135f9a21bcb1c20a344012ce67832c27297dce024c5c740b055d66581d93a163

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117cb1613232d4b0596ca99894027a0f.exe
Size

740KB
MD5

117cb1613232d4b0596ca99894027a0f
SHA1

2f0205bcc48d59f6d416810f2d9eeda9193a766c
SHA256

135f9a21bcb1c20a344012ce67832c27297dce024c5c740b055d66581d93a163
SHA512

18b53fae4a569fd353a3840b476ca21de90d4953c1a554450c99cbd94340595f67e28cfb54ca7ed5e95cc009b21fecc0ae8ba8a29fba08ed75fc2b9569713acb
SSDEEP

12288:qnyfd2UhZ1g/2eD3s41xN2z5WKYmhUH+G9lTPzrSYDstP7kQXC8fc8vy4hn:qwr6/F3xDIz5WKIV1Pvk7kQXCR86Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	bedhfiibca.exe

Loads dropped DLL 11 IoCs

pid	Process
2128	117cb1613232d4b0596ca99894027a0f.exe
2128	117cb1613232d4b0596ca99894027a0f.exe
2128	117cb1613232d4b0596ca99894027a0f.exe
2128	117cb1613232d4b0596ca99894027a0f.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	2700	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2700	2128	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2128 wrote to memory of 2700	2128	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2128 wrote to memory of 2700	2128	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2128 wrote to memory of 2700	2128	117cb1613232d4b0596ca99894027a0f.exe	28
PID 2700 wrote to memory of 2764	2700	bedhfiibca.exe	29
PID 2700 wrote to memory of 2764	2700	bedhfiibca.exe	29
PID 2700 wrote to memory of 2764	2700	bedhfiibca.exe	29
PID 2700 wrote to memory of 2764	2700	bedhfiibca.exe	29
PID 2700 wrote to memory of 2728	2700	bedhfiibca.exe	32
PID 2700 wrote to memory of 2728	2700	bedhfiibca.exe	32
PID 2700 wrote to memory of 2728	2700	bedhfiibca.exe	32
PID 2700 wrote to memory of 2728	2700	bedhfiibca.exe	32
PID 2700 wrote to memory of 2576	2700	bedhfiibca.exe	34
PID 2700 wrote to memory of 2576	2700	bedhfiibca.exe	34
PID 2700 wrote to memory of 2576	2700	bedhfiibca.exe	34
PID 2700 wrote to memory of 2576	2700	bedhfiibca.exe	34
PID 2700 wrote to memory of 3020	2700	bedhfiibca.exe	36
PID 2700 wrote to memory of 3020	2700	bedhfiibca.exe	36
PID 2700 wrote to memory of 3020	2700	bedhfiibca.exe	36
PID 2700 wrote to memory of 3020	2700	bedhfiibca.exe	36
PID 2700 wrote to memory of 2540	2700	bedhfiibca.exe	38
PID 2700 wrote to memory of 2540	2700	bedhfiibca.exe	38
PID 2700 wrote to memory of 2540	2700	bedhfiibca.exe	38
PID 2700 wrote to memory of 2540	2700	bedhfiibca.exe	38
PID 2700 wrote to memory of 1584	2700	bedhfiibca.exe	40
PID 2700 wrote to memory of 1584	2700	bedhfiibca.exe	40
PID 2700 wrote to memory of 1584	2700	bedhfiibca.exe	40
PID 2700 wrote to memory of 1584	2700	bedhfiibca.exe	40

C:\Users\Admin\AppData\Local\Temp\117cb1613232d4b0596ca99894027a0f.exe
"C:\Users\Admin\AppData\Local\Temp\117cb1613232d4b0596ca99894027a0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\bedhfiibca.exe
  C:\Users\Admin\AppData\Local\Temp\bedhfiibca.exe 0!0!7!2!0!0!9!8!7!6!5 L1BCQj0xMCsvLRsvU05AUEk7NSkaKk5FTVVPUkJBPTcsJTIpbnJvW21cbmlhbV47UmVgZVphYCAvPUdTVEA8NiwyNzErHi9DQDw2KhsvUEtNRFU6TFhDPz0yLzc0MxcnTD9NVkVLXVVSQzVhbm9wOigtc3JtJj0/TkstTU1QLThISShETkZIHi9DQ0E8RUREPRktRDE0JSoaKkQyNisxICY8LDcoMSAoQjQ9JCkZKT81PSYvIC9HSkg+UENUWE5SSU05PFM4IC9JUE9ETDtNWUBVTDo7IC9HSkg+UENUWExBTTw1GSlAWEVYU1JMNBgoP1NFXzxLRExARj43Gy9ISFFUXzlKSFFORVI2MyAvS0A6SEZZT05dVVJDNRkpUU09Kx4vREopNhoqUlVHUklNPFdQP0dDT0ZDSU04Pz5PTUw9GS1JU1ZKTkhPSU0+O3RybF0ZKU1FVE5QTklFP1hPTkVSWEJBWUo1KxoqSEk9Q1g9KBgoQ05fRFJMQU1AO1g/SUNSUk5URTs1X1tnc2UZLURPTkZFSTxEX0JOPTEuLiczMS42LSwxNC4YKEo8UkFFSkVMVkFHTU9BTEU7ZmFja14aKlRJRkM9MSsrMC80NjMsMCAvO0dQSEdPQT1dVElEPTYxKjIyKDAwMSwiMTQsODouMCpQRA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091620.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091620.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091620.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091620.txt bios get version
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704091620.txt bios get version
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704091620.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5523.tmp\mowjtkb.dll

Filesize
170KB

MD5
2f7ef2c1e98e766d783e05b63656e661

SHA1
4b1a833d267f61b63835c0aa7c63d2b7e2ab222a

SHA256
7da5ec9a7c1fe811b2ef03aba08728201ebc6494c14e34df12dcaf4a1b5e3587

SHA512
359727c28580486e47ed08a7fbd7a5461fbe75b3cf1de8124e6a18e12cf5eca7e2d898575aa2ebc6511b47ebfbfa6fdd77c6a622044c9f05352ad3da5d31670b

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
1008KB

MD5
7764db5466ecca47968d527b163905e8

SHA1
4e804b2577fffd0ceb6ec3092d252d446557d3b5

SHA256
dc4368eb0604153dab14a4709ac0e125c0068786a8d7972d5fcde86974f2204f

SHA512
e376187e8b31ca1c6804e115793179fff8a9f8d251c0dac3a995d15e160bf169a779d74e52ad764952a6e69028f7f35f91019658bbb362e8b4863a16dd07e657

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
136KB

MD5
2ceb1b5b36f586e24f02e680e24bfd91

SHA1
825e2e9b3eae0c57407f7ffc2d984eebb474e4d0

SHA256
0f48e4d51faf944afea9986e97d31fe40c331477d7479d08d3859df3d9fd26ce

SHA512
0dbfcb1e0efccfbef1563804d3ec1feec00ed5b3c653bc9aa699e169a8484df6cded55efdd392e0c1152263c60b76c2bf6387a22bdd193aa382c705da329b9f7

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
965KB

MD5
38971b441ecfda73a977a80cef17c4b2

SHA1
a7c2334b0314cd1acff5c1b806cc73ccc4023e66

SHA256
9be4db70f4627ab2d4b92c6bb3f44ca211f4cef2a0b7db579aa663858f313128

SHA512
1bf7b45bb92130025f5b7853c1eda74e54fefc9f0e45a5e31a976c0ec9418a2d298c72555fd5719645555ec15cc4c20a4efaa0b4bb77bd075f1a79695406eae6

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
646KB

MD5
2ac2842ad1236a8187d0ddcd619e502d

SHA1
325a86e59f7f154b725dba5c2098a377d8a4f3ce

SHA256
e21e2a92d2e99e3127889ff115e9b8340175472968d2541fb1f69ebc0d38a65a

SHA512
9378a8bfe2bfe95da2877baba8add6a49b9fd73911dfec7b24735c881db4c4b6168084557245af4a399092b01f5e423be22ca97c9008bc05c974e06f3420070f

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
702KB

MD5
86aeab1869bcd4f74a261ccd3f1a6736

SHA1
c2a509d237787a3b1e8b6168015640d6c6481230

SHA256
d126ad292ecd4982ed9d5c8a90ccb6fe92ceaebcdc4a47ca1f3f652db8090bdf

SHA512
a1a78046397851b12296cc51fe4943b3b50cd9f74d73c4c5cd65a354ef19eac5eaec3d6ab930f5fdb4d969f00611f7fe7ae84ab11334607e6f39c0d3d3f38dc4

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
695KB

MD5
4034d86c8f08330f2145ee0c17e8a1dd

SHA1
fcb9d3ca6c57bd913ab40ae5bcd6bb2b5ee07688

SHA256
825f439aa888a659759b196473c0bc2c679c3fc7ae9070ad2299e9c6da67b7b4

SHA512
8b443fd14da71a344c23164d1031f2a8289fdc0c36e70c81d2aed330076ef476b3ec81308f55993e6205611cd684f7bdfc5f9cf75ba29bc16b312e5eaeb35f55

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
923KB

MD5
76b68eaea1a82a285e7c7f21c7c6fd16

SHA1
15af22c44c61c5d67344988ec052611147019b53

SHA256
ba9402f7ad7d0d46d8191720ba361ae10c3e862b0f8cc8470b709a767e619e79

SHA512
06713cc8c9a0587c9406e4e0039d017dd06530f51fed2c008aed74d513517bff5cafbcdce145ac8c920079977ce01776ba48e6c6794a30da726a307cbdfe68cf

Download Submit
\Users\Admin\AppData\Local\Temp\bedhfiibca.exe

Filesize
623KB

MD5
f5449a571f2a865c85e37bc30110c192

SHA1
034a3c799458b0649cf7407f6cb8baa81b40e552

SHA256
a23aa6441f731c7d7526ec1d5f4e17f2b6736129fae97b1fa582cee4ab05f87b

SHA512
b18563a941805d0e451fccc3bc404a692e7c959c60d22c275c244b1638b8d4ba84bb41e7a81ea42f44d9bd3eef57d7d78c827fa38679911c464d12e70610996e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5523.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit