164a57eb0202d849e708cec5842fa600b5d0f962dfdaa0b99f495f2d73931ae3

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4389087212318ad958137505b0a01652.exe
Size

770KB
MD5

4389087212318ad958137505b0a01652
SHA1

e5c8e06567fc90246eb08ac21a361d698579a273
SHA256

164a57eb0202d849e708cec5842fa600b5d0f962dfdaa0b99f495f2d73931ae3
SHA512

9c02b185933f97c7bd03ef1e8ea87b930ca5ad5e327d4c9800f49ca8a0ad5c8ce5656a530969dd5acf1402e4a37bf0d85b745ee485ec1193b04571b6bb9bc264
SSDEEP

12288:32tX90TaR7SeeqDUaAOUr5OhLAsAu5wiQsaFKjlrWzy/9+gGuquIC7gQa7gMzfcU:GDGb0k5ruABJtFKWzykBuquPMv7Pg86

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
364	bedecahhdd.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	4389087212318ad958137505b0a01652.exe
2424	4389087212318ad958137505b0a01652.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	364	WerFault.exe	32

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2136	wmic.exe
Token: SeSecurityPrivilege	2136	wmic.exe
Token: SeTakeOwnershipPrivilege	2136	wmic.exe
Token: SeLoadDriverPrivilege	2136	wmic.exe
Token: SeSystemProfilePrivilege	2136	wmic.exe
Token: SeSystemtimePrivilege	2136	wmic.exe
Token: SeProfSingleProcessPrivilege	2136	wmic.exe
Token: SeIncBasePriorityPrivilege	2136	wmic.exe
Token: SeCreatePagefilePrivilege	2136	wmic.exe
Token: SeBackupPrivilege	2136	wmic.exe
Token: SeRestorePrivilege	2136	wmic.exe
Token: SeShutdownPrivilege	2136	wmic.exe
Token: SeDebugPrivilege	2136	wmic.exe
Token: SeSystemEnvironmentPrivilege	2136	wmic.exe
Token: SeRemoteShutdownPrivilege	2136	wmic.exe
Token: SeUndockPrivilege	2136	wmic.exe
Token: SeManageVolumePrivilege	2136	wmic.exe
Token: 33	2136	wmic.exe
Token: 34	2136	wmic.exe
Token: 35	2136	wmic.exe
Token: 36	2136	wmic.exe
Token: SeIncreaseQuotaPrivilege	2136	wmic.exe
Token: SeSecurityPrivilege	2136	wmic.exe
Token: SeTakeOwnershipPrivilege	2136	wmic.exe
Token: SeLoadDriverPrivilege	2136	wmic.exe
Token: SeSystemProfilePrivilege	2136	wmic.exe
Token: SeSystemtimePrivilege	2136	wmic.exe
Token: SeProfSingleProcessPrivilege	2136	wmic.exe
Token: SeIncBasePriorityPrivilege	2136	wmic.exe
Token: SeCreatePagefilePrivilege	2136	wmic.exe
Token: SeBackupPrivilege	2136	wmic.exe
Token: SeRestorePrivilege	2136	wmic.exe
Token: SeShutdownPrivilege	2136	wmic.exe
Token: SeDebugPrivilege	2136	wmic.exe
Token: SeSystemEnvironmentPrivilege	2136	wmic.exe
Token: SeRemoteShutdownPrivilege	2136	wmic.exe
Token: SeUndockPrivilege	2136	wmic.exe
Token: SeManageVolumePrivilege	2136	wmic.exe
Token: 33	2136	wmic.exe
Token: 34	2136	wmic.exe
Token: 35	2136	wmic.exe
Token: 36	2136	wmic.exe
Token: SeIncreaseQuotaPrivilege	4824	wmic.exe
Token: SeSecurityPrivilege	4824	wmic.exe
Token: SeTakeOwnershipPrivilege	4824	wmic.exe
Token: SeLoadDriverPrivilege	4824	wmic.exe
Token: SeSystemProfilePrivilege	4824	wmic.exe
Token: SeSystemtimePrivilege	4824	wmic.exe
Token: SeProfSingleProcessPrivilege	4824	wmic.exe
Token: SeIncBasePriorityPrivilege	4824	wmic.exe
Token: SeCreatePagefilePrivilege	4824	wmic.exe
Token: SeBackupPrivilege	4824	wmic.exe
Token: SeRestorePrivilege	4824	wmic.exe
Token: SeShutdownPrivilege	4824	wmic.exe
Token: SeDebugPrivilege	4824	wmic.exe
Token: SeSystemEnvironmentPrivilege	4824	wmic.exe
Token: SeRemoteShutdownPrivilege	4824	wmic.exe
Token: SeUndockPrivilege	4824	wmic.exe
Token: SeManageVolumePrivilege	4824	wmic.exe
Token: 33	4824	wmic.exe
Token: 34	4824	wmic.exe
Token: 35	4824	wmic.exe
Token: 36	4824	wmic.exe
Token: SeIncreaseQuotaPrivilege	4824	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 364	2424	4389087212318ad958137505b0a01652.exe	32
PID 2424 wrote to memory of 364	2424	4389087212318ad958137505b0a01652.exe	32
PID 2424 wrote to memory of 364	2424	4389087212318ad958137505b0a01652.exe	32
PID 364 wrote to memory of 2136	364	bedecahhdd.exe	22
PID 364 wrote to memory of 2136	364	bedecahhdd.exe	22
PID 364 wrote to memory of 2136	364	bedecahhdd.exe	22
PID 364 wrote to memory of 4824	364	bedecahhdd.exe	31
PID 364 wrote to memory of 4824	364	bedecahhdd.exe	31
PID 364 wrote to memory of 4824	364	bedecahhdd.exe	31
PID 364 wrote to memory of 972	364	bedecahhdd.exe	30
PID 364 wrote to memory of 972	364	bedecahhdd.exe	30
PID 364 wrote to memory of 972	364	bedecahhdd.exe	30
PID 364 wrote to memory of 1688	364	bedecahhdd.exe	27
PID 364 wrote to memory of 1688	364	bedecahhdd.exe	27
PID 364 wrote to memory of 1688	364	bedecahhdd.exe	27
PID 364 wrote to memory of 1672	364	bedecahhdd.exe	29
PID 364 wrote to memory of 1672	364	bedecahhdd.exe	29
PID 364 wrote to memory of 1672	364	bedecahhdd.exe	29

