164a57eb0202d849e708cec5842fa600b5d0f962dfdaa0b99f495f2d73931ae3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4389087212318ad958137505b0a01652.exe
Size

770KB
MD5

4389087212318ad958137505b0a01652
SHA1

e5c8e06567fc90246eb08ac21a361d698579a273
SHA256

164a57eb0202d849e708cec5842fa600b5d0f962dfdaa0b99f495f2d73931ae3
SHA512

9c02b185933f97c7bd03ef1e8ea87b930ca5ad5e327d4c9800f49ca8a0ad5c8ce5656a530969dd5acf1402e4a37bf0d85b745ee485ec1193b04571b6bb9bc264
SSDEEP

12288:32tX90TaR7SeeqDUaAOUr5OhLAsAu5wiQsaFKjlrWzy/9+gGuquIC7gQa7gMzfcU:GDGb0k5ruABJtFKWzykBuquPMv7Pg86

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	bedecahhdd.exe

Loads dropped DLL 11 IoCs

pid	Process
2516	4389087212318ad958137505b0a01652.exe
2516	4389087212318ad958137505b0a01652.exe
2516	4389087212318ad958137505b0a01652.exe
2516	4389087212318ad958137505b0a01652.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2780	2740	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2996	wmic.exe
Token: SeSecurityPrivilege	2996	wmic.exe
Token: SeTakeOwnershipPrivilege	2996	wmic.exe
Token: SeLoadDriverPrivilege	2996	wmic.exe
Token: SeSystemProfilePrivilege	2996	wmic.exe
Token: SeSystemtimePrivilege	2996	wmic.exe
Token: SeProfSingleProcessPrivilege	2996	wmic.exe
Token: SeIncBasePriorityPrivilege	2996	wmic.exe
Token: SeCreatePagefilePrivilege	2996	wmic.exe
Token: SeBackupPrivilege	2996	wmic.exe
Token: SeRestorePrivilege	2996	wmic.exe
Token: SeShutdownPrivilege	2996	wmic.exe
Token: SeDebugPrivilege	2996	wmic.exe
Token: SeSystemEnvironmentPrivilege	2996	wmic.exe
Token: SeRemoteShutdownPrivilege	2996	wmic.exe
Token: SeUndockPrivilege	2996	wmic.exe
Token: SeManageVolumePrivilege	2996	wmic.exe
Token: 33	2996	wmic.exe
Token: 34	2996	wmic.exe
Token: 35	2996	wmic.exe
Token: SeIncreaseQuotaPrivilege	2996	wmic.exe
Token: SeSecurityPrivilege	2996	wmic.exe
Token: SeTakeOwnershipPrivilege	2996	wmic.exe
Token: SeLoadDriverPrivilege	2996	wmic.exe
Token: SeSystemProfilePrivilege	2996	wmic.exe
Token: SeSystemtimePrivilege	2996	wmic.exe
Token: SeProfSingleProcessPrivilege	2996	wmic.exe
Token: SeIncBasePriorityPrivilege	2996	wmic.exe
Token: SeCreatePagefilePrivilege	2996	wmic.exe
Token: SeBackupPrivilege	2996	wmic.exe
Token: SeRestorePrivilege	2996	wmic.exe
Token: SeShutdownPrivilege	2996	wmic.exe
Token: SeDebugPrivilege	2996	wmic.exe
Token: SeSystemEnvironmentPrivilege	2996	wmic.exe
Token: SeRemoteShutdownPrivilege	2996	wmic.exe
Token: SeUndockPrivilege	2996	wmic.exe
Token: SeManageVolumePrivilege	2996	wmic.exe
Token: 33	2996	wmic.exe
Token: 34	2996	wmic.exe
Token: 35	2996	wmic.exe
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe
Token: SeRestorePrivilege	2716	wmic.exe
Token: SeShutdownPrivilege	2716	wmic.exe
Token: SeDebugPrivilege	2716	wmic.exe
Token: SeSystemEnvironmentPrivilege	2716	wmic.exe
Token: SeRemoteShutdownPrivilege	2716	wmic.exe
Token: SeUndockPrivilege	2716	wmic.exe
Token: SeManageVolumePrivilege	2716	wmic.exe
Token: 33	2716	wmic.exe
Token: 34	2716	wmic.exe
Token: 35	2716	wmic.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2740	2516	4389087212318ad958137505b0a01652.exe	29
PID 2516 wrote to memory of 2740	2516	4389087212318ad958137505b0a01652.exe	29
PID 2516 wrote to memory of 2740	2516	4389087212318ad958137505b0a01652.exe	29
PID 2516 wrote to memory of 2740	2516	4389087212318ad958137505b0a01652.exe	29
PID 2740 wrote to memory of 2996	2740	bedecahhdd.exe	28
PID 2740 wrote to memory of 2996	2740	bedecahhdd.exe	28
PID 2740 wrote to memory of 2996	2740	bedecahhdd.exe	28
PID 2740 wrote to memory of 2996	2740	bedecahhdd.exe	28
PID 2740 wrote to memory of 2716	2740	bedecahhdd.exe	27
PID 2740 wrote to memory of 2716	2740	bedecahhdd.exe	27
PID 2740 wrote to memory of 2716	2740	bedecahhdd.exe	27
PID 2740 wrote to memory of 2716	2740	bedecahhdd.exe	27
PID 2740 wrote to memory of 2552	2740	bedecahhdd.exe	26
PID 2740 wrote to memory of 2552	2740	bedecahhdd.exe	26
PID 2740 wrote to memory of 2552	2740	bedecahhdd.exe	26
PID 2740 wrote to memory of 2552	2740	bedecahhdd.exe	26
PID 2740 wrote to memory of 2672	2740	bedecahhdd.exe	24
PID 2740 wrote to memory of 2672	2740	bedecahhdd.exe	24
PID 2740 wrote to memory of 2672	2740	bedecahhdd.exe	24
PID 2740 wrote to memory of 2672	2740	bedecahhdd.exe	24
PID 2740 wrote to memory of 1880	2740	bedecahhdd.exe	23
PID 2740 wrote to memory of 1880	2740	bedecahhdd.exe	23
PID 2740 wrote to memory of 1880	2740	bedecahhdd.exe	23
PID 2740 wrote to memory of 1880	2740	bedecahhdd.exe	23
PID 2740 wrote to memory of 2780	2740	bedecahhdd.exe	22
PID 2740 wrote to memory of 2780	2740	bedecahhdd.exe	22
PID 2740 wrote to memory of 2780	2740	bedecahhdd.exe	22
PID 2740 wrote to memory of 2780	2740	bedecahhdd.exe	22

