22d501c01624d0bea021790f2a1a5373ade3cf9ee4dbea8baa7579173a292e22

Analysis

max time kernel
148s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
Size

706KB
MD5

6cf0c3e7c5c0bf6e7ca0f92b3f5094e6
SHA1

f8fa739e84bc4afb08a9fce258863e455e7de36c
SHA256

22d501c01624d0bea021790f2a1a5373ade3cf9ee4dbea8baa7579173a292e22
SHA512

40c9aa208942e185a9c24b3273402cae40d33fd252d4f233d55d7cc333c3298d84a95bd31c06dd516f8a4d1b13877b0ce71265163c5bc4de0cf9e1498f4a2966
SSDEEP

12288:L/0gKFs6xfcQO4QtpnWLDeequklDAiIxSVn5lBqd1wGfc8vy4hb:LcgKqMfciQtNaDeeqblciIx8n5id108T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1348	bedhhjdddh.exe

Loads dropped DLL 2 IoCs

pid	Process
3556	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
3556	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	1348	WerFault.exe	90

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1800	wmic.exe
Token: SeSecurityPrivilege	1800	wmic.exe
Token: SeTakeOwnershipPrivilege	1800	wmic.exe
Token: SeLoadDriverPrivilege	1800	wmic.exe
Token: SeSystemProfilePrivilege	1800	wmic.exe
Token: SeSystemtimePrivilege	1800	wmic.exe
Token: SeProfSingleProcessPrivilege	1800	wmic.exe
Token: SeIncBasePriorityPrivilege	1800	wmic.exe
Token: SeCreatePagefilePrivilege	1800	wmic.exe
Token: SeBackupPrivilege	1800	wmic.exe
Token: SeRestorePrivilege	1800	wmic.exe
Token: SeShutdownPrivilege	1800	wmic.exe
Token: SeDebugPrivilege	1800	wmic.exe
Token: SeSystemEnvironmentPrivilege	1800	wmic.exe
Token: SeRemoteShutdownPrivilege	1800	wmic.exe
Token: SeUndockPrivilege	1800	wmic.exe
Token: SeManageVolumePrivilege	1800	wmic.exe
Token: 33	1800	wmic.exe
Token: 34	1800	wmic.exe
Token: 35	1800	wmic.exe
Token: 36	1800	wmic.exe
Token: SeIncreaseQuotaPrivilege	1800	wmic.exe
Token: SeSecurityPrivilege	1800	wmic.exe
Token: SeTakeOwnershipPrivilege	1800	wmic.exe
Token: SeLoadDriverPrivilege	1800	wmic.exe
Token: SeSystemProfilePrivilege	1800	wmic.exe
Token: SeSystemtimePrivilege	1800	wmic.exe
Token: SeProfSingleProcessPrivilege	1800	wmic.exe
Token: SeIncBasePriorityPrivilege	1800	wmic.exe
Token: SeCreatePagefilePrivilege	1800	wmic.exe
Token: SeBackupPrivilege	1800	wmic.exe
Token: SeRestorePrivilege	1800	wmic.exe
Token: SeShutdownPrivilege	1800	wmic.exe
Token: SeDebugPrivilege	1800	wmic.exe
Token: SeSystemEnvironmentPrivilege	1800	wmic.exe
Token: SeRemoteShutdownPrivilege	1800	wmic.exe
Token: SeUndockPrivilege	1800	wmic.exe
Token: SeManageVolumePrivilege	1800	wmic.exe
Token: 33	1800	wmic.exe
Token: 34	1800	wmic.exe
Token: 35	1800	wmic.exe
Token: 36	1800	wmic.exe
Token: SeIncreaseQuotaPrivilege	500	wmic.exe
Token: SeSecurityPrivilege	500	wmic.exe
Token: SeTakeOwnershipPrivilege	500	wmic.exe
Token: SeLoadDriverPrivilege	500	wmic.exe
Token: SeSystemProfilePrivilege	500	wmic.exe
Token: SeSystemtimePrivilege	500	wmic.exe
Token: SeProfSingleProcessPrivilege	500	wmic.exe
Token: SeIncBasePriorityPrivilege	500	wmic.exe
Token: SeCreatePagefilePrivilege	500	wmic.exe
Token: SeBackupPrivilege	500	wmic.exe
Token: SeRestorePrivilege	500	wmic.exe
Token: SeShutdownPrivilege	500	wmic.exe
Token: SeDebugPrivilege	500	wmic.exe
Token: SeSystemEnvironmentPrivilege	500	wmic.exe
Token: SeRemoteShutdownPrivilege	500	wmic.exe
Token: SeUndockPrivilege	500	wmic.exe
Token: SeManageVolumePrivilege	500	wmic.exe
Token: 33	500	wmic.exe
Token: 34	500	wmic.exe
Token: 35	500	wmic.exe
Token: 36	500	wmic.exe
Token: SeIncreaseQuotaPrivilege	500	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1348	3556	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	90
PID 3556 wrote to memory of 1348	3556	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	90
PID 3556 wrote to memory of 1348	3556	6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe	90
PID 1348 wrote to memory of 1800	1348	bedhhjdddh.exe	92
PID 1348 wrote to memory of 1800	1348	bedhhjdddh.exe	92
PID 1348 wrote to memory of 1800	1348	bedhhjdddh.exe	92
PID 1348 wrote to memory of 500	1348	bedhhjdddh.exe	95
PID 1348 wrote to memory of 500	1348	bedhhjdddh.exe	95
PID 1348 wrote to memory of 500	1348	bedhhjdddh.exe	95
PID 1348 wrote to memory of 3136	1348	bedhhjdddh.exe	97
PID 1348 wrote to memory of 3136	1348	bedhhjdddh.exe	97
PID 1348 wrote to memory of 3136	1348	bedhhjdddh.exe	97
PID 1348 wrote to memory of 2420	1348	bedhhjdddh.exe	99
PID 1348 wrote to memory of 2420	1348	bedhhjdddh.exe	99
PID 1348 wrote to memory of 2420	1348	bedhhjdddh.exe	99
PID 1348 wrote to memory of 1304	1348	bedhhjdddh.exe	101
PID 1348 wrote to memory of 1304	1348	bedhhjdddh.exe	101
PID 1348 wrote to memory of 1304	1348	bedhhjdddh.exe	101