C:\Users\Admin\AppData\Local\Temp\4389087212318ad958137505b0a01652.exe
"C:\Users\Admin\AppData\Local\Temp\4389087212318ad958137505b0a01652.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe
  C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe 6,9,3,9,0,1,7,3,3,5,6 KUdGOz0xKjA0KxopSlI5UEg9OjAyMDMuMhcvTT5RVEpMRUBBNDAfKEFGTk5DOzopNzgpLR0qPUM7OicgLklPTD9PPUtcQEQ8KzMxMzEaJlA8UlU+T1xQTEY0ZWt0bzMsLG5scCVBPFNKJlFMSyc7R00lSU0/TB0qPUZAQEJJQzYwMjMvMywxLTkwKjEwLywrLTUtOR8oQS44LTEtNi41HyhBLzgnKxcsOzM8Ji4dKj4uNCooIC49MjooKxomTUlPQ05AUVpKTEBTOENYNh0sS0xJO1I6VF4+Ukk8NxomTUlPQ05AUVpIO0RCNCAuPlVCWk9MQzoXL0RRQlw+Rz5DRkVFPBksRUpNTlY/SU9WTEJPOCwaJlE/QU1EVkxQWU9JSTQgLk9KOi0aKTtQKD11aHNeYWZbaXJpZWYZLE9QSE5ASjxfVj5JQEpHP0BKOEdETk9JOBopQFBWUlRHUUZIPzdrb2xlHyhPQk9PTEVGRUdeTlBCTVk+OFZKPTEZLEVEPj9POiggLkJQXD9TSDhKQENePktATVNKS0I7PWVaaXBgGik7TE5OS0g+QVpDSjQvKDMtKjU2KTItJS4qMR8oUUZIPzcoMSo0MSozNissGiZBRldNRUw+P1lOQEo8PTUoLjAqLCooMiE1OSwyNyssJEdK
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 948
    3⤵
    - Program crash
    PID:2852

