22cc8eacf24b79c4f65511afa63e761778ba04a18a3852a6578cf4830246e62b

Analysis

max time kernel
121s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18eaa8a314df880122442b33d6e46378.exe
Size

758KB
MD5

18eaa8a314df880122442b33d6e46378
SHA1

bea1f09783c928dab583b438f16fcfc2bcce3918
SHA256

22cc8eacf24b79c4f65511afa63e761778ba04a18a3852a6578cf4830246e62b
SHA512

e5f3ba605fadce13c8c79b62d7c937e6e19a84cdad53d2cf4a8ba3c632526869abd1c70e2ff3a0fdbbbc31c5eb2d6a7937cb866cfb60d7349d56c9eec6298bff
SSDEEP

12288:NBTd+Z7imKDRNQOk+bvLJQI4aiBZywnOft5S6jHWoTSpcotQMa8hKdfc8vy4hu:NDiNKDTbv+nBs8Oi+qceQKL86d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2548	bedejajhca.exe

Loads dropped DLL 11 IoCs

pid	Process
2808	18eaa8a314df880122442b33d6e46378.exe
2808	18eaa8a314df880122442b33d6e46378.exe
2808	18eaa8a314df880122442b33d6e46378.exe
2808	18eaa8a314df880122442b33d6e46378.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	2548	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemProfilePrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeProfSingleProcessPrivilege	1944	wmic.exe
Token: SeIncBasePriorityPrivilege	1944	wmic.exe
Token: SeCreatePagefilePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeDebugPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeRemoteShutdownPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: 33	1944	wmic.exe
Token: 34	1944	wmic.exe
Token: 35	1944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2548	2808	18eaa8a314df880122442b33d6e46378.exe	29
PID 2808 wrote to memory of 2548	2808	18eaa8a314df880122442b33d6e46378.exe	29
PID 2808 wrote to memory of 2548	2808	18eaa8a314df880122442b33d6e46378.exe	29
PID 2808 wrote to memory of 2548	2808	18eaa8a314df880122442b33d6e46378.exe	29
PID 2548 wrote to memory of 1076	2548	bedejajhca.exe	30
PID 2548 wrote to memory of 1076	2548	bedejajhca.exe	30
PID 2548 wrote to memory of 1076	2548	bedejajhca.exe	30
PID 2548 wrote to memory of 1076	2548	bedejajhca.exe	30
PID 2548 wrote to memory of 1944	2548	bedejajhca.exe	33
PID 2548 wrote to memory of 1944	2548	bedejajhca.exe	33
PID 2548 wrote to memory of 1944	2548	bedejajhca.exe	33
PID 2548 wrote to memory of 1944	2548	bedejajhca.exe	33
PID 2548 wrote to memory of 1920	2548	bedejajhca.exe	35
PID 2548 wrote to memory of 1920	2548	bedejajhca.exe	35
PID 2548 wrote to memory of 1920	2548	bedejajhca.exe	35
PID 2548 wrote to memory of 1920	2548	bedejajhca.exe	35
PID 2548 wrote to memory of 568	2548	bedejajhca.exe	37
PID 2548 wrote to memory of 568	2548	bedejajhca.exe	37
PID 2548 wrote to memory of 568	2548	bedejajhca.exe	37
PID 2548 wrote to memory of 568	2548	bedejajhca.exe	37
PID 2548 wrote to memory of 772	2548	bedejajhca.exe	39
PID 2548 wrote to memory of 772	2548	bedejajhca.exe	39
PID 2548 wrote to memory of 772	2548	bedejajhca.exe	39
PID 2548 wrote to memory of 772	2548	bedejajhca.exe	39
PID 2548 wrote to memory of 2384	2548	bedejajhca.exe	41
PID 2548 wrote to memory of 2384	2548	bedejajhca.exe	41
PID 2548 wrote to memory of 2384	2548	bedejajhca.exe	41
PID 2548 wrote to memory of 2384	2548	bedejajhca.exe	41

C:\Users\Admin\AppData\Local\Temp\18eaa8a314df880122442b33d6e46378.exe
"C:\Users\Admin\AppData\Local\Temp\18eaa8a314df880122442b33d6e46378.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\bedejajhca.exe
  C:\Users\Admin\AppData\Local\Temp\bedejajhca.exe 9]3]4]7]2]0]6]6]0]4]8 Jk1FPTsxMy02LxgmUFE7Tkk+NzAcJ0VCUFBNUkVDRDkpHC8saXBvXm9jcGZYamE2UGVjZ2FjXRcsQEJRVEM+PS4vLi4uGS1DQz49LBgmTU5IQlU9Tl9FPDQvMjIyMxopU0FKTUJOWFNSRjdocGxnNysocXJwKERBS0IqUEhOLTtKUCpBRUNLGS1DRkNDR0E7OhwoQjE3JzEcJzsvOSYvICk+MzklKB0rPTI9JysgKzwsOikqHi9KTE9ATTpRW0lQSVA7Q1U1FyxMS01ETz1UWz1MST02Hi9KTE9ATTpRW0c/TT83ICs9T0JbTlBMNxovQVA8XD9GQkxDSEU5GCZFS0xSXzxMT1NLPE85Lh4vTkJBSkNQTFFYU1JGNyArTkQ6LhktRE0rPRwnSVJKTUdNP1lXQUQ6TEk+R007QUVRSkM6HChHU1lMVUpMQEpBNnJyb18gK0o8UVFLTElIQV9RSzxPWz0/WU03MhwnP0ZAPlY9KxovRUtWQVVHP01DPV9BRjpPVUlSRT43Zl1kamIcKEJPUUhMSzk7XEVJOzIrMS41MSUvLTIsNysaL1BBREI5KjIzLjMxMC4oMxwoQk9RSExLOTtcUEJLRTcwLy4pJi8sKjMqMTQyLzIqMyZJSw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704285989.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704285989.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704285989.txt bios get version
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704285989.txt bios get version
    3⤵
    PID:568
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704285989.txt bios get version
    3⤵
    PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704285989.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704285989.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704285989.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
\Users\Admin\AppData\Local\Temp\bedejajhca.exe

Filesize
1.2MB

MD5
2a8e0c5c1a3fecabdbeb05850ee6fe21

SHA1
4562d4e081e777c64362b843b3a41036c199c395

SHA256
ae2197c469069defde55f2b6273f8a8df7f83ff364e2e9b4668f10b8e6a973c8

SHA512
53c47c2d82ec69036dfff2a035593072eec8c77b1b0d41c92d9f259fdc78b15706219b3ee292f7f0f87f13b1cd8a7d97517dd183f1ad0e776e44fdb25cf3b89c

Download Submit
\Users\Admin\AppData\Local\Temp\nse5D1F.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nse5D1F.tmp\fvnmgsa.dll

Filesize
169KB

MD5
7681f1657f44a6fd03c880e3747e137e

SHA1
adea05730c670bbbecf94f9c8b8bf30c143395d8

SHA256
1555c90321b5f52e8ece84c5c4ece6d1d71446f2888ee1f815694f882eaf60b3

SHA512
62924ed4c196652ea29039e3b8d08bbdf7b30e2fed7958fd4ce68931f15bd021a8c1f9ca61fc76a2d995c3c12f54054f797cc752ecc55dedf0881af40061fd4a

Download Submit