C:\Users\Admin\AppData\Local\Temp\4389087212318ad958137505b0a01652.exe
"C:\Users\Admin\AppData\Local\Temp\4389087212318ad958137505b0a01652.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe
  C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe 6,9,3,9,0,1,7,3,3,5,6 KUdGOz0xKjA0KxopSlI5UEg9OjAyMDMuMhcvTT5RVEpMRUBBNDAfKEFGTk5DOzopNzgpLR0qPUM7OicgLklPTD9PPUtcQEQ8KzMxMzEaJlA8UlU+T1xQTEY0ZWt0bzMsLG5scCVBPFNKJlFMSyc7R00lSU0/TB0qPUZAQEJJQzYwMjMvMywxLTkwKjEwLywrLTUtOR8oQS44LTEtNi41HyhBLzgnKxcsOzM8Ji4dKj4uNCooIC49MjooKxomTUlPQ05AUVpKTEBTOENYNh0sS0xJO1I6VF4+Ukk8NxomTUlPQ05AUVpIO0RCNCAuPlVCWk9MQzoXL0RRQlw+Rz5DRkVFPBksRUpNTlY/SU9WTEJPOCwaJlE/QU1EVkxQWU9JSTQgLk9KOi0aKTtQKD11aHNeYWZbaXJpZWYZLE9QSE5ASjxfVj5JQEpHP0BKOEdETk9JOBopQFBWUlRHUUZIPzdrb2xlHyhPQk9PTEVGRUdeTlBCTVk+OFZKPTEZLEVEPj9POiggLkJQXD9TSDhKQENePktATVNKS0I7PWVaaXBgGik7TE5OS0g+QVpDSjQvKDMtKjU2KTItJS4qMR8oUUZIPzcoMSo0MSozNissGiZBRldNRUw+P1lOQEo8PTUoLjAqLCooMiE1OSwyNyssJEdK
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2780

