11c54cc60e0de653c55a2e88b52ef84963ef36ea5d41013601acfeffda230cfd

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d3cf02bca0a9fa774b644570e28dee.exe
Size

706KB
MD5

03d3cf02bca0a9fa774b644570e28dee
SHA1

438a76c74bd179c91ede53d2370656b1dea084dc
SHA256

11c54cc60e0de653c55a2e88b52ef84963ef36ea5d41013601acfeffda230cfd
SHA512

04a5b9101b8f7b311e8b1271fac317bfc366dffdd4adc8ba3ef49f16eab9620f18825e1086dcb6a148881b23bbd4e8d62ee9a81c0f61fe559b5f93ce921f36c9
SSDEEP

12288:wMrs/u2hrOejpg0UiyBuG1kvUr00+8UBKp2k2u8llbFoKFwe/bSfc8vy4hK:wBprny0G1Pu7dbFLtbf86J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	bedhhhbhdh.exe

Loads dropped DLL 11 IoCs

pid	Process
1672	03d3cf02bca0a9fa774b644570e28dee.exe
1672	03d3cf02bca0a9fa774b644570e28dee.exe
1672	03d3cf02bca0a9fa774b644570e28dee.exe
1672	03d3cf02bca0a9fa774b644570e28dee.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2740	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2896	wmic.exe
Token: SeSecurityPrivilege	2896	wmic.exe
Token: SeTakeOwnershipPrivilege	2896	wmic.exe
Token: SeLoadDriverPrivilege	2896	wmic.exe
Token: SeSystemProfilePrivilege	2896	wmic.exe
Token: SeSystemtimePrivilege	2896	wmic.exe
Token: SeProfSingleProcessPrivilege	2896	wmic.exe
Token: SeIncBasePriorityPrivilege	2896	wmic.exe
Token: SeCreatePagefilePrivilege	2896	wmic.exe
Token: SeBackupPrivilege	2896	wmic.exe
Token: SeRestorePrivilege	2896	wmic.exe
Token: SeShutdownPrivilege	2896	wmic.exe
Token: SeDebugPrivilege	2896	wmic.exe
Token: SeSystemEnvironmentPrivilege	2896	wmic.exe
Token: SeRemoteShutdownPrivilege	2896	wmic.exe
Token: SeUndockPrivilege	2896	wmic.exe
Token: SeManageVolumePrivilege	2896	wmic.exe
Token: 33	2896	wmic.exe
Token: 34	2896	wmic.exe
Token: 35	2896	wmic.exe
Token: SeIncreaseQuotaPrivilege	2896	wmic.exe
Token: SeSecurityPrivilege	2896	wmic.exe
Token: SeTakeOwnershipPrivilege	2896	wmic.exe
Token: SeLoadDriverPrivilege	2896	wmic.exe
Token: SeSystemProfilePrivilege	2896	wmic.exe
Token: SeSystemtimePrivilege	2896	wmic.exe
Token: SeProfSingleProcessPrivilege	2896	wmic.exe
Token: SeIncBasePriorityPrivilege	2896	wmic.exe
Token: SeCreatePagefilePrivilege	2896	wmic.exe
Token: SeBackupPrivilege	2896	wmic.exe
Token: SeRestorePrivilege	2896	wmic.exe
Token: SeShutdownPrivilege	2896	wmic.exe
Token: SeDebugPrivilege	2896	wmic.exe
Token: SeSystemEnvironmentPrivilege	2896	wmic.exe
Token: SeRemoteShutdownPrivilege	2896	wmic.exe
Token: SeUndockPrivilege	2896	wmic.exe
Token: SeManageVolumePrivilege	2896	wmic.exe
Token: 33	2896	wmic.exe
Token: 34	2896	wmic.exe
Token: 35	2896	wmic.exe
Token: SeIncreaseQuotaPrivilege	2824	wmic.exe