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453220.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453220.txt bios get version
1⤵
PID:1688

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453220.txt bios get version
1⤵
PID:1672

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453220.txt bios get version
1⤵
PID:972

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704453220.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 364 -ip 364
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704453220.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704453220.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704453220.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
73KB

MD5
59fb2fa113062b524b13fd1c26c607c4

SHA1
9c811f97057470bbe50b5f1b8f76abca6fe8d8d2

SHA256
562c51ed7f644b796947cdb7cd6c8a1febbda16acc07a57e3148168b337c7127

SHA512
4064c507b9d480b38e4c0f776609c5419ce8e982a8b205f56b1393ff7c1492ad3bbf17dfb322311936547ac2fd8eb963f81c302b71e02372a06d789804d5d451

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedecahhdd.exe

Filesize
37KB

MD5
13179146484fa624fb87f1e1528d4de4

SHA1
a64b7f07c1806c60cc05ec081fa20c6317b84873

SHA256
7d4c006be6927849762efdfafd5dd15efddbdb245d9b4457b0771b398a6235fb

SHA512
aecfeb53aab8b7e706b9dd7b82eb9bff768437264c466c7847ad92f75ec00966066e98e7cd7631cc260bb5a519eee22196748a77f1f92295e8477bbad72d271b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47A9.tmp\ZipDLL.dll

Filesize
92KB

MD5
411bb9971a3aa2923e60176c49c0e892

SHA1
97b00e65b22c877f29d82ae22f49a90b1e16eb67

SHA256
ef661aa6cbe0ab3e33e263a372e78db93b79386d2b08d08b0809a474b7b4f4b0

SHA512
0a2f9c5ec38d08a4bc48a0d1b78ab623d4aa10854287496ded4720035e5714a592d72967a870ab2efaa914e4f4875b57cc8652d89882e4e7194efcd3072e088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47A9.tmp\ZipDLL.dll

Filesize
27KB

MD5
61dfb4900e597315b5ba54f4c61116d3

SHA1
a5235973ee4ca5e1f3866c6653a98eebe53c2939

SHA256
65325eda697389e845caa2e8a5e872f89c923b442eb2fd51546fdf2b7d41e8f5

SHA512
3928a0963e1505a18c8ed2b881a1a415a5610bca1681e3533e36b356170d5121fc956cffb3e144f1eea4202aa6af4b4ab0346110fca60eff85cbde28d2070610

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47A9.tmp\apdowrt.dll

Filesize
98KB

MD5
5bc4e879ee4cb35770e4056a9051a2ce

SHA1
e6dd8502b9c2a6148c7fe711faded4972db7cc1d

SHA256
0197cfd217ac6c1bcee56f313c50095569b35ec04181a6ebeb247ad44e7ef60f

SHA512
77ed156f3d0b07975db0805c94bca58ad652a4fda0e3adadd5bfe8bf01391d86eda5b7af789526935c62e83f4f23aaff45bba4dc0a2039df64eff60b28857ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47A9.tmp\apdowrt.dll

Filesize
104KB

MD5
78bfa2e02046ff13f118a16984e2e207

SHA1
bd7fbf3aa950c2218f3f913be7b14b9df8fd7b99

SHA256
ec8d883834e429697469e7e587a45292d5c4a0a24319bd38cfcbb50022460240

SHA512
7ed68c022640cbccc5d935e33e00411d08f4edc936e878cab054b67ff857274a6f71f8427e398367ac945bb140d13f2f1f56dc0561285370165b0db865382289

Download Submit