20b3143b5a15458fd2ad00c57b0ac3396b66343e6d20fc1ffe1c4b15dc71a7f5

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

550f334594409643ec19d7f10d38b7a0.exe
Size

641KB
MD5

550f334594409643ec19d7f10d38b7a0
SHA1

ad194cee03aca02b47ffbdb45c4527603404efac
SHA256

20b3143b5a15458fd2ad00c57b0ac3396b66343e6d20fc1ffe1c4b15dc71a7f5
SHA512

47e5e805b8cedeed49ed16a24956cf2692f50c0ba7d829ad16b5fab5a141b1e6aada509c06fecd15cb46ef907cdae523e8bb4fe4b27bed5e67b96ab315456c2a
SSDEEP

12288:ukoINtLdqJanU7tQ84ytYyJi/R1cSFQ1RtVEpGrKhcfbtqoVmAfc8vy4hFN:ukohMKm8z2yi/7SLVEpwER86e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	beddddcjca.exe

Loads dropped DLL 11 IoCs

pid	Process
3016	550f334594409643ec19d7f10d38b7a0.exe
3016	550f334594409643ec19d7f10d38b7a0.exe
3016	550f334594409643ec19d7f10d38b7a0.exe
3016	550f334594409643ec19d7f10d38b7a0.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	2708	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2812	wmic.exe
Token: SeSecurityPrivilege	2812	wmic.exe
Token: SeTakeOwnershipPrivilege	2812	wmic.exe
Token: SeLoadDriverPrivilege	2812	wmic.exe
Token: SeSystemProfilePrivilege	2812	wmic.exe
Token: SeSystemtimePrivilege	2812	wmic.exe
Token: SeProfSingleProcessPrivilege	2812	wmic.exe
Token: SeIncBasePriorityPrivilege	2812	wmic.exe
Token: SeCreatePagefilePrivilege	2812	wmic.exe
Token: SeBackupPrivilege	2812	wmic.exe
Token: SeRestorePrivilege	2812	wmic.exe
Token: SeShutdownPrivilege	2812	wmic.exe
Token: SeDebugPrivilege	2812	wmic.exe
Token: SeSystemEnvironmentPrivilege	2812	wmic.exe
Token: SeRemoteShutdownPrivilege	2812	wmic.exe
Token: SeUndockPrivilege	2812	wmic.exe
Token: SeManageVolumePrivilege	2812	wmic.exe
Token: 33	2812	wmic.exe
Token: 34	2812	wmic.exe
Token: 35	2812	wmic.exe
Token: SeIncreaseQuotaPrivilege	2812	wmic.exe
Token: SeSecurityPrivilege	2812	wmic.exe
Token: SeTakeOwnershipPrivilege	2812	wmic.exe
Token: SeLoadDriverPrivilege	2812	wmic.exe
Token: SeSystemProfilePrivilege	2812	wmic.exe
Token: SeSystemtimePrivilege	2812	wmic.exe
Token: SeProfSingleProcessPrivilege	2812	wmic.exe
Token: SeIncBasePriorityPrivilege	2812	wmic.exe
Token: SeCreatePagefilePrivilege	2812	wmic.exe
Token: SeBackupPrivilege	2812	wmic.exe
Token: SeRestorePrivilege	2812	wmic.exe
Token: SeShutdownPrivilege	2812	wmic.exe
Token: SeDebugPrivilege	2812	wmic.exe
Token: SeSystemEnvironmentPrivilege	2812	wmic.exe
Token: SeRemoteShutdownPrivilege	2812	wmic.exe
Token: SeUndockPrivilege	2812	wmic.exe
Token: SeManageVolumePrivilege	2812	wmic.exe
Token: 33	2812	wmic.exe
Token: 34	2812	wmic.exe
Token: 35	2812	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2820	wmic.exe
Token: SeSecurityPrivilege	2820	wmic.exe
Token: SeTakeOwnershipPrivilege	2820	wmic.exe
Token: SeLoadDriverPrivilege	2820	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2708	3016	550f334594409643ec19d7f10d38b7a0.exe	28
PID 3016 wrote to memory of 2708	3016	550f334594409643ec19d7f10d38b7a0.exe	28
PID 3016 wrote to memory of 2708	3016	550f334594409643ec19d7f10d38b7a0.exe	28
PID 3016 wrote to memory of 2708	3016	550f334594409643ec19d7f10d38b7a0.exe	28
PID 2708 wrote to memory of 2812	2708	beddddcjca.exe	30
PID 2708 wrote to memory of 2812	2708	beddddcjca.exe	30
PID 2708 wrote to memory of 2812	2708	beddddcjca.exe	30
PID 2708 wrote to memory of 2812	2708	beddddcjca.exe	30
PID 2708 wrote to memory of 2588	2708	beddddcjca.exe	35
PID 2708 wrote to memory of 2588	2708	beddddcjca.exe	35
PID 2708 wrote to memory of 2588	2708	beddddcjca.exe	35
PID 2708 wrote to memory of 2588	2708	beddddcjca.exe	35
PID 2708 wrote to memory of 2820	2708	beddddcjca.exe	33
PID 2708 wrote to memory of 2820	2708	beddddcjca.exe	33
PID 2708 wrote to memory of 2820	2708	beddddcjca.exe	33
PID 2708 wrote to memory of 2820	2708	beddddcjca.exe	33
PID 2708 wrote to memory of 2632	2708	beddddcjca.exe	37
PID 2708 wrote to memory of 2632	2708	beddddcjca.exe	37
PID 2708 wrote to memory of 2632	2708	beddddcjca.exe	37
PID 2708 wrote to memory of 2632	2708	beddddcjca.exe	37
PID 2708 wrote to memory of 1888	2708	beddddcjca.exe	39
PID 2708 wrote to memory of 1888	2708	beddddcjca.exe	39
PID 2708 wrote to memory of 1888	2708	beddddcjca.exe	39
PID 2708 wrote to memory of 1888	2708	beddddcjca.exe	39
PID 2708 wrote to memory of 2656	2708	beddddcjca.exe	40
PID 2708 wrote to memory of 2656	2708	beddddcjca.exe	40
PID 2708 wrote to memory of 2656	2708	beddddcjca.exe	40
PID 2708 wrote to memory of 2656	2708	beddddcjca.exe	40

