22047a945f05b46c4c8629074f9e57b94510f05e417209e8d9c9ec14cc095b45

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 12:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe
Size

686KB
MD5

5b47d9bf6cf5411b19d3d8f9a9fd1e82
SHA1

b86dc8793521b252407542ff1fa1097dfc194516
SHA256

22047a945f05b46c4c8629074f9e57b94510f05e417209e8d9c9ec14cc095b45
SHA512

363643bdbc9d49edfed31d1627e5e2403b9a7f9c9418c7c1665410cc84e48e69e8f1b242b9317f803a682195eb13a20ab9d1e56c1ba3029d236c028f85e4d069
SSDEEP

12288:xz6FQBspIUyAOZmYrLVkV6T8PtyX76G4KNfc8vy4hp:xG2sGUyhnLY6oPtyP4d86Y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	bedfiibhca.exe

Loads dropped DLL 11 IoCs

pid	Process
2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe
2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe
2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe
2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
984	2780	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2688	wmic.exe
Token: SeSecurityPrivilege	2688	wmic.exe
Token: SeTakeOwnershipPrivilege	2688	wmic.exe
Token: SeLoadDriverPrivilege	2688	wmic.exe
Token: SeSystemProfilePrivilege	2688	wmic.exe
Token: SeSystemtimePrivilege	2688	wmic.exe
Token: SeProfSingleProcessPrivilege	2688	wmic.exe
Token: SeIncBasePriorityPrivilege	2688	wmic.exe
Token: SeCreatePagefilePrivilege	2688	wmic.exe
Token: SeBackupPrivilege	2688	wmic.exe
Token: SeRestorePrivilege	2688	wmic.exe
Token: SeShutdownPrivilege	2688	wmic.exe
Token: SeDebugPrivilege	2688	wmic.exe
Token: SeSystemEnvironmentPrivilege	2688	wmic.exe
Token: SeRemoteShutdownPrivilege	2688	wmic.exe
Token: SeUndockPrivilege	2688	wmic.exe
Token: SeManageVolumePrivilege	2688	wmic.exe
Token: 33	2688	wmic.exe
Token: 34	2688	wmic.exe
Token: 35	2688	wmic.exe
Token: SeIncreaseQuotaPrivilege	2688	wmic.exe
Token: SeSecurityPrivilege	2688	wmic.exe
Token: SeTakeOwnershipPrivilege	2688	wmic.exe
Token: SeLoadDriverPrivilege	2688	wmic.exe
Token: SeSystemProfilePrivilege	2688	wmic.exe
Token: SeSystemtimePrivilege	2688	wmic.exe
Token: SeProfSingleProcessPrivilege	2688	wmic.exe
Token: SeIncBasePriorityPrivilege	2688	wmic.exe
Token: SeCreatePagefilePrivilege	2688	wmic.exe
Token: SeBackupPrivilege	2688	wmic.exe
Token: SeRestorePrivilege	2688	wmic.exe
Token: SeShutdownPrivilege	2688	wmic.exe
Token: SeDebugPrivilege	2688	wmic.exe
Token: SeSystemEnvironmentPrivilege	2688	wmic.exe
Token: SeRemoteShutdownPrivilege	2688	wmic.exe
Token: SeUndockPrivilege	2688	wmic.exe
Token: SeManageVolumePrivilege	2688	wmic.exe
Token: 33	2688	wmic.exe
Token: 34	2688	wmic.exe
Token: 35	2688	wmic.exe
Token: SeIncreaseQuotaPrivilege	2240	wmic.exe
Token: SeSecurityPrivilege	2240	wmic.exe
Token: SeTakeOwnershipPrivilege	2240	wmic.exe
Token: SeLoadDriverPrivilege	2240	wmic.exe
Token: SeSystemProfilePrivilege	2240	wmic.exe
Token: SeSystemtimePrivilege	2240	wmic.exe
Token: SeProfSingleProcessPrivilege	2240	wmic.exe
Token: SeIncBasePriorityPrivilege	2240	wmic.exe
Token: SeCreatePagefilePrivilege	2240	wmic.exe
Token: SeBackupPrivilege	2240	wmic.exe
Token: SeRestorePrivilege	2240	wmic.exe
Token: SeShutdownPrivilege	2240	wmic.exe
Token: SeDebugPrivilege	2240	wmic.exe
Token: SeSystemEnvironmentPrivilege	2240	wmic.exe
Token: SeRemoteShutdownPrivilege	2240	wmic.exe
Token: SeUndockPrivilege	2240	wmic.exe
Token: SeManageVolumePrivilege	2240	wmic.exe
Token: 33	2240	wmic.exe
Token: 34	2240	wmic.exe
Token: 35	2240	wmic.exe
Token: SeIncreaseQuotaPrivilege	2240	wmic.exe
Token: SeSecurityPrivilege	2240	wmic.exe
Token: SeTakeOwnershipPrivilege	2240	wmic.exe
Token: SeLoadDriverPrivilege	2240	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2780	2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe	28
PID 2252 wrote to memory of 2780	2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe	28
PID 2252 wrote to memory of 2780	2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe	28
PID 2252 wrote to memory of 2780	2252	5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe	28
PID 2780 wrote to memory of 2688	2780	bedfiibhca.exe	29
PID 2780 wrote to memory of 2688	2780	bedfiibhca.exe	29
PID 2780 wrote to memory of 2688	2780	bedfiibhca.exe	29
PID 2780 wrote to memory of 2688	2780	bedfiibhca.exe	29
PID 2780 wrote to memory of 2240	2780	bedfiibhca.exe	32
PID 2780 wrote to memory of 2240	2780	bedfiibhca.exe	32
PID 2780 wrote to memory of 2240	2780	bedfiibhca.exe	32
PID 2780 wrote to memory of 2240	2780	bedfiibhca.exe	32
PID 2780 wrote to memory of 2616	2780	bedfiibhca.exe	34
PID 2780 wrote to memory of 2616	2780	bedfiibhca.exe	34
PID 2780 wrote to memory of 2616	2780	bedfiibhca.exe	34
PID 2780 wrote to memory of 2616	2780	bedfiibhca.exe	34
PID 2780 wrote to memory of 2092	2780	bedfiibhca.exe	36
PID 2780 wrote to memory of 2092	2780	bedfiibhca.exe	36
PID 2780 wrote to memory of 2092	2780	bedfiibhca.exe	36
PID 2780 wrote to memory of 2092	2780	bedfiibhca.exe	36
PID 2780 wrote to memory of 564	2780	bedfiibhca.exe	38
PID 2780 wrote to memory of 564	2780	bedfiibhca.exe	38
PID 2780 wrote to memory of 564	2780	bedfiibhca.exe	38
PID 2780 wrote to memory of 564	2780	bedfiibhca.exe	38
PID 2780 wrote to memory of 984	2780	bedfiibhca.exe	40
PID 2780 wrote to memory of 984	2780	bedfiibhca.exe	40
PID 2780 wrote to memory of 984	2780	bedfiibhca.exe	40
PID 2780 wrote to memory of 984	2780	bedfiibhca.exe	40

