13c88d64c0cd659b2ad901af2499b2ea05c3f8853dd3c349a879e0b71cff2e79

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d31fafe4a113de8eebfcc7d4afa3e54.exe
Size

705KB
MD5

1d31fafe4a113de8eebfcc7d4afa3e54
SHA1

6e7e5e535565af965780442aa5ea3fc475b739c0
SHA256

13c88d64c0cd659b2ad901af2499b2ea05c3f8853dd3c349a879e0b71cff2e79
SHA512

7ecbce15660c46730fed8cd30d62c4ba74a6cdc7fcadf5a8cc78992de2a4574246a0d05c039b020f105169538c9d6bb8365d162652442751c44cd3f986dcc11b
SSDEEP

12288:p3BaaC/veqVd8LdSYc13fv3v42RcCaerrYq4Q5biEK0LNdcIfc8vy4hH:p3KGqP8LFc13fv37ae3YtObiEK0yt86g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	bedhhagjca.exe

Loads dropped DLL 11 IoCs

pid	Process
3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe
3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe
3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe
3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	2132	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2660	wmic.exe
Token: SeSecurityPrivilege	2660	wmic.exe
Token: SeTakeOwnershipPrivilege	2660	wmic.exe
Token: SeLoadDriverPrivilege	2660	wmic.exe
Token: SeSystemProfilePrivilege	2660	wmic.exe
Token: SeSystemtimePrivilege	2660	wmic.exe
Token: SeProfSingleProcessPrivilege	2660	wmic.exe
Token: SeIncBasePriorityPrivilege	2660	wmic.exe
Token: SeCreatePagefilePrivilege	2660	wmic.exe
Token: SeBackupPrivilege	2660	wmic.exe
Token: SeRestorePrivilege	2660	wmic.exe
Token: SeShutdownPrivilege	2660	wmic.exe
Token: SeDebugPrivilege	2660	wmic.exe
Token: SeSystemEnvironmentPrivilege	2660	wmic.exe
Token: SeRemoteShutdownPrivilege	2660	wmic.exe
Token: SeUndockPrivilege	2660	wmic.exe
Token: SeManageVolumePrivilege	2660	wmic.exe
Token: 33	2660	wmic.exe
Token: 34	2660	wmic.exe
Token: 35	2660	wmic.exe
Token: SeIncreaseQuotaPrivilege	2660	wmic.exe
Token: SeSecurityPrivilege	2660	wmic.exe
Token: SeTakeOwnershipPrivilege	2660	wmic.exe
Token: SeLoadDriverPrivilege	2660	wmic.exe
Token: SeSystemProfilePrivilege	2660	wmic.exe
Token: SeSystemtimePrivilege	2660	wmic.exe
Token: SeProfSingleProcessPrivilege	2660	wmic.exe
Token: SeIncBasePriorityPrivilege	2660	wmic.exe
Token: SeCreatePagefilePrivilege	2660	wmic.exe
Token: SeBackupPrivilege	2660	wmic.exe
Token: SeRestorePrivilege	2660	wmic.exe
Token: SeShutdownPrivilege	2660	wmic.exe
Token: SeDebugPrivilege	2660	wmic.exe
Token: SeSystemEnvironmentPrivilege	2660	wmic.exe
Token: SeRemoteShutdownPrivilege	2660	wmic.exe
Token: SeUndockPrivilege	2660	wmic.exe
Token: SeManageVolumePrivilege	2660	wmic.exe
Token: 33	2660	wmic.exe
Token: 34	2660	wmic.exe
Token: 35	2660	wmic.exe
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe
Token: SeIncreaseQuotaPrivilege	2840	wmic.exe
Token: SeSecurityPrivilege	2840	wmic.exe
Token: SeTakeOwnershipPrivilege	2840	wmic.exe
Token: SeLoadDriverPrivilege	2840	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2132	3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe	28
PID 3064 wrote to memory of 2132	3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe	28
PID 3064 wrote to memory of 2132	3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe	28
PID 3064 wrote to memory of 2132	3064	1d31fafe4a113de8eebfcc7d4afa3e54.exe	28
PID 2132 wrote to memory of 2660	2132	bedhhagjca.exe	29
PID 2132 wrote to memory of 2660	2132	bedhhagjca.exe	29
PID 2132 wrote to memory of 2660	2132	bedhhagjca.exe	29
PID 2132 wrote to memory of 2660	2132	bedhhagjca.exe	29
PID 2132 wrote to memory of 2128	2132	bedhhagjca.exe	32
PID 2132 wrote to memory of 2128	2132	bedhhagjca.exe	32
PID 2132 wrote to memory of 2128	2132	bedhhagjca.exe	32
PID 2132 wrote to memory of 2128	2132	bedhhagjca.exe	32
PID 2132 wrote to memory of 2840	2132	bedhhagjca.exe	34
PID 2132 wrote to memory of 2840	2132	bedhhagjca.exe	34
PID 2132 wrote to memory of 2840	2132	bedhhagjca.exe	34
PID 2132 wrote to memory of 2840	2132	bedhhagjca.exe	34
PID 2132 wrote to memory of 2824	2132	bedhhagjca.exe	36
PID 2132 wrote to memory of 2824	2132	bedhhagjca.exe	36
PID 2132 wrote to memory of 2824	2132	bedhhagjca.exe	36
PID 2132 wrote to memory of 2824	2132	bedhhagjca.exe	36
PID 2132 wrote to memory of 2544	2132	bedhhagjca.exe	38
PID 2132 wrote to memory of 2544	2132	bedhhagjca.exe	38
PID 2132 wrote to memory of 2544	2132	bedhhagjca.exe	38
PID 2132 wrote to memory of 2544	2132	bedhhagjca.exe	38
PID 2132 wrote to memory of 2608	2132	bedhhagjca.exe	40
PID 2132 wrote to memory of 2608	2132	bedhhagjca.exe	40
PID 2132 wrote to memory of 2608	2132	bedhhagjca.exe	40
PID 2132 wrote to memory of 2608	2132	bedhhagjca.exe	40

