUxIPU5KWU1RX09MRD0cL1VNOy4gKT5LMTkgLlJTSlRDRz1fU0VLQ01JRUNHOUdBVVFMOxwvQ01XUlFOU0lLQT1ubG1lHC9RRVJRUkhDRkdbVVJFUFtEO1NLPS4gLkhHQEVSNykgK0lSX0JVTjtHQUNbRU1DUFVQTj88PWJha3NjHC8+SU9OSE9ARF1FUDcrKTgqNzAuMS4uKy8pICtUSE1DOTEuLSo5NDA1MzccLz5JT05IT0BEXVBJRz81NSszLy8wLDEvJCkwNjEvOjE1KjtH
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704194991.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 852
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704194991.txt bios get version
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704194991.txt bios get version
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704194991.txt bios get version
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704194991.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 684 -ip 684
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bedcjhgejb.exe

Filesize
2KB

MD5
5d2194c153384617f4ca6e315ed0682e

SHA1
47b2f224d2f7a8700aea5d1fa7a74b6ef5273ff7

SHA256
720f9d5b26ba16920a5ce3842a147e575716ce102af2b0183b5b00a37d8f8bcb

SHA512
be0f05397dddcf3899de364f5817f64975536d5ad6771934ad1f96b2f40f45b5b2b9a43845f1437727650852369e202188f944f910d0b25d4991a6e4d2784fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz518C.tmp\ZipDLL.dll

Filesize
92KB

MD5
411bb9971a3aa2923e60176c49c0e892

SHA1
97b00e65b22c877f29d82ae22f49a90b1e16eb67

SHA256
ef661aa6cbe0ab3e33e263a372e78db93b79386d2b08d08b0809a474b7b4f4b0

SHA512
0a2f9c5ec38d08a4bc48a0d1b78ab623d4aa10854287496ded4720035e5714a592d72967a870ab2efaa914e4f4875b57cc8652d89882e4e7194efcd3072e088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz518C.tmp\ewvnxvu.dll

Filesize
93KB

MD5
496cf738290c1a0db8dc94d671b1f9f9

SHA1
8d79136e22524f41bc5f5cf16666869fa5093393

SHA256
0fbbeb791432ec99c9bb52dcd10f0b9d000ae75151580590553e3febdd649078

SHA512
f5bddf3d927dac3cdf105d724def6c7b0db1fe6fadc6e2db67867925a6e03d267ddf850468d4499e34cad4b8cf81b8f3b885205760d40c3d35a0753c07921fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz518C.tmp\ewvnxvu.dll

Filesize
92KB

MD5
a5135958c80b1d1b8fa6567c713a92a3

SHA1
71b138310450323d4575cf30635724f6913c3848

SHA256
216afaaeff1f1ae967b20a845491e6fb2439a8c8c3335fbd56860034a0b86fee

SHA512
c5e169f8fc52407429ee0a16d074e5e5586438f4770711e8ee8a6c567e5b81f6dbecd8f46068c8d2ed2000b3a76cb5c14a6ec3a2e16f587e6200c9eaf876bdae

Download Submit