Token: SeSecurityPrivilege	2824	wmic.exe
Token: SeTakeOwnershipPrivilege	2824	wmic.exe
Token: SeLoadDriverPrivilege	2824	wmic.exe
Token: SeSystemProfilePrivilege	2824	wmic.exe
Token: SeSystemtimePrivilege	2824	wmic.exe
Token: SeProfSingleProcessPrivilege	2824	wmic.exe
Token: SeIncBasePriorityPrivilege	2824	wmic.exe
Token: SeCreatePagefilePrivilege	2824	wmic.exe
Token: SeBackupPrivilege	2824	wmic.exe
Token: SeRestorePrivilege	2824	wmic.exe
Token: SeShutdownPrivilege	2824	wmic.exe
Token: SeDebugPrivilege	2824	wmic.exe
Token: SeSystemEnvironmentPrivilege	2824	wmic.exe
Token: SeRemoteShutdownPrivilege	2824	wmic.exe
Token: SeUndockPrivilege	2824	wmic.exe
Token: SeManageVolumePrivilege	2824	wmic.exe
Token: 33	2824	wmic.exe
Token: 34	2824	wmic.exe
Token: 35	2824	wmic.exe
Token: SeIncreaseQuotaPrivilege	2548	wmic.exe
Token: SeSecurityPrivilege	2548	wmic.exe
Token: SeTakeOwnershipPrivilege	2548	wmic.exe
Token: SeLoadDriverPrivilege	2548	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2740	1672	03d3cf02bca0a9fa774b644570e28dee.exe	28
PID 1672 wrote to memory of 2740	1672	03d3cf02bca0a9fa774b644570e28dee.exe	28
PID 1672 wrote to memory of 2740	1672	03d3cf02bca0a9fa774b644570e28dee.exe	28
PID 1672 wrote to memory of 2740	1672	03d3cf02bca0a9fa774b644570e28dee.exe	28
PID 2740 wrote to memory of 2896	2740	bedhhhbhdh.exe	30
PID 2740 wrote to memory of 2896	2740	bedhhhbhdh.exe	30
PID 2740 wrote to memory of 2896	2740	bedhhhbhdh.exe	30
PID 2740 wrote to memory of 2896	2740	bedhhhbhdh.exe	30
PID 2740 wrote to memory of 2824	2740	bedhhhbhdh.exe	32
PID 2740 wrote to memory of 2824	2740	bedhhhbhdh.exe	32
PID 2740 wrote to memory of 2824	2740	bedhhhbhdh.exe	32
PID 2740 wrote to memory of 2824	2740	bedhhhbhdh.exe	32
PID 2740 wrote to memory of 2548	2740	bedhhhbhdh.exe	34
PID 2740 wrote to memory of 2548	2740	bedhhhbhdh.exe	34
PID 2740 wrote to memory of 2548	2740	bedhhhbhdh.exe	34
PID 2740 wrote to memory of 2548	2740	bedhhhbhdh.exe	34
PID 2740 wrote to memory of 2716	2740	bedhhhbhdh.exe	38
PID 2740 wrote to memory of 2716	2740	bedhhhbhdh.exe	38
PID 2740 wrote to memory of 2716	2740	bedhhhbhdh.exe	38
PID 2740 wrote to memory of 2716	2740	bedhhhbhdh.exe	38
PID 2740 wrote to memory of 2988	2740	bedhhhbhdh.exe	36
PID 2740 wrote to memory of 2988	2740	bedhhhbhdh.exe	36
PID 2740 wrote to memory of 2988	2740	bedhhhbhdh.exe	36
PID 2740 wrote to memory of 2988	2740	bedhhhbhdh.exe	36
PID 2740 wrote to memory of 2852	2740	bedhhhbhdh.exe	40
PID 2740 wrote to memory of 2852	2740	bedhhhbhdh.exe	40
PID 2740 wrote to memory of 2852	2740	bedhhhbhdh.exe	40
PID 2740 wrote to memory of 2852	2740	bedhhhbhdh.exe	40