C:\Users\Admin\AppData\Local\Temp\550f334594409643ec19d7f10d38b7a0.exe
"C:\Users\Admin\AppData\Local\Temp\550f334594409643ec19d7f10d38b7a0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\beddddcjca.exe
  C:\Users\Admin\AppData\Local\Temp\beddddcjca.exe 5!0!3!4!5!4!8!3!1!6!4 KlBGQDgtMTA1LRwqU1I+S0U8Oi8aK0lFUVNKTkNGQzctIDItbG1rXHJibmpcbWI5TWFhamBhYRsvQUVOUEFBPCwzMjEvHCo/QUE8KhwqUE9LP1E7UV5DQDgyMzUvLxgsUj9OUUVPW1BORDpnbnBrOiwrbm5uK0M/T0YtUUtLKTlNTyhFSUZMHCo/REZCRUU/PR0rPy01KjAaKz8yOiksHCdBMjcpLCAsQC85JS4fKUAwPSotGytIT04+UT5UXExNRU4+QlM5Gy9NTkpATUBTWUFQTD45GytIT04+UT5UXEo8ST06HylBU0VcUU1INR0uP1RAX0BJP0hBS0Q3HCpITE9PWzpPTlFPQFI6MRsrTEVASEdUT1JbUE5EOh8pUkg9LxwqQEsuPBorTVVLUERJPVxWP0g+T0pBREk5RERPTkc9HStET1dPVEhQRE1COW9ubWIfKU5AVFJOSUVGRF5PT0BSXEA8VUs6MRorQ0lBQVM5KR0uQ09aRFZKPElBQF4/Sj5SVkxPQTw6ZVtobmUdKz9LT0tLST0/X0ZMODAxKy8oLTA1Ky0wLRgsU0NJQD0uMC4vKzA3LS0sICxASlNGSU47QFpURklAOS4sMikuKzEyJiw2Ky45Ly0lUEo=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705021237.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705021237.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705021237.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705021237.txt bios get version
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705021237.txt bios get version
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81705021237.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy406B.tmp\bgmerfu.dll

Filesize
41KB

MD5
55998724e9cf95fb0c3f7b81d8105cda

SHA1
f382789dd6c66ee5843c5bda4c6e1e81821e3519

SHA256
bc5939fee9ac8b9d5036bd37b51e46714aee7a19fa7d21006676b66cdbedeebc

SHA512
68e3569281d6bed2c54f38219321f326d5981c2c1b59bbf46427b111a692770ca338b9410e4090546e08eaeb5b390faa5d91934bd1cd4131a527b9e30ea5507d

Download Submit
\Users\Admin\AppData\Local\Temp\beddddcjca.exe

Filesize
763KB

MD5
4de23a38cc70c86ace4feb8d1cf0ecea

SHA1
3523e50679f2db330fec6192897a906cf7788dbe

SHA256
f3904d329072529639690a0c98371a7e99f3b1fafd6230406ca7706367292713

SHA512
91979ecc56220b11574d81eaead02228f8226d01b19a140ff5d7e5abc4dfca8ace30b961a556b66e94fd87a3ceaa6d3916393a6748e0c9bdd17b48f84e16528a

Download Submit
\Users\Admin\AppData\Local\Temp\beddddcjca.exe

Filesize
381KB

MD5
cf8f9dcf1ae86852dfbe3927db86256f

SHA1
9f9f5198cf8cfcd4dd92b6d49adb3908864126e3

SHA256
8465fd96b5ad330c3caff89e34cd50d80c036c781314329e36e00e7d002cb9d5

SHA512
636fd7b5cf91a8711706d55c2d457b27784be7929b7e1cc4679a2689542a30769f0a522552f609eaeaa16f0c07e9f18183e508c828d36c4f14978007d92fe04d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy406B.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy406B.tmp\bgmerfu.dll

Filesize
112KB

MD5
4e67a114449d9a6f96d121a2b192a0e3

SHA1
fdb2e21ee71be04264582f66e9162168c29719a0

SHA256
d7382375104421594a4edae629df645874d32646e6afa55fe6dff451ce9ea66a

SHA512
c05f7dcad74756ec5bbee61a67a2913e8aec8f0c4f74ab6a90c67c218158349b906a1d539d405a911499ad32944ff9a3b0a0ea04a191e4f872b801c2fbe443d8

Download Submit