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453235.txt bios get version
1⤵
PID:1880

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453235.txt bios get version
1⤵
PID:2672

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453235.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453235.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453235.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704453235.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
81KB

MD5
2ce240ac126ebdf4b18e9b0960d88707

SHA1
57f84c636e5487d2a3f90bf7a849b25be7152e7a

SHA256
19aed3b30ca54a726fbbd763a013ee659dba367c9e8f43f9175dbfecf9920e60

SHA512
30e431102778c5907d29e568fe5a0d034b2b307ac05517de7f91f27e5b8bc4d636d40119139472149870290a2824db9ae0cbe13b9e0038d30dae933cfdd6b7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
32KB

MD5
7e3dbfbf019a93c64b3bfb3aff2e3c78

SHA1
703a846cb5efd99ad55bdd4046d6b12b3f112ff1

SHA256
0b8b35a731add5bba06b99b91c5f8d2103d041e8d7f5c7c75ce74218f83e1445

SHA512
e628a2d2052ffd53e17917b86c12a08eacb09654c7279c0c43f1d6d604c487a12a69c9611d7f46e1a81c68e7dd1d21bad9f132a6f995a52852e2f2a552b5a657

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1B10.tmp\apdowrt.dll

Filesize
69KB

MD5
0a09151fd9a05632c99b9de4feaaa140

SHA1
33152328ebde1062d0cfad1d127045bb15052ce4

SHA256
a27d48657d5e125f34cfce0e3b935eaa4b0a5626a54f72cc7c5d695e0dd89c8e

SHA512
8a7d6e5e6c04d929ca0c18b99433c761c01c57e125f5be39357436db3b90cd42336b255cfcbadaf111370f21202c53469c229563cac99da15212b4eec15e4ffe

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
80KB

MD5
48645ac11744b3e421dc331a09b235e6

SHA1
dc7be2a2b8bc38d3d458ddf1f367162f6877c79d

SHA256
d6371b6713ef668be02491eabc44e0f120604bfbd54757860632bebde4847ee0

SHA512
c838d72bd89a2efe9ce5e87b6a8c1b26f4c0c8cf09ef4f333143cd52734bd9586913c5ad90890dee00c60d320eafc271658e2f208cbeda3577b0f18cc1b576e3

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
34KB

MD5
b87c9b6ac5eba0e1b6fab363741ff086

SHA1
bdc64e37eb548cff84324f4e54f8cc42e6dcd490

SHA256
66bf6ec356aa4b6d948da351ad0ec3b4658c334f5c6fad264ca2dffbcbcdef80

SHA512
e550fe7614ebc507f3e5a9633c7c39ef8b9265b4294d036002a68b61067ff08d5b6cace4924fd7a48ef3ee50e7e3d73160431435e76ab1bd94ab36d0888d348c

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
95KB

MD5
aa089caa160f01fb9232e9afc5e67778

SHA1
1e0a2b214c6485de475a161f4d4626b519688eb6

SHA256
3e46ad464bf6be4ec8c4c5ffa1553e2e05fb08b3d2434a74ef6cd026cacc608e

SHA512
4db5aae1e2cfb697675f359cd44ac93d892d2279ef65663b7cc96b0526318600d853ed401277d990b13dc48458e49248562baca4824e267aded13a80ca54d003

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
6KB

MD5
70592f16e28061d8f81cc36801dadc7f

SHA1
2bd4f39bbbfed9c08022e0d8ced3c690d423209a

SHA256
cbc078dad2643aef836ad188dfd6e03dfdd94d8ba432c63e35dc811678eaff37

SHA512
ac6821fea35cafc1128ee7394ad606d33ee8d2e38d49533b607804d5f8741188f9c86860bbb5f1b9131241a21a2a833c3e88c6ed32d9b9f14fdfdf5081176d30

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
34KB

MD5
5dd6ea178ba7d0905f9ce01f7b897d22

SHA1
63298edeb16a90fe63c9096a543f0d15696d9727

SHA256
1b6edef70f9d061046c7d2efa457dc20ed565150871c9e2c94a17a1ec9115927

SHA512
378364f60ce5dde7fcff66f2e1be99ae82fadb66e65b2a59ccadbc0e617f2a9c76d5edc0777170e608b1d3e2e21108f8df40a3740fc288fce6bc6ad7dce7e4fb

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
15KB

MD5
23f4745470ed619abf4512792f95387e

SHA1
85dcd230e239409303f5c9604ffb8500e5245a39

SHA256
6e5e4985262f1925b9babb39595961374b95cb6a0e3371616c99f4b514522905

SHA512
cc4ec5df9b61f498bd274b658da8df2e7b453110d0a04f6d4a5c65617d8ac05f81be7c55366352405831806610a9e2799dc3421c4d76eeb37d2419f2d6e977b2

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
53KB

MD5
298ca203a0e436fe962b48f50a999115

SHA1
78d8ae1305ed119e996bbf746c953fadca5bde89

SHA256
96c925e5678e5bf6fef778a89b01a9a74e9182214bbc8d4267213c7d7b0f2c50

SHA512
1883e536f5f32e2e897582d04bd05a918283f2e33658ce1af4c2942b4b9974de85e94183f69782b804e280636c824ae74752d10fc701a0f3b4d41f8e0777fe72

Download Submit
\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
1KB

MD5
8c4ba5ea00b3449042619b3ecc9cbc65

SHA1
7163360f298518a7bbe941068434aeb3da34ccc4

SHA256
857acb07ebe354f4fd31b1dff94d34aff7fe334b4e9b692867b3803b1f7ebc22

SHA512
60b4fb65bf6146cc2aa7f7a31909794b805f2b4b67d755759d0a5b68ae6d3de0468c47eada073c558d7ffdd085104c69619cd56867e95aa386d3b32182fe69ed

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B10.tmp\ZipDLL.dll

Filesize
67KB

MD5
53b4de68b455ad77a9c7905c05a03af1

SHA1
3a4c9da1d978e0fcde66e5cefa2a885bdadd693d

SHA256
4ab22ba729025a1b61df0e52f399b7f1c54ec29a64933c556a8bec0d3d6d464b

SHA512
94654614f1d3b6fc78df91ef4d61b768d23812d9999c34744e48bc452a24411b3d303bb7512fa7529d55e566457262566231bfbed5fc767a5945c8f064bb9535

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B10.tmp\apdowrt.dll

Filesize
47KB

MD5
d600d84605afdc3ce5fe32edf3b84033

SHA1
1995f52f85ee0b4dcff84f607cb1fd149dc48f25

SHA256
341b24f6a5e2b9ee04594f049743db71e150e47d5fe1ea34579f8a8700ab0414

SHA512
0a8d3d063a16c2e3bafa83f68021d11e7031f55918c55e864c15d373f0bbc37a3df398006270b8c0ab081911fba4dcf147633ea1e5a8ef6ac0da00d775eb29c8

Download Submit