ff18bd17d818e81800acba7c65abef03e873d92aec882332468f4f66313b4804

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21539bc29b75eba7f203c6dfbad6f111.exe
Size

268KB
MD5

21539bc29b75eba7f203c6dfbad6f111
SHA1

ec7c4ffe8d1b749e721c749167bc89ec72776bfe
SHA256

ff18bd17d818e81800acba7c65abef03e873d92aec882332468f4f66313b4804
SHA512

32b0340174167cc77046e2a006038cb698595c805b2ea92cda32f2b7ec47e54e1ea1f8a1e67f50bc3e13fef69823f6bae7711da271ba6da874c07ee548582663
SSDEEP

6144:CRPpbZRml8z94sYxeTfXys6zlbG95POPHQ7TlSqSeiD4/uhHCA4ydSZb0ng:KPpbZRi8z94da64RyHQ7TlUJ4/uLng

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bexed.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	bexed.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	21539bc29b75eba7f203c6dfbad6f111.exe
2896	21539bc29b75eba7f203c6dfbad6f111.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /P"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /g"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /f"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /U"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /T"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /D"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /C"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /s"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /l"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /v"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /c"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /k"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /F"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /G"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /d"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /R"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /m"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /j"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /A"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /Y"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /B"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /n"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /t"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /K"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /X"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /W"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /H"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /Q"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /p"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /q"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /S"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /w"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /M"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /L"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /y"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /z"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /r"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /u"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /J"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /o"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /h"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /e"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /Z"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /i"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /E"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /x"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /a"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /V"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /I"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /O"	bexed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\bexed = "C:\\Users\\Admin\\bexed.exe /b"	bexed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe
3028	bexed.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2896	21539bc29b75eba7f203c6dfbad6f111.exe
3028	bexed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3028	2896	21539bc29b75eba7f203c6dfbad6f111.exe	28
PID 2896 wrote to memory of 3028	2896	21539bc29b75eba7f203c6dfbad6f111.exe	28
PID 2896 wrote to memory of 3028	2896	21539bc29b75eba7f203c6dfbad6f111.exe	28
PID 2896 wrote to memory of 3028	2896	21539bc29b75eba7f203c6dfbad6f111.exe	28

C:\Users\Admin\AppData\Local\Temp\21539bc29b75eba7f203c6dfbad6f111.exe
"C:\Users\Admin\AppData\Local\Temp\21539bc29b75eba7f203c6dfbad6f111.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\bexed.exe
  "C:\Users\Admin\bexed.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bexed.exe

Filesize
128KB

MD5
38237afdb2a74f5ae9a214d184db36a5

SHA1
e97430cd378bc02a37d2b1c8e5846f6c0460fc84

SHA256
06d479097fb6d7d4470deb46a4e7ccf5d23eab791a9c9137b0ba10998ccbed1a

SHA512
717868b285b7a9384e4f8e18161abf7467c3857a52581fbce3797fd836db7d4032fd75fbaa4df3171c3c0260d8b5a02f83ea4bc33c20a050f31abd651b393f92

Download Submit
C:\Users\Admin\bexed.exe

Filesize
128KB

MD5
6d0ecba2682891ed3b9de967cabc4af8

SHA1
581dc53cfcc7a178a5d3617de032985692bd63e3

SHA256
63a0eb79863df5e294a5f7880046c6e26220da1079f86bd19dcee08b1f045ebf

SHA512
ee9cb54e7ba2f673926e86abc1566bf4b1b4dcefbade885ade4d9d75fbd68491b16be832f2e31e4e9fdfdcde0de2d2d7f946b437ed45fccc63fb0181908f0a8d

Download Submit
C:\Users\Admin\bexed.exe

Filesize
256KB

MD5
090927d4ee149207f89373c3f9fe569d

SHA1
02cb9981d2e65db960622e09300c3d3dae9b1779

SHA256
e6ebec6ec21f3ed00f985925ac2804fa5f525df8fb03d3e62c01219b451fffec

SHA512
b18f9e32e888940c8685556137f3e8f8a5bfdf353e3c3e70e2d93a5dee0de102a9acf9a5bc7e408f5db92515090bb1c2e49ba4d1f5a966ef657747a5236458e2

Download Submit
\Users\Admin\bexed.exe

Filesize
259KB

MD5
4b199ea3aa7aa7bd8d3eb400eed20b96

SHA1
334d0ee68b2cff33287e7bca9ac060f16307e239

SHA256
30bb3fb5e2453fa60fa76ecd6de490c8907c9323d6e66292054efd66cf000c88

SHA512
9cf4a896b44a0bc395924e5ab160de7eda800d10792100806fe460c2ff1c2fcd0281f718132cb2e05afff015394d6c76201c3034aeff7802d66c8280077fbd5f

Download Submit
\Users\Admin\bexed.exe

Filesize
161KB

MD5
cd35b6236cf5f2c8221b47c8b59c67c5

SHA1
5b193bea3db0a174ab50fda11431a89b5b77411d

SHA256
a91adc30ae63c5611c22fcd8e9e8c9160893885b1f9dd0abb89134cc643199f6

SHA512
a7077d0141e0a7f72132d3735ef2599caa9c0369bfedb6d4a42981c044db2bb0fd421bc165fb4d500638a1da3a0d67a0b0ca7b987827c5fff28d083ab6e6e534

Download Submit