C:\Users\Admin\AppData\Local\Temp\03d3cf02bca0a9fa774b644570e28dee.exe
"C:\Users\Admin\AppData\Local\Temp\03d3cf02bca0a9fa774b644570e28dee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe
  C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe 3|8|6|4|0|2|3|8|2|4|9 LEhDQD0vMCo0MRcsS08+UEdBNS4cJks9TlNPUEhBQjkoHSc+RVNSRjw7LS82LyocL0FGPDssFyxITEtEU0BMXUU7OikyLTI3HSdRQUlTPUxbVVBJNWZwa20yKStzcHMmQkFKSCVOS1ArPkhOKkBLPkkcL0FJQUFHQEE1GitELzoqMBwmQSo3KTEeLDwxOSQuGClANDsqKR4rOzI1Jy0gLU1KTUBMQExZTFJHUzlBVTQdJ0pOT0JSO1JbPFJEOzkgLU1KTUBMQExZSkFLQjVEXVpiWmlra05ea3FzZm9cQl1jaWJqVC4lLhgpQVhDXE1QSDQdJz9URV1ARUJIQEs9NxwvRkxLUls5T0dRT0VQOigeK0tFOUhHWU1SV1NOQzoYKVJNOy8YLUBKLjUaK1JTS0xHSTxcTz9IQ01KPUdJOEQ9T05MOx0nR09WT01IUElLQjVybmxiGClORVJSSkxFRURXT09FUFw8P1VKOioaK0hHQT1WOSgdJ0NPX0JWRj9JQEBXP0pDUFZIUkE7Ol5baHNjHSdCS05LREk9RF1GSDsxJTAxKDUzLC8oLxwmTTlMPUxKQkRdRUVQTDtITDtxanNhFyxMQ0lFOy4sMTMuNSowLzgeLDxNU0VJRztAX1JGRUM5LiwqLysyLi4tKC0pNygtNjU2JzlL
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908024.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908024.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908024.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908024.txt bios get version
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908024.txt bios get version
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703908024.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
179KB

MD5
ef6e1e296ea116572e8f17cb0a69e955

SHA1
7fcf24863e15d95bdffe8184a651dd3efecb4120

SHA256
3d2d83a59860f0903ddc2e689c146b9656c2e664b0296386f2e37fe24a52a050

SHA512
a21dfb3354cc0a31735c05e9e95db478fdee35276766e91e1a7f431931905c9a0fb5305d18e88f658a870d3fdbe206a0464c16d017fcde648a41e2d4a68fae38

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
217KB

MD5
03b8feec8679caf0dff482ba6aa20502

SHA1
4187f0e54c7def7bc135611fc39b7ae04b1b4862

SHA256
52074dc53ce6b41158136d970164712987233450809c59b6120b408d20c32286

SHA512
f8f893880e0a48cecf1240e6d0124910b96b49310f422b51b0947cf3c18020ff1f68c423bdf2560a7ae8441bfbf455e3812f2bc1c19bb2a0cbdcd37bbc4238cf

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
1024KB

MD5
4174bc4683049b4beebd81fbaf240bda

SHA1
0215e6c4be2db244e2912f64b13e546072db131a

SHA256
075568c0af58c1aba95efa7d07a0c9bae2ba9f9b685e9bd5bbd19bb7f25fed7b

SHA512
8b254cd46abe8dd07dcb5dac609d988fb9a5537b78e1eb69c97c23ca5900536051bffba247acb553e2b18611ce7a81590c71e42002c7f311ebaf8c9de6858f9e

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
397KB

MD5
40433d86e5d99590dccaab0b5de4c616

SHA1
4ad6ac0f85bd3192af75760d806354881bdad059

SHA256
43f91270f69806ccdd90441ffd471c7728b727cdbac0bbcadf2874a4ab6e73c9

SHA512
c36168f2080d3e9bbac7882c00e91a037dfcc67237657372598c1840eb41137788aacee8e29883a5414b57a967e8d1eb7690f010f44e93d7198819fce67992f1