C:\Users\Admin\AppData\Local\Temp\5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe
"C:\Users\Admin\AppData\Local\Temp\5b47d9bf6cf5411b19d3d8f9a9fd1e82.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\bedfiibhca.exe
  C:\Users\Admin\AppData\Local\Temp\bedfiibhca.exe 7*6*4*8*6*7*8*9*1*9*3 KEpFPDcqMSo1Kh0oTVE6SkI8NC8XLEc/UE9JS0NAQzQuHiwsaGxoXGxia2taZ2E1TF5hZGBeYhkpQEFNTUE7PCk0MCsuGCk8QTs8Jx0oSk5HPk47S15AQTYsMjEuLBgmUjxPTz9OV09LRDRna3FpNCsnbWtuJUM8UEQnUEdKJjlHTyVGR0BLGCk8REBCQkY9NxwnPio1JDAXLD0sOSUrGSc7MjQqKhorPC42JSgfJkEuNykpGihISU47UjxOW0hMQk44QlA6GSlMSkk9TTpTVkJORj01GihISU47UjxOW0Y7Rj00HyZCUT9bTUxFNRcuPFU+WT9FPkVBRUQ0HShCS0tOWDpJTk5QPkw5LRooTD9ARUhSSVFXT0tENB8mU0Y3LhgpPUsoPBcsS09KTENGPVZWPEk8SUk9Q0Y5PkRMT0U3HCdDTFdJVEVRQkdBNW5rbVwfJk8+TlFKSEJGPl5MUD5MWzw7Uks0MRcsQUNAPVI2KRcuQFBYPlVGO0ZBOl48SzxMVUhOPjw0ZVhpbF8cJz5IT0VLRj49WUVINzAuJTEoKysuNCYsLCsXLkc+SztIRD9FV0BNSlE6Rkg1YFpkamQXLE1DST03KiwqNC81LjAvLhooPEZWRUlIO0BXTkJFPDwuLCwpLigrLiIoOSc0MysyIjtG
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705236641.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705236641.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705236641.txt bios get version
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705236641.txt bios get version
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705236641.txt bios get version
    3⤵
    PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81705236641.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81705236641.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81705236641.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5793.tmp\guivgig.dll

Filesize
161KB

MD5
4512019defa05ddabaf404bb9198c0d5

SHA1
11766c8aab95eab088817bc092668649be343081

SHA256
9d9098ab22edbe4a14e9f879a1e348c480752b49db07d3856874e5f3c53c86c5

SHA512
8d073a81c2314abce508664f1df2f2f3a6a1f88685ed0074832e78a3793da144d068ad82535d9c9008fa73a0fc44d8f9e7fb63ede0bc04fd05bdf0fa42802948

Download Submit
\Users\Admin\AppData\Local\Temp\bedfiibhca.exe

Filesize
906KB

MD5
3aaaefc6817e0c8ae1fce64cd5f55827

SHA1
7ab0f49d2e1be9b6d9cb11e0c0b389377eee4306

SHA256
c8a41afa20f1dc0b2cc25c74d66093b842418ceb46e1932f36977848e0993788

SHA512
247ee530ad2b2326e28414bdc4861a5d652fdd2ac70c2a143740a89bfa5c5ce7cae44abe5ae2f8c88a067ce15d12f7bd5d76bea28f837ee6e492ac07c307dae5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5793.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit