211fd2c8b55e5e54803a31a896ec02be8e9069cd409ab23394269163c574c445

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 02:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ddfd1c0c9106b7ea7e2bc795f11aebd.exe
Size

648KB
MD5

4ddfd1c0c9106b7ea7e2bc795f11aebd
SHA1

d037679416515d183c43ab376b693821bad86e9a
SHA256

211fd2c8b55e5e54803a31a896ec02be8e9069cd409ab23394269163c574c445
SHA512

f9d62642c3705486b5652ee9998100b6fd23aa84f0a41d0862b54510fc815cc6f487f475b12fff7256d9244064032bd2d2fa9e2c8af33311651315168b62f9ba
SSDEEP

12288:uqQlkqusypbvVixhHQNMyTjApD4izvymAGtMa5cyUaBavn7UCnafc8vy4hl:uqjtsypbdVMyT0OiSUc4G386c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	bedhefifca.exe

Loads dropped DLL 11 IoCs

pid	Process
1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe
1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe
1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe
1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	2204	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2760	wmic.exe
Token: SeSecurityPrivilege	2760	wmic.exe
Token: SeTakeOwnershipPrivilege	2760	wmic.exe
Token: SeLoadDriverPrivilege	2760	wmic.exe
Token: SeSystemProfilePrivilege	2760	wmic.exe
Token: SeSystemtimePrivilege	2760	wmic.exe
Token: SeProfSingleProcessPrivilege	2760	wmic.exe
Token: SeIncBasePriorityPrivilege	2760	wmic.exe
Token: SeCreatePagefilePrivilege	2760	wmic.exe
Token: SeBackupPrivilege	2760	wmic.exe
Token: SeRestorePrivilege	2760	wmic.exe
Token: SeShutdownPrivilege	2760	wmic.exe
Token: SeDebugPrivilege	2760	wmic.exe
Token: SeSystemEnvironmentPrivilege	2760	wmic.exe
Token: SeRemoteShutdownPrivilege	2760	wmic.exe
Token: SeUndockPrivilege	2760	wmic.exe
Token: SeManageVolumePrivilege	2760	wmic.exe
Token: 33	2760	wmic.exe
Token: 34	2760	wmic.exe
Token: 35	2760	wmic.exe
Token: SeIncreaseQuotaPrivilege	2920	wmic.exe
Token: SeSecurityPrivilege	2920	wmic.exe
Token: SeTakeOwnershipPrivilege	2920	wmic.exe
Token: SeLoadDriverPrivilege	2920	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2204	1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe	28
PID 1720 wrote to memory of 2204	1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe	28
PID 1720 wrote to memory of 2204	1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe	28
PID 1720 wrote to memory of 2204	1720	4ddfd1c0c9106b7ea7e2bc795f11aebd.exe	28
PID 2204 wrote to memory of 2844	2204	bedhefifca.exe	29
PID 2204 wrote to memory of 2844	2204	bedhefifca.exe	29
PID 2204 wrote to memory of 2844	2204	bedhefifca.exe	29
PID 2204 wrote to memory of 2844	2204	bedhefifca.exe	29
PID 2204 wrote to memory of 2760	2204	bedhefifca.exe	32
PID 2204 wrote to memory of 2760	2204	bedhefifca.exe	32
PID 2204 wrote to memory of 2760	2204	bedhefifca.exe	32
PID 2204 wrote to memory of 2760	2204	bedhefifca.exe	32
PID 2204 wrote to memory of 2920	2204	bedhefifca.exe	34
PID 2204 wrote to memory of 2920	2204	bedhefifca.exe	34
PID 2204 wrote to memory of 2920	2204	bedhefifca.exe	34
PID 2204 wrote to memory of 2920	2204	bedhefifca.exe	34
PID 2204 wrote to memory of 2732	2204	bedhefifca.exe	36
PID 2204 wrote to memory of 2732	2204	bedhefifca.exe	36
PID 2204 wrote to memory of 2732	2204	bedhefifca.exe	36
PID 2204 wrote to memory of 2732	2204	bedhefifca.exe	36
PID 2204 wrote to memory of 2556	2204	bedhefifca.exe	38
PID 2204 wrote to memory of 2556	2204	bedhefifca.exe	38
PID 2204 wrote to memory of 2556	2204	bedhefifca.exe	38
PID 2204 wrote to memory of 2556	2204	bedhefifca.exe	38
PID 2204 wrote to memory of 2608	2204	bedhefifca.exe	40
PID 2204 wrote to memory of 2608	2204	bedhefifca.exe	40
PID 2204 wrote to memory of 2608	2204	bedhefifca.exe	40
PID 2204 wrote to memory of 2608	2204	bedhefifca.exe	40