C:\Users\Admin\AppData\Local\Temp\1d31fafe4a113de8eebfcc7d4afa3e54.exe
"C:\Users\Admin\AppData\Local\Temp\1d31fafe4a113de8eebfcc7d4afa3e54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\bedhhagjca.exe
  C:\Users\Admin\AppData\Local\Temp\bedhhagjca.exe 1^4^3^3^5^9^3^7^9^5^7 LkxGQTgoNiwtLhkuT1I/S0BBNicbKE1BUVRKSUhCOzgqJC4tbW1mYW5ab2dgaWI6TVxmZlhiXh8rQUZOS0Y9NC0wNi0vHSo6Rj00KxkuTE9MP0xATVZEPTwuMzYvKh0oSkBLVUFPXFBJSTZfb21vNiwsbmlzJztATEopUUxLJD5JRylCTUJMHSo6SUI6RkJDOR0sPyg6JigbKEMuOiosFyw9KjgmMBwsQS80KioXKj00OSouGyZNS0Y/TkJQXE1NQFM6OlQ2HytNT0o7UjxLWj5USD46GyZNS0Y/TkJQXEs8REI2Fyo+V0FcUk1DOhkmQFFEW0BKP0NGRzw4GS5ETFBPVj9LRlJMRE46MhsmUUE4SURYS1JcUElJNhcqT0w5Lx0qO1AqNBsoUVFLUUREQlhOQEVCS0pCREQ+QDxQS0s5HSxESlxLTElNSElCOm9pcl4XKktEUFJPSUBLQFZQTEROXEE8UFA2KRsoR0VBQlM0LhkmRExeQFZLPERGPFZAR0JOVk1PPEE2XVxlcmEdLD9GVEdDSjpDW0ZNOCg0MSUsMTYqMzYpKTArFypJQE4+SUc8SVhASUxTPUlJOF1eZWpgGS5QRkpANC4tKjIwLzQ1NjEXLD1GUkdLSz5BWktGRjw4MC4uMSwtJy4uIS4zMjA3MjEhPkY=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091091.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091091.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091091.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091091.txt bios get version
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091091.txt bios get version
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704091091.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhagjca.exe

Filesize
1.1MB

MD5
1217e25b11f48c0ea9f2e880c606ab3b

SHA1
140f6762b3d32d560582aaf6a57b85839ae3f653

SHA256
b891c78da72f8b9f8d2d956a6b0d9a2702c3a4c0214f00faba0b1ad16ee2a00c

SHA512
1462de651e014d0db8ecad7249d6b3ec31250c7ae0e2a6737c78fb0939d4e3bde4162c31fc192920491a6f210c95a9a6b145b10617de4b281094332e0b0a5e23

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhagjca.exe

Filesize
625KB

MD5
db9d72fb47b5428abf8e22e2680fdd32

SHA1
13f3efe6c54ac341dd450888cf932379c247e9ea

SHA256
27ce873e10200d2b6287e96ad90577f5c55908161546119a0da1ef690738f787

SHA512
7ebcd58adb6ac94a42ea46eecca966ded06bd83da6c4ad41a5b02477297276e8d5ec677338095ed3144ec0d68a3668dce32a2dc7a41a3ce2904b1e6bb831b415

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhagjca.exe

Filesize
576KB

MD5
7d2a0cf9b542854ed733257baba71a50

SHA1
0c2939e02a6b2c8b8b501dc7f74f98daa55cb753

SHA256
a271add069902633f3be58ac6416330921dc9e9a1312087b5db6b3c0a0f7e279

SHA512
e6c5080ba3334e7d56d83a7a3c861847d7785145318388a004b030f0d3b91e77eeb94e05a88bc69c7c2a71aa971a0e56732864c407a0b36dd20bcf3a7a9e9a1b

Download Submit
\Users\Admin\AppData\Local\Temp\bedhhagjca.exe

Filesize
1006KB

MD5
b305088e3b186b70a30d1c2e7acc3786

SHA1
a03989560c097258797eac2eee7e3cd708dcb749

SHA256
72058921db0a395b0bf212aacb0eab07a04a86250108fc68e04740659e34e628

SHA512
a9fe64ac771ce58598d567ad770deb574c788e2d55244c2d267562566299ffdf050ca0fac5dfc9478eb73093bcaf2f4d890fdf42ca58f82c7aef470580bc8c7b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7206.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7206.tmp\auivxsj.dll

Filesize
126KB

MD5
7d8cb5facffd155a728cd10d196c95f2

SHA1
3c6a457601349aaf5f770ed1a5601ae032774de4

SHA256
43c686cc69e81ab75bc44cb788d9c13005280ac90beda122cf1ffa627649ae5c

SHA512
f2ea314caa6f92d128a8281400257378767a4342c77fafbe0a9715fe36ecea232c9e0aae29ff1d5469bd9f5c083cf4f4857aaaf67bd1ef58d8954b45ba91ff4d

Download Submit