22d501c01624d0bea021790f2a1a5373ade3cf9ee4dbea8baa7579173a292e22

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
Size

706KB
MD5

6cf0c3e7c5c0bf6e7ca0f92b3f5094e6
SHA1

f8fa739e84bc4afb08a9fce258863e455e7de36c
SHA256

22d501c01624d0bea021790f2a1a5373ade3cf9ee4dbea8baa7579173a292e22
SHA512

40c9aa208942e185a9c24b3273402cae40d33fd252d4f233d55d7cc333c3298d84a95bd31c06dd516f8a4d1b13877b0ce71265163c5bc4de0cf9e1498f4a2966
SSDEEP

12288:L/0gKFs6xfcQO4QtpnWLDeequklDAiIxSVn5lBqd1wGfc8vy4hb:LcgKqMfciQtNaDeeqblciIx8n5id108T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	bedhhjdddh.exe

Loads dropped DLL 11 IoCs

pid	Process
2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2888	2912	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2804	wmic.exe
Token: SeSecurityPrivilege	2804	wmic.exe
Token: SeTakeOwnershipPrivilege	2804	wmic.exe
Token: SeLoadDriverPrivilege	2804	wmic.exe
Token: SeSystemProfilePrivilege	2804	wmic.exe
Token: SeSystemtimePrivilege	2804	wmic.exe
Token: SeProfSingleProcessPrivilege	2804	wmic.exe
Token: SeIncBasePriorityPrivilege	2804	wmic.exe
Token: SeCreatePagefilePrivilege	2804	wmic.exe
Token: SeBackupPrivilege	2804	wmic.exe
Token: SeRestorePrivilege	2804	wmic.exe
Token: SeShutdownPrivilege	2804	wmic.exe
Token: SeDebugPrivilege	2804	wmic.exe
Token: SeSystemEnvironmentPrivilege	2804	wmic.exe
Token: SeRemoteShutdownPrivilege	2804	wmic.exe
Token: SeUndockPrivilege	2804	wmic.exe
Token: SeManageVolumePrivilege	2804	wmic.exe
Token: 33	2804	wmic.exe
Token: 34	2804	wmic.exe
Token: 35	2804	wmic.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2912	2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	29
PID 2936 wrote to memory of 2912	2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	29
PID 2936 wrote to memory of 2912	2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	29
PID 2936 wrote to memory of 2912	2936	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	29
PID 2912 wrote to memory of 2524	2912	bedhhjdddh.exe	18
PID 2912 wrote to memory of 2524	2912	bedhhjdddh.exe	18
PID 2912 wrote to memory of 2524	2912	bedhhjdddh.exe	18
PID 2912 wrote to memory of 2524	2912	bedhhjdddh.exe	18
PID 2912 wrote to memory of 2804	2912	bedhhjdddh.exe	20
PID 2912 wrote to memory of 2804	2912	bedhhjdddh.exe	20
PID 2912 wrote to memory of 2804	2912	bedhhjdddh.exe	20
PID 2912 wrote to memory of 2804	2912	bedhhjdddh.exe	20
PID 2912 wrote to memory of 2460	2912	bedhhjdddh.exe	27
PID 2912 wrote to memory of 2460	2912	bedhhjdddh.exe	27
PID 2912 wrote to memory of 2460	2912	bedhhjdddh.exe	27
PID 2912 wrote to memory of 2460	2912	bedhhjdddh.exe	27
PID 2912 wrote to memory of 2544	2912	bedhhjdddh.exe	26
PID 2912 wrote to memory of 2544	2912	bedhhjdddh.exe	26
PID 2912 wrote to memory of 2544	2912	bedhhjdddh.exe	26
PID 2912 wrote to memory of 2544	2912	bedhhjdddh.exe	26
PID 2912 wrote to memory of 2452	2912	bedhhjdddh.exe	25
PID 2912 wrote to memory of 2452	2912	bedhhjdddh.exe	25
PID 2912 wrote to memory of 2452	2912	bedhhjdddh.exe	25
PID 2912 wrote to memory of 2452	2912	bedhhjdddh.exe	25
PID 2912 wrote to memory of 2888	2912	bedhhjdddh.exe	24
PID 2912 wrote to memory of 2888	2912	bedhhjdddh.exe	24
PID 2912 wrote to memory of 2888	2912	bedhhjdddh.exe	24
PID 2912 wrote to memory of 2888	2912	bedhhjdddh.exe	24

C:\Users\Admin\AppData\Local\Temp\6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
"C:\Users\Admin\AppData\Local\Temp\6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe
  C:\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe 1)1)7)2)6)0)5)6)8)0)7 Lk9CQjcxNCssMRkuUk5ASkk/NyggKE1ETVVJUkZDPD0qHy49R01URD41Mi4xNTEeKUNEPjUwGS5PS00+VT5OV0k9PDEtMi0xGylLRUtVREtdT1JHN2B0bW85KC1tcnEoPEVMSixNTUotPEpILkJNRUgeKUNHQztLQkM8GS0+MTgnKSAoQzE2KysgKj4rPSYwHyhCLj0oKxgvPTQ8Ji8aL0tMR0ROQlNYTkxJUTs7WTYfLklQSURQPUxfPlRLOjsaL0tMR0ROQlNYTDtNQDcYLz5XRFhTTEw4GidFUURePEs+TERIPT0ZLkdIUU5fPUxHV0xEUTYuGi9PQjlORFhOTl1PUkc3GC9PTDwrHilETis1IChRVEdSQ01AWU9FRUJORkNDTTxBPVVLSzwZLUNTWkxNTk1ITD47bnJwXxgvS0RTTlBISUlBV1VMRFFYQjtZTjcqIChHSD1DUj0sGidJTF5DUkw7TUQ9V0VHQlFSTk5FPzdeYWVyZBktPk9SSERPOkNeQk43NDEoKTknMTAnLyo2GylIQUtAS0VDRl9ESEtUOktLNmRbbG5fGC9NSEw+Oys0LjEwMCkzODIeKURKUUZMSEBDWFJDTUA3Ly8rNC4rLis1JS8yMCo5MjIoO00=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2912

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546250.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546250.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2888

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546250.txt bios get version
1⤵
PID:2452

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546250.txt bios get version
1⤵
PID:2544

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546250.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe

Filesize
894KB

MD5
86c308a1ff5dea7ab0693c3e60dc7ffc

SHA1
25fee7faeff913ff0c1230ac53b58a41a3edbdf9

SHA256
7cd234b64b27ad4ee89208aaf0560de35e9fc143e92b2cc0dae481250ed11d53

SHA512
6982616a5cb2c49510b007dbc6438a23cf073c224d8ea03dc48764ab69ab13de954176656b82b6e1e5bb1400834e78923fb8a1bd6015514daeeef64c2e243188

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst17C6.tmp\khjayaz.dll

Filesize
126KB

MD5
657cccf5860731a4b415c61fd9dbc7d4

SHA1
fc8708638913092c237636b4f0b5e145daa5de59

SHA256
21f1fc7cc84f61bdd51ebfb124ffb379a683236cf050c617cda5d29adac936cf

SHA512
5a406fe3d5247e805ae488b9f32d839f4ca1b469b626b6c5f594639b3cdb0e8d82d65abf78fca0505a0a52ee981335660cae6c491447deaf6a6349966a7d871d

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe

Filesize
1.1MB

MD5
73d642cffe809752ff760b08a32138bc

SHA1
cf639b2072d3781d9368c73fa32552004bcd6ad2

SHA256
2ff98e043c7abd6d501f3e020d7bf16426f1f230d34faf258f6029e1f0700eb0

SHA512
80c51a6b0d338356e1ec4475f931413f1e3132f9ce7b2072c534087b4051d4a5f6865d38f4da703b6f73724f5fdd8b238443c085f9edad266636be7420a33d2f

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe

Filesize
92KB

MD5
de70de32d44b2a53342a477e66a427fb

SHA1
db93b159383c8122cf257ddb367748e4675852ab

SHA256
88a2d3af943ee09b4a519adbb15402da9f5a9cc27a4fe97f82beac5b362b8248

SHA512
e5cb22c5cdc8eb20db3dc30908db7d0c4860d40f870b20a0b28dee883e2ceaa57097afa4cf3d5f1da2babe153a76a8f6d93c2a6bdc93a924ca30eb4dc996c5af

Download Submit
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\khjayaz.dll

Filesize
115KB

MD5
b0f50553b069cc23e4387b290ae1db27

SHA1
76ed3a0e86dec022590479a6bcc46986397fb039

SHA256
f0093b08d75b88578dee9b776c21c04444759ca7dd1370892d77a81a8dac69a5

SHA512
2dfc78890bac640b33f0f6a5f7e2ac6293b74789555209ce5e333771e89754c59fcde2e6c490eb53ad442ecbc1736d525fde385128912a297f288a8839810d98

Download Submit