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
163KB

MD5
1e0dc8533e4e20ece950adee3b5cf35c

SHA1
088d9093489b29bc7a587ee075d2812af76a8e84

SHA256
83806c97df262d7017307159b43bc40bc0403db7e625868b2855d7a63ff3722b

SHA512
10d0aaf9ba47ed4d7c2816498cbabf0119bc933c69d13e44465ac819e09fad04363e5f6251a4c2629a4223414730a2172d8589c0f6f429b1754b599ad3399110

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
341KB

MD5
b6a7cd82529ac697ca1ff3259b6ed276

SHA1
1ea4ff5d7cda67f3cd59785c3d34f603bf9c7c37

SHA256
58cd0a0ddd5ce51b0c38de82f3f280b089231381c4a26bbd831e3f56dd2c374f

SHA512
fc05abc10ffef44b4314d1c46ba76198753b808028c38c812f99565a952736e24a66bfa95cc5cfe6f0e544fc73500a606a959affe843b2a4a6ddad96dfcba758

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
398KB

MD5
01ce1f3adbf67c311236ab0c44e85f88

SHA1
c1460be5705d8085352ba0413ce7c0bf2b1c37fe

SHA256
73df8abcde0282d798c85db35526fb682b062700fbbf61146b5e6a123af517ac

SHA512
3489b0a61dc0281624bf900ba48c0ccaa7d9bb7ea6fb117e9530037befcfc5c9d9f3b03e0aee009a5b70f045136c16f40a386942db82c3f68e7d757008a3d48f

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
161KB

MD5
371ebf29e240546fa4ff99d8ba0ee140

SHA1
9be435253544a09f27d1f495d86c72cb47f2673f

SHA256
cba990f99aa02a0fe22071a9daad6af26a7b9366309fe5921320380ee9744648

SHA512
1d7e7665bc59dd904a7be731872b8fe618cd4d6ac1b4cfa933413c352b98ca39f91063e435fa452328aa09b854e15a9136f6a43363564b12d7bdc3d116d29b19

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
91KB

MD5
e009fcb060ce4c89420d174a5abe3193

SHA1
ea982f01250ff6e6da9e598deca616b981739b10

SHA256
f1736777397ab02ed5ae39be401f9ee18be59c7a3012fa21ecd6a8237eb10b34

SHA512
7304d82d0c9017a97132ca68cedecb073fa611bc35cff38a0b3e64c87d5273d65e6a536d6c353479bcc31e528de82e575b070fc6e0a577aa41edc8d5d16eede7

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
101KB

MD5
69f70ff042bc8e004a63398bd9a5a64f

SHA1
d45c5cfceb1d7804f3582cf38d80da3448fa7d46

SHA256
64bdfd4d3c5bf2584c28ad3231d942d4f656f08ab1bac36925bc5ecbbd7dd44b

SHA512
8fa04a379501fec964ed7dc458aff655d66b53dacf249f7ddaefbec079573af30b1105edf588088d7bc6384ccebaa00e0bd415e78a9ce9f8c55be245283946f4

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
101KB

MD5
ec596afad24062e85c4ae7209e8a80b4

SHA1
3999fb8f32be32c4318baa68d52f01ddb0f13439

SHA256
f0af5e91c09f4e878accd1ec4fa25b8901c903b14351663cd8575fed9a3d47e1

SHA512
f5e09eda6c8b4d0aa7b2e2cfff2123c8e7e51549609af7b3e7690523e8dc840b31f0dd1e670d511cce03e6f3312f7e3d542b5544da8e543af2035154667784e7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd916.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsd916.tmp\lwfjcty.dll

Filesize
126KB

MD5
a77085a022d4b6a27aa6b74357ebcea0

SHA1
f5b399f6c2ba1d68032b7151e3a78d9b777eacbc

SHA256
1a768313c24a1ff31304e27006c8a1b5cf26554b14a46f8117b2e7b83b9a621f

SHA512
54fade649409ed7f03aaa19b5de9cc65670e7e9b8c5933854a935500504ed0b15dc122179e343f4570f9811c46d3202001f69685290e02aa9ec55f14eeaab4fa

Download Submit