16d681be14d8f00afc7acde622c3b43bf6ac03721c08e10e9fdec3f20c3e9ca9

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

901672e22b3f6af676f091440e476b74.exe
Size

698KB
MD5

901672e22b3f6af676f091440e476b74
SHA1

234655b78c106187be3ea19f02c7a3b1651543f7
SHA256

16d681be14d8f00afc7acde622c3b43bf6ac03721c08e10e9fdec3f20c3e9ca9
SHA512

a27b8c21a93ca1a8087f62b77ac4604c66c5f31953eeacea4258828dc07cab76f9d3c0490b39c5583f8a7276582fe9149fecd318d53b592d3c9ae202dedad001
SSDEEP

12288:bzOOpk1rTckqYbk+edxab7SOXgjSTGiZHal0tZNDZfBvQfc8vy4ha:bzO/vXyrdi7XyG/LVfdl86F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	bedhgjgbdh.exe

Loads dropped DLL 11 IoCs

pid	Process
1272	901672e22b3f6af676f091440e476b74.exe
1272	901672e22b3f6af676f091440e476b74.exe
1272	901672e22b3f6af676f091440e476b74.exe
1272	901672e22b3f6af676f091440e476b74.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	2144	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2888	wmic.exe
Token: SeSecurityPrivilege	2888	wmic.exe
Token: SeTakeOwnershipPrivilege	2888	wmic.exe
Token: SeLoadDriverPrivilege	2888	wmic.exe
Token: SeSystemProfilePrivilege	2888	wmic.exe
Token: SeSystemtimePrivilege	2888	wmic.exe
Token: SeProfSingleProcessPrivilege	2888	wmic.exe
Token: SeIncBasePriorityPrivilege	2888	wmic.exe
Token: SeCreatePagefilePrivilege	2888	wmic.exe
Token: SeBackupPrivilege	2888	wmic.exe
Token: SeRestorePrivilege	2888	wmic.exe
Token: SeShutdownPrivilege	2888	wmic.exe
Token: SeDebugPrivilege	2888	wmic.exe
Token: SeSystemEnvironmentPrivilege	2888	wmic.exe
Token: SeRemoteShutdownPrivilege	2888	wmic.exe
Token: SeUndockPrivilege	2888	wmic.exe
Token: SeManageVolumePrivilege	2888	wmic.exe
Token: 33	2888	wmic.exe
Token: 34	2888	wmic.exe
Token: 35	2888	wmic.exe
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2144	1272	901672e22b3f6af676f091440e476b74.exe	30
PID 1272 wrote to memory of 2144	1272	901672e22b3f6af676f091440e476b74.exe	30
PID 1272 wrote to memory of 2144	1272	901672e22b3f6af676f091440e476b74.exe	30
PID 1272 wrote to memory of 2144	1272	901672e22b3f6af676f091440e476b74.exe	30
PID 2144 wrote to memory of 2828	2144	bedhgjgbdh.exe	28
PID 2144 wrote to memory of 2828	2144	bedhgjgbdh.exe	28
PID 2144 wrote to memory of 2828	2144	bedhgjgbdh.exe	28
PID 2144 wrote to memory of 2828	2144	bedhgjgbdh.exe	28
PID 2144 wrote to memory of 2888	2144	bedhgjgbdh.exe	33
PID 2144 wrote to memory of 2888	2144	bedhgjgbdh.exe	33
PID 2144 wrote to memory of 2888	2144	bedhgjgbdh.exe	33
PID 2144 wrote to memory of 2888	2144	bedhgjgbdh.exe	33
PID 2144 wrote to memory of 2884	2144	bedhgjgbdh.exe	35
PID 2144 wrote to memory of 2884	2144	bedhgjgbdh.exe	35
PID 2144 wrote to memory of 2884	2144	bedhgjgbdh.exe	35
PID 2144 wrote to memory of 2884	2144	bedhgjgbdh.exe	35
PID 2144 wrote to memory of 2632	2144	bedhgjgbdh.exe	38
PID 2144 wrote to memory of 2632	2144	bedhgjgbdh.exe	38
PID 2144 wrote to memory of 2632	2144	bedhgjgbdh.exe	38
PID 2144 wrote to memory of 2632	2144	bedhgjgbdh.exe	38
PID 2144 wrote to memory of 2548	2144	bedhgjgbdh.exe	36
PID 2144 wrote to memory of 2548	2144	bedhgjgbdh.exe	36
PID 2144 wrote to memory of 2548	2144	bedhgjgbdh.exe	36
PID 2144 wrote to memory of 2548	2144	bedhgjgbdh.exe	36
PID 2144 wrote to memory of 1892	2144	bedhgjgbdh.exe	40
PID 2144 wrote to memory of 1892	2144	bedhgjgbdh.exe	40
PID 2144 wrote to memory of 1892	2144	bedhgjgbdh.exe	40
PID 2144 wrote to memory of 1892	2144	bedhgjgbdh.exe	40

C:\Users\Admin\AppData\Local\Temp\901672e22b3f6af676f091440e476b74.exe
"C:\Users\Admin\AppData\Local\Temp\901672e22b3f6af676f091440e476b74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe
  C:\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe 6|8|0|3|6|9|7|7|1|6|3 KUhJQTcpKy81GixNTUJNQzs2KR8pSz9MV0xMQkI9PCsdKTxJUE5APTYxMzErKSAsPUA9Ni8aLEpKT0FPOk1YSD46LDA2MzEXKExETFM/Sl9STEM2YXNubTQnL3BsbSc9RE1IJ0xPTSc4SUktQ0tARyAsPUNCPEpDQTcYL0ErNCYqHylBLDUtLhomPSw8Jy4aJ0QxNyQqGS4+MjclMR0pR0tIQ09ATldQT0NNOjxYNx0pSFJMPkw8TV4/UkY5PR0pR0tIQ09ATldOPkc8Nk5HHy8qQGFgZRwrKVJfcW9oICw/Tz5YVExJNxgvQlI8WDxMPklDRkU6GiZBSFJOXDxKT1RNPEs2LxosTkBBS0VQSE5eT09GNSAsUEQ2Kx8pQU0pPR0pSU5HU0NKP1dXQkY6SEZEQ0o7P0VSTEM2GS5DUFlKVUtOQEY+PG5vb10gLEw8TU5RSEZIP19STTxLWEM7Vk01Mh0pP0I9