10b9879f3c5ff7f70d8fc4249da79de329cc69e0b7ccc0e97c4761e9723d9821

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f789357931b6a490dfa352a3747a4c1d.exe
Size

665KB
MD5

f789357931b6a490dfa352a3747a4c1d
SHA1

e4ebe8b08a03906c38aa093869f913ca7c2a3e38
SHA256

10b9879f3c5ff7f70d8fc4249da79de329cc69e0b7ccc0e97c4761e9723d9821
SHA512

f37e60a9bc593d3481ac0a722467fca143977a54dc586f02e177148081dfbedf67100e6b8ac2a0bab7ab0221342ddef366460f09b8cc16f035d4508c3a705747
SSDEEP

12288:4ZVJObUVJfcUnznsGauOyjILjVIEJzvUobm/LBVh5Gfc8vy4hX:4ZVJiKhXQLyjaBIEJzvhmzBjt86c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	bedfgaajca.exe

Loads dropped DLL 2 IoCs

pid	Process
5044	f789357931b6a490dfa352a3747a4c1d.exe
5044	f789357931b6a490dfa352a3747a4c1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2584	2356	WerFault.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3408	wmic.exe
Token: SeSecurityPrivilege	3408	wmic.exe
Token: SeTakeOwnershipPrivilege	3408	wmic.exe
Token: SeLoadDriverPrivilege	3408	wmic.exe
Token: SeSystemProfilePrivilege	3408	wmic.exe
Token: SeSystemtimePrivilege	3408	wmic.exe
Token: SeProfSingleProcessPrivilege	3408	wmic.exe
Token: SeIncBasePriorityPrivilege	3408	wmic.exe
Token: SeCreatePagefilePrivilege	3408	wmic.exe
Token: SeBackupPrivilege	3408	wmic.exe
Token: SeRestorePrivilege	3408	wmic.exe
Token: SeShutdownPrivilege	3408	wmic.exe
Token: SeDebugPrivilege	3408	wmic.exe
Token: SeSystemEnvironmentPrivilege	3408	wmic.exe
Token: SeRemoteShutdownPrivilege	3408	wmic.exe
Token: SeUndockPrivilege	3408	wmic.exe
Token: SeManageVolumePrivilege	3408	wmic.exe
Token: 33	3408	wmic.exe
Token: 34	3408	wmic.exe
Token: 35	3408	wmic.exe
Token: 36	3408	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2356	5044	f789357931b6a490dfa352a3747a4c1d.exe	37
PID 5044 wrote to memory of 2356	5044	f789357931b6a490dfa352a3747a4c1d.exe	37
PID 5044 wrote to memory of 2356	5044	f789357931b6a490dfa352a3747a4c1d.exe	37
PID 2356 wrote to memory of 3408	2356	bedfgaajca.exe	36
PID 2356 wrote to memory of 3408	2356	bedfgaajca.exe	36
PID 2356 wrote to memory of 3408	2356	bedfgaajca.exe	36

C:\Users\Admin\AppData\Local\Temp\f789357931b6a490dfa352a3747a4c1d.exe
"C:\Users\Admin\AppData\Local\Temp\f789357931b6a490dfa352a3747a4c1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\bedfgaajca.exe
  C:\Users\Admin\AppData\Local\Temp\bedfgaajca.exe 6|8|8|5|7|4|4|8|1|9|0 KUhBPzYtNSs1KiApS009SUVANS8XL0g9TFJITkdBQzQxHyooa2trYG1ia25bZV04S2FlZWBeZRonPERMUEU8PCk3MSkqGyg/RTw8JyApSEpKPVE/TF5ARDcqLjQtLxwnUjxSUD1KWk5OSDVna3RqMicqbG5yJkM8U0UlTEpJKT1ITyVJSD5HGyg/SEFCQkk+NRgqPS05JTAXLz4qNSgqHCs8MjQtKxgnPy05KSkfJkQvNSUsGStMSk47VT1MV0tLRVI5QlA9GidITUhAUTtTVkVPRDk4GStMSk47VT1MV0k6SUE1HyZFUj1XUEtIORguPFg/VztIPUhFRkQ0IClAR05NWz5KTk5TP0o1MBkrUEBARUtTR01aTk5INR8mVkc1KhsoQE8pPBcvTE1GT0JJQVdWPEw9R0VAQkk9P0RMUkY1GCpCT1tKVEVUQ0U9OG1ucV0fJlI/TE1NR0VKP15MUz9KVz86VU81MRcvQkE8QFE5LRguQFNZPFFJOklFO148Tj1KUUtNQUA1ZVhsbV0YKj1LU0ZLRkE+V0FLNi0zLi0rMygqLC4nLi4tHyZUQ0U9OCowLy01KDIuKi4bKEBLT01DTzs8V09CSUE1NSYyMycqKyoxJjE5KDM0LC4lSUk=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2356 -ip 2356
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 960
1⤵
- Program crash
PID:2584

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704283441.txt bios get version
1⤵
PID:5628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704283441.txt bios get version
1⤵
PID:2604

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704283441.txt bios get version
1⤵
PID:4208

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704283441.txt bios get version
1⤵
PID:2704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704283441.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsr4AB6.tmp\ftwjyfv.dll

Filesize
92KB

MD5
e41e9cf89179d9ef2069d70ff8d994ef

SHA1
66fb45cd5a4e76cceac136836f57188c7946cdf1

SHA256
7fd4010b4c351366b26504c1b60dc57ab0c89cf43cf39bf130d6f62fcc8a5922

SHA512
4dc242568a4c6097d6188cc3882ca592b02899470a62712a4b9104b24f4394750bc0dc322d1909d9de392cef72afa87fd0c761c8fdec9910cc00311530282525

Download Submit