C:\Users\Admin\AppData\Local\Temp\4ddfd1c0c9106b7ea7e2bc795f11aebd.exe
"C:\Users\Admin\AppData\Local\Temp\4ddfd1c0c9106b7ea7e2bc795f11aebd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\bedhefifca.exe
  C:\Users\Admin\AppData\Local\Temp\bedhefifca.exe 4*6*6*1*3*5*8*9*9*1*9 K0pDQzosMSotMhcrTU9BTUQ8NCcfJko/TlZMTUNAOzwoISwqb29qXGxac2VdZ188T2BhZFhmXBwpPkhQT0E7NDEuMyssHyw+QTs0LxcrSkxOQVA7S1ZIOzksMDgxLhgmSkRJUj9MXlJNRDRfc2tsNCkucG1uJTtESkcnTk5NKDlHRy1ASkBJHyw+REA6SkBANxouQSw1JCgfJkAsNywuGyc7KjwkLRopQzE4JSgXLjsxNycwHSpISUZDTD9OWU9PRE44Olg0HClKUUw/TTpLXjxRRjs8HSpISUZDTD9OWU0+SD00Fy48VD9ZVE9HNRcmRE9BWT1MQUdBRTw8FytCSVJRWjpJRlZKQUw3NB0qTD84TUJVSU9eUk1ENBcuTUk3LB8sP0soNB8mTk9IU0ZIPVZOREM/SUdERkg5PjxUSUg3Gi5GTldJTE1LRUc/PHFtbVwXLklBTk9RS0RGPlZUSkFMWUM+VEs0KR8mREM+RFU4KRcmSEpbPlNNPkhBOlZERT9MU09RQDw0XWBjb18aLkFKT0VDTjhAWUNPOjQtJSg0MCorMjArMCsXJk84TjtGS0JHV0BFUks9RkY8Y1xkalwfJlBDR0Q6LCwqLjMuLSoqMB0qPEZOTUNLOz5eUURFPDQ2Ji4rKTEtLC0hMDkqLDQqMCc8RQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704204907.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704204907.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704204907.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704204907.txt bios get version
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704204907.txt bios get version
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704204907.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\bedhefifca.exe

Filesize
789KB

MD5
58c46d2a2c0bb8f3536d53b4b92b1381

SHA1
a63c692af8b6d14973bb3a2d33615ee7a5f79a35

SHA256
b9ecb02a23a08866896568f5240aa1bf32c8e7efa42bf3ce6cab4ad49b1ad0fb

SHA512
91b86542f10c208771a60230d2c0395aef65252a560f25e6445a7df78a5689233e0af55820bd8e6c6776fa23f97276e6caf93f63d787e8c5564d72aebae67362

Download Submit
\Users\Admin\AppData\Local\Temp\nsj95FA.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsj95FA.tmp\avdhmtb.dll

Filesize
170KB

MD5
ef0bc3f40213605e1782dac17bb99c72

SHA1
b41c0855e721fdb31fc06486c8f6e3a6663da301

SHA256
a4036d8101263e9016a3bd2035d36db92d7e368cb0394531ef5cddc5193c47ff

SHA512
7bc20ce73d0db06de7f390cf6b757763b4ce27f8aaee71285e8b9590d62d1b281d996bbddbee5c493f23183384020a4804d4cdbfd11bc2fd45b9add282cfdafc

Download Submit