11c54cc60e0de653c55a2e88b52ef84963ef36ea5d41013601acfeffda230cfd

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d3cf02bca0a9fa774b644570e28dee.exe
Size

706KB
MD5

03d3cf02bca0a9fa774b644570e28dee
SHA1

438a76c74bd179c91ede53d2370656b1dea084dc
SHA256

11c54cc60e0de653c55a2e88b52ef84963ef36ea5d41013601acfeffda230cfd
SHA512

04a5b9101b8f7b311e8b1271fac317bfc366dffdd4adc8ba3ef49f16eab9620f18825e1086dcb6a148881b23bbd4e8d62ee9a81c0f61fe559b5f93ce921f36c9
SSDEEP

12288:wMrs/u2hrOejpg0UiyBuG1kvUr00+8UBKp2k2u8llbFoKFwe/bSfc8vy4hK:wBprny0G1Pu7dbFLtbf86J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	bedhhhbhdh.exe

Loads dropped DLL 2 IoCs

pid	Process
4412	03d3cf02bca0a9fa774b644570e28dee.exe
4412	03d3cf02bca0a9fa774b644570e28dee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3340	2068	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	908	wmic.exe
Token: SeSecurityPrivilege	908	wmic.exe
Token: SeTakeOwnershipPrivilege	908	wmic.exe
Token: SeLoadDriverPrivilege	908	wmic.exe
Token: SeSystemProfilePrivilege	908	wmic.exe
Token: SeSystemtimePrivilege	908	wmic.exe
Token: SeProfSingleProcessPrivilege	908	wmic.exe
Token: SeIncBasePriorityPrivilege	908	wmic.exe
Token: SeCreatePagefilePrivilege	908	wmic.exe
Token: SeBackupPrivilege	908	wmic.exe
Token: SeRestorePrivilege	908	wmic.exe
Token: SeShutdownPrivilege	908	wmic.exe
Token: SeDebugPrivilege	908	wmic.exe
Token: SeSystemEnvironmentPrivilege	908	wmic.exe
Token: SeRemoteShutdownPrivilege	908	wmic.exe
Token: SeUndockPrivilege	908	wmic.exe
Token: SeManageVolumePrivilege	908	wmic.exe
Token: 33	908	wmic.exe
Token: 34	908	wmic.exe
Token: 35	908	wmic.exe
Token: 36	908	wmic.exe
Token: SeIncreaseQuotaPrivilege	908	wmic.exe
Token: SeSecurityPrivilege	908	wmic.exe
Token: SeTakeOwnershipPrivilege	908	wmic.exe
Token: SeLoadDriverPrivilege	908	wmic.exe
Token: SeSystemProfilePrivilege	908	wmic.exe
Token: SeSystemtimePrivilege	908	wmic.exe
Token: SeProfSingleProcessPrivilege	908	wmic.exe
Token: SeIncBasePriorityPrivilege	908	wmic.exe
Token: SeCreatePagefilePrivilege	908	wmic.exe
Token: SeBackupPrivilege	908	wmic.exe
Token: SeRestorePrivilege	908	wmic.exe
Token: SeShutdownPrivilege	908	wmic.exe
Token: SeDebugPrivilege	908	wmic.exe
Token: SeSystemEnvironmentPrivilege	908	wmic.exe
Token: SeRemoteShutdownPrivilege	908	wmic.exe
Token: SeUndockPrivilege	908	wmic.exe
Token: SeManageVolumePrivilege	908	wmic.exe
Token: 33	908	wmic.exe
Token: 34	908	wmic.exe
Token: 35	908	wmic.exe
Token: 36	908	wmic.exe
Token: SeIncreaseQuotaPrivilege	4724	wmic.exe
Token: SeSecurityPrivilege	4724	wmic.exe
Token: SeTakeOwnershipPrivilege	4724	wmic.exe
Token: SeLoadDriverPrivilege	4724	wmic.exe
Token: SeSystemProfilePrivilege	4724	wmic.exe
Token: SeSystemtimePrivilege	4724	wmic.exe
Token: SeProfSingleProcessPrivilege	4724	wmic.exe
Token: SeIncBasePriorityPrivilege	4724	wmic.exe
Token: SeCreatePagefilePrivilege	4724	wmic.exe
Token: SeBackupPrivilege	4724	wmic.exe
Token: SeRestorePrivilege	4724	wmic.exe
Token: SeShutdownPrivilege	4724	wmic.exe
Token: SeDebugPrivilege	4724	wmic.exe
Token: SeSystemEnvironmentPrivilege	4724	wmic.exe
Token: SeRemoteShutdownPrivilege	4724	wmic.exe
Token: SeUndockPrivilege	4724	wmic.exe
Token: SeManageVolumePrivilege	4724	wmic.exe
Token: 33	4724	wmic.exe
Token: 34	4724	wmic.exe
Token: 35	4724	wmic.exe
Token: 36	4724	wmic.exe
Token: SeIncreaseQuotaPrivilege	4724	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2068	4412	03d3cf02bca0a9fa774b644570e28dee.exe	39
PID 4412 wrote to memory of 2068	4412	03d3cf02bca0a9fa774b644570e28dee.exe	39
PID 4412 wrote to memory of 2068	4412	03d3cf02bca0a9fa774b644570e28dee.exe	39
PID 2068 wrote to memory of 908	2068	bedhhhbhdh.exe	22
PID 2068 wrote to memory of 908	2068	bedhhhbhdh.exe	22
PID 2068 wrote to memory of 908	2068	bedhhhbhdh.exe	22
PID 2068 wrote to memory of 4724	2068	bedhhhbhdh.exe	38
PID 2068 wrote to memory of 4724	2068	bedhhhbhdh.exe	38
PID 2068 wrote to memory of 4724	2068	bedhhhbhdh.exe	38
PID 2068 wrote to memory of 464	2068	bedhhhbhdh.exe	37
PID 2068 wrote to memory of 464	2068	bedhhhbhdh.exe	37
PID 2068 wrote to memory of 464	2068	bedhhhbhdh.exe	37
PID 2068 wrote to memory of 4464	2068	bedhhhbhdh.exe	31
PID 2068 wrote to memory of 4464	2068	bedhhhbhdh.exe	31
PID 2068 wrote to memory of 4464	2068	bedhhhbhdh.exe	31
PID 2068 wrote to memory of 2232	2068	bedhhhbhdh.exe	36
PID 2068 wrote to memory of 2232	2068	bedhhhbhdh.exe	36
PID 2068 wrote to memory of 2232	2068	bedhhhbhdh.exe	36

C:\Users\Admin\AppData\Local\Temp\03d3cf02bca0a9fa774b644570e28dee.exe
"C:\Users\Admin\AppData\Local\Temp\03d3cf02bca0a9fa774b644570e28dee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe
  C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe 3|8|6|4|0|2|3|8|2|4|9 LEhDQD0vMCo0MRcsS08+UEdBNS4cJks9TlNPUEhBQjkoHSc+RVNSRjw7LS82LyocL0FGPDssFyxITEtEU0BMXUU7OikyLTI3HSdRQUlTPUxbVVBJNWZwa20yKStzcHMmQkFKSCVOS1ArPkhOKkBLPkkcL0FJQUFHQEE1GitELzoqMBwmQSo3KTEeLDwxOSQuGClANDsqKR4rOzI1Jy0gLU1KTUBMQExZTFJHUzlBVTQdJ0pOT0JSO1JbPFJEOzkgLU1KTUBMQExZSkFLQjVEXVpiWmlra05ea3FzZm9cQl1jaWJqVC4lLhgpQVhDXE1QSDQdJz9URV1ARUJIQEs9NxwvRkxLUls5T0dRT0VQOigeK0tFOUhHWU1SV1NOQzoYKVJNOy8YLUBKLjUaK1JTS0xHSTxcTz9IQ01KPUdJOEQ9T05MOx0nR09WT01IUElLQjVybmxiGClORVJSSkxFRURXT09FUFw8P1VKOioaK0hHQT1WOSgdJ0NPX0JWRj9JQEBXP0pDUFZIUkE7Ol5baHNjHSdCS05LREk9RF1GSDsxJTAxKDUzLC8oLxwmTTlMPUxKQkRdRUVQTDtITDtxanNhFyxMQ0lFOy4sMTMuNSowLzgeLDxNU0VJRztAX1JGRUM5LiwqLysyLi4tKC0pNygtNjU2JzlL
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2068

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908030.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908030.txt bios get version
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2068 -ip 2068
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 960
1⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908030.txt bios get version
1⤵
PID:2232

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908030.txt bios get version
1⤵
PID:464

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703908030.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703908030.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703908030.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703908030.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
157KB

MD5
eb35e144188bdc459b6a67b4c70bb929

SHA1
533c383c8009b951b8701b283bd4196b7fcc89c4

SHA256
cf5beb6517b0ec9ac94f3f46f34cafdb4b84316c76490aa5ad881626d814d9fa

SHA512
4493005406dcb34d561fc579b308c769b5e3a37ce0f51a46d14fb58a83412b12825d489258fbc58627f6487e043ea5f9e7f0f1538918b2af8b3c17c9610cc6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhhhbhdh.exe

Filesize
150KB

MD5
109d4152df00229d7793a0f9f0cf3080

SHA1
de4a0f2eff4c868496895e2cdec2d12e6430bf2c

SHA256
2204655f8ed28447334be54eb99589c05e12d0ae6edc234721b80005c53379c5

SHA512
e670337f9ebf5ff5775173b4e927cdc9382ab6c1ecacedbad1f7d23a9a03a9b9ff970e4adbd551c2deed0b37aebdeca746984d524cf5c579622bde5a33ac1df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E7F.tmp\ZipDLL.dll

Filesize
2KB

MD5
c9576104c41b451977eb081769a8d2f3

SHA1
b25394874a98b6d1bcdeda492c0d4f90d03685a5

SHA256
ad09d57221e35597352e7b7182248fd9c81477a13280378e9b0a2eae84a3f6db

SHA512
337f51a59da0272c50670b38a9eb7ac2fa79f0b2e7c3ba7eee566ad813cf4f44d965ec3c22f0cd1b3b4d141a6a6df414e75d506324e4179f7e28632a77cc58f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E7F.tmp\ZipDLL.dll

Filesize
21KB

MD5
75c4ca6a0d741f5f6b4dd3360dfbee6e

SHA1
77ba6a2a99852a4bc92011829a06c5a72878d7f3

SHA256
dd010e787be4d6f4c63030e99fe6cfb8803dafa4ebef13643a44ad8818f1125b

SHA512
9877377f8960a5afee94e40441c67ca192f42f4e0326d3d58a91593c7782390c04ce55954515be69066694cd20d8cd33b3b03dcee9af0237fb0b70f6982cb14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E7F.tmp\lwfjcty.dll

Filesize
126KB

MD5
a77085a022d4b6a27aa6b74357ebcea0

SHA1
f5b399f6c2ba1d68032b7151e3a78d9b777eacbc

SHA256
1a768313c24a1ff31304e27006c8a1b5cf26554b14a46f8117b2e7b83b9a621f

SHA512
54fade649409ed7f03aaa19b5de9cc65670e7e9b8c5933854a935500504ed0b15dc122179e343f4570f9811c46d3202001f69685290e02aa9ec55f14eeaab4fa

Download Submit