C:\Users\Admin\AppData\Local\Temp\6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe
"C:\Users\Admin\AppData\Local\Temp\6cf0c3e7c5c0bf6e7ca0f92b3f5094e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe
  C:\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe 1)1)7)2)6)0)5)6)8)0)7 Lk9CQjcxNCssMRkuUk5ASkk/NyggKE1ETVVJUkZDPD0qHy49R01URD41Mi4xNTEeKUNEPjUwGS5PS00+VT5OV0k9PDEtMi0xGylLRUtVREtdT1JHN2B0bW85KC1tcnEoPEVMSixNTUotPEpILkJNRUgeKUNHQztLQkM8GS0+MTgnKSAoQzE2KysgKj4rPSYwHyhCLj0oKxgvPTQ8Ji8aL0tMR0ROQlNYTkxJUTs7WTYfLklQSURQPUxfPlRLOjsaL0tMR0ROQlNYTDtNQDcYLz5XRFhTTEw4GidFUURePEs+TERIPT0ZLkdIUU5fPUxHV0xEUTYuGi9PQjlORFhOTl1PUkc3GC9PTDwrHilETis1IChRVEdSQ01AWU9FRUJORkNDTTxBPVVLSzwZLUNTWkxNTk1ITD47bnJwXxgvS0RTTlBISUlBV1VMRFFYQjtZTjcqIChHSD1DUj0sGidJTF5DUkw7TUQ9V0VHQlFSTk5FPzdeYWVyZBktPk9SSERPOkNeQk43NDEoKTknMTAnLyo2GylIQUtAS0VDRl9ESEtUOktLNmRbbG5fGC9NSEw+Oys0LjEwMCkzODIeKURKUUZMSEBDWFJDTUA3Ly8rNC4rLis1JS8yMCo5MjIoO00=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546280.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546280.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:500
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546280.txt bios get version
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546280.txt bios get version
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704546280.txt bios get version
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 864
    3⤵
    - Program crash
    PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1348 -ip 1348
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704546280.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704546280.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704546280.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhhjdddh.exe

Filesize
1.1MB

MD5
73d642cffe809752ff760b08a32138bc

SHA1
cf639b2072d3781d9368c73fa32552004bcd6ad2

SHA256
2ff98e043c7abd6d501f3e020d7bf16426f1f230d34faf258f6029e1f0700eb0

SHA512
80c51a6b0d338356e1ec4475f931413f1e3132f9ce7b2072c534087b4051d4a5f6865d38f4da703b6f73724f5fdd8b238443c085f9edad266636be7420a33d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9DF6.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9DF6.tmp\khjayaz.dll

Filesize
126KB

MD5
657cccf5860731a4b415c61fd9dbc7d4

SHA1
fc8708638913092c237636b4f0b5e145daa5de59

SHA256
21f1fc7cc84f61bdd51ebfb124ffb379a683236cf050c617cda5d29adac936cf

SHA512
5a406fe3d5247e805ae488b9f32d839f4ca1b469b626b6c5f594639b3cdb0e8d82d65abf78fca0505a0a52ee981335660cae6c491447deaf6a6349966a7d871d

Download Submit