8b00bbecc52caff3797ac005162bb62d94777c93fd09a6c3dee621754c2cfa1e

Analysis

max time kernel
117s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06bd1c63573a48a71310b959641d23bb.exe
Size

685KB
MD5

06bd1c63573a48a71310b959641d23bb
SHA1

fe02b7367cac1bfaee3d59fb0628219d007194a3
SHA256

8b00bbecc52caff3797ac005162bb62d94777c93fd09a6c3dee621754c2cfa1e
SHA512

8eed1a1fd94962fde1fcd3c3a0e8bc97ca9bd08f07f488d3eb0bdfe36405f1289d766aba77386b4fe61c004002df7339f9ca7aa50d6476bb6de135872e25ca3f
SSDEEP

12288:HT/Hi+J0ggApehPUVZ1Dh5Lqu7p9I+C2fw8K6B76G4KNfc8vy4hJ/:HrC+JNgINGCs248Kg4d86K/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	bedfiibheb.exe

Loads dropped DLL 11 IoCs

pid	Process
2520	06bd1c63573a48a71310b959641d23bb.exe
2520	06bd1c63573a48a71310b959641d23bb.exe
2520	06bd1c63573a48a71310b959641d23bb.exe
2520	06bd1c63573a48a71310b959641d23bb.exe
1240	WerFault.exe
1240	WerFault.exe
1240	WerFault.exe
1240	WerFault.exe
1240	WerFault.exe
1240	WerFault.exe
1240	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1240	2780	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2920	wmic.exe
Token: SeSecurityPrivilege	2920	wmic.exe
Token: SeTakeOwnershipPrivilege	2920	wmic.exe
Token: SeLoadDriverPrivilege	2920	wmic.exe
Token: SeSystemProfilePrivilege	2920	wmic.exe
Token: SeSystemtimePrivilege	2920	wmic.exe
Token: SeProfSingleProcessPrivilege	2920	wmic.exe
Token: SeIncBasePriorityPrivilege	2920	wmic.exe
Token: SeCreatePagefilePrivilege	2920	wmic.exe
Token: SeBackupPrivilege	2920	wmic.exe
Token: SeRestorePrivilege	2920	wmic.exe
Token: SeShutdownPrivilege	2920	wmic.exe
Token: SeDebugPrivilege	2920	wmic.exe
Token: SeSystemEnvironmentPrivilege	2920	wmic.exe
Token: SeRemoteShutdownPrivilege	2920	wmic.exe
Token: SeUndockPrivilege	2920	wmic.exe
Token: SeManageVolumePrivilege	2920	wmic.exe
Token: 33	2920	wmic.exe
Token: 34	2920	wmic.exe
Token: 35	2920	wmic.exe
Token: SeIncreaseQuotaPrivilege	2920	wmic.exe
Token: SeSecurityPrivilege	2920	wmic.exe
Token: SeTakeOwnershipPrivilege	2920	wmic.exe
Token: SeLoadDriverPrivilege	2920	wmic.exe
Token: SeSystemProfilePrivilege	2920	wmic.exe
Token: SeSystemtimePrivilege	2920	wmic.exe
Token: SeProfSingleProcessPrivilege	2920	wmic.exe
Token: SeIncBasePriorityPrivilege	2920	wmic.exe
Token: SeCreatePagefilePrivilege	2920	wmic.exe
Token: SeBackupPrivilege	2920	wmic.exe
Token: SeRestorePrivilege	2920	wmic.exe
Token: SeShutdownPrivilege	2920	wmic.exe
Token: SeDebugPrivilege	2920	wmic.exe
Token: SeSystemEnvironmentPrivilege	2920	wmic.exe
Token: SeRemoteShutdownPrivilege	2920	wmic.exe
Token: SeUndockPrivilege	2920	wmic.exe
Token: SeManageVolumePrivilege	2920	wmic.exe
Token: 33	2920	wmic.exe
Token: 34	2920	wmic.exe
Token: 35	2920	wmic.exe
Token: SeIncreaseQuotaPrivilege	2596	wmic.exe
Token: SeSecurityPrivilege	2596	wmic.exe
Token: SeTakeOwnershipPrivilege	2596	wmic.exe
Token: SeLoadDriverPrivilege	2596	wmic.exe
Token: SeSystemProfilePrivilege	2596	wmic.exe
Token: SeSystemtimePrivilege	2596	wmic.exe
Token: SeProfSingleProcessPrivilege	2596	wmic.exe
Token: SeIncBasePriorityPrivilege	2596	wmic.exe
Token: SeCreatePagefilePrivilege	2596	wmic.exe
Token: SeBackupPrivilege	2596	wmic.exe
Token: SeRestorePrivilege	2596	wmic.exe
Token: SeShutdownPrivilege	2596	wmic.exe
Token: SeDebugPrivilege	2596	wmic.exe
Token: SeSystemEnvironmentPrivilege	2596	wmic.exe
Token: SeRemoteShutdownPrivilege	2596	wmic.exe
Token: SeUndockPrivilege	2596	wmic.exe
Token: SeManageVolumePrivilege	2596	wmic.exe
Token: 33	2596	wmic.exe
Token: 34	2596	wmic.exe
Token: 35	2596	wmic.exe
Token: SeIncreaseQuotaPrivilege	2676	wmic.exe
Token: SeSecurityPrivilege	2676	wmic.exe
Token: SeTakeOwnershipPrivilege	2676	wmic.exe
Token: SeLoadDriverPrivilege	2676	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2780	2520	06bd1c63573a48a71310b959641d23bb.exe	28
PID 2520 wrote to memory of 2780	2520	06bd1c63573a48a71310b959641d23bb.exe	28
PID 2520 wrote to memory of 2780	2520	06bd1c63573a48a71310b959641d23bb.exe	28
PID 2520 wrote to memory of 2780	2520	06bd1c63573a48a71310b959641d23bb.exe	28
PID 2780 wrote to memory of 2920	2780	bedfiibheb.exe	29
PID 2780 wrote to memory of 2920	2780	bedfiibheb.exe	29
PID 2780 wrote to memory of 2920	2780	bedfiibheb.exe	29
PID 2780 wrote to memory of 2920	2780	bedfiibheb.exe	29
PID 2780 wrote to memory of 2596	2780	bedfiibheb.exe	32
PID 2780 wrote to memory of 2596	2780	bedfiibheb.exe	32
PID 2780 wrote to memory of 2596	2780	bedfiibheb.exe	32
PID 2780 wrote to memory of 2596	2780	bedfiibheb.exe	32
PID 2780 wrote to memory of 2676	2780	bedfiibheb.exe	34
PID 2780 wrote to memory of 2676	2780	bedfiibheb.exe	34
PID 2780 wrote to memory of 2676	2780	bedfiibheb.exe	34
PID 2780 wrote to memory of 2676	2780	bedfiibheb.exe	34
PID 2780 wrote to memory of 2180	2780	bedfiibheb.exe	36
PID 2780 wrote to memory of 2180	2780	bedfiibheb.exe	36
PID 2780 wrote to memory of 2180	2780	bedfiibheb.exe	36
PID 2780 wrote to memory of 2180	2780	bedfiibheb.exe	36
PID 2780 wrote to memory of 524	2780	bedfiibheb.exe	38
PID 2780 wrote to memory of 524	2780	bedfiibheb.exe	38
PID 2780 wrote to memory of 524	2780	bedfiibheb.exe	38
PID 2780 wrote to memory of 524	2780	bedfiibheb.exe	38
PID 2780 wrote to memory of 1240	2780	bedfiibheb.exe	40
PID 2780 wrote to memory of 1240	2780	bedfiibheb.exe	40
PID 2780 wrote to memory of 1240	2780	bedfiibheb.exe	40
PID 2780 wrote to memory of 1240	2780	bedfiibheb.exe	40

C:\Users\Admin\AppData\Local\Temp\06bd1c63573a48a71310b959641d23bb.exe
"C:\Users\Admin\AppData\Local\Temp\06bd1c63573a48a71310b959641d23bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe
  C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe 8#2#1#5#0#0#4#4#3#0#1 J05IPz0zLC4vIC5LU0FLSUQ5LB0vTT1SVkpSS0VAOjAfJ0JITlRJQDkvNzMrLh8qQ0lAOS0gLkhQTj9VQ1BbRkQ8KTQ4LyAvT0FPVkRKXVRNTD1kcHFwOSctcm12LkBBUEssTE1PKEFQTCpGTkVHHi4+TEk/R0ZEPG9QT0JCTD9MPzI4QVFAQ0swPU8+QkguNB8qRDE5KS4gLjwwPCgxICtAMD0sKR4uPzQ9KS0dL0MtOywsIC9MTkxEVDtSXktSSVI9QFk8GC1PTU9EUT9RX0RNSkA4IC9MTkxEVDtSXklBTUE5HS9EUENeUFJMORwsRVc9XUJIRExFSkI9HydGTk5UXz5OTFdSPVA8KyAvUEQ+TkpRTVRaVVJIOR0vVUU7MRsvRE8tOiAuSlNNT0lNQVtURUs7TUxASU09Q0JVUUQ7HypJU1tOUk5TQUtEOHRycWEdL1E9UlRNTklKQ1xVUj1QXj9BWU85LyAuQEdDQFg9LRwsSVJXQlhJQU1FP1xFTTtQWEtURUA5Y2Fra2MfKkRPU0pJT0A8XUhLPTItMisxMigsMDQyLi0sHS9POVBAR0xFSFtGTlJMP0tHPWZdaHBlHydSSEhFPS0wMDU3MTA1NDUgK0BMV01ETUA/X1RFSUI9NicxLi0wMTEmMDovLDg0MCpBSQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
    3⤵
    PID:524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703919842.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe

Filesize
906KB

MD5
5f9f9b69e702f2923ee043d01d8700a4

SHA1
24efbfa22795945e302e6ca2a49ab3838818a3b1

SHA256
d3a47aae351ad22b7728e643a9baf1a123350da7eb2d24ad0205c825a3dc73c9

SHA512
1a35e31715ad4af2cfd4c15e81bf3d2942d639ef6add6346023f89c1325b6f96d45ad8bd154cf82bee397dc71c8d238dd3c51543f474807076cd8ca065410aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB04D.tmp\guivgig.dll

Filesize
161KB

MD5
4512019defa05ddabaf404bb9198c0d5

SHA1
11766c8aab95eab088817bc092668649be343081

SHA256
9d9098ab22edbe4a14e9f879a1e348c480752b49db07d3856874e5f3c53c86c5

SHA512
8d073a81c2314abce508664f1df2f2f3a6a1f88685ed0074832e78a3793da144d068ad82535d9c9008fa73a0fc44d8f9e7fb63ede0bc04fd05bdf0fa42802948

Download Submit
\Users\Admin\AppData\Local\Temp\bedfiibheb.exe

Filesize
709KB

MD5
3efe74a67d57c2abbf6c5a8f289d6f81

SHA1
3852cb98ce6aebbba64af5c14dcfdf6ac5bd2ef6

SHA256
5f8210bb63dacd1bea3256130c70aa28e74cd9ae95c64c90cfe7e7f055bc1518

SHA512
2bec6df117c0af059373f87371be75fe62ee5624db9c19b5a8c4a7f9de5f1df5c9e592645f6125281d169605ad44c16edcb22e033a9c0d84c17e6e7762be78a3

Download Submit
\Users\Admin\AppData\Local\Temp\bedfiibheb.exe

Filesize
846KB

MD5
3d9ff81479d0fbba6e875637ce3bfc45

SHA1
09ed13661778a45b6d1ea6d5c6ce66824f234b57

SHA256
93bfad19c88449900e2bcdaa33d121180c9c8ef97b87746ffd78468ef0ae9fd8

SHA512
6b7a2a770612c87199e6263bdb306b3c0be8d47ba59c893889491b1ebd3a76f651ecc949a33ecb91d91d428ba8b37c34231db4202d36f51237c6fa1f928ebe6d

Download Submit
\Users\Admin\AppData\Local\Temp\bedfiibheb.exe

Filesize
699KB

MD5
f7c1ffc682cc26f0d47423822b5c20f8

SHA1
e3316117c055dab15f467004acbd40f8beb5214e

SHA256
e72356ffa95c5fbc60aa1bfdf0202b149db0ca0c361ec7b0d941a31f13eae836

SHA512
60fe6356c20bfbcd14254a19bc8b85377390d5d4dbe548c61964d2dbad694a2dee8af10b957c4eb7e47cc1208489bdd5ec914a1cf6600bad76ff4bb6875759c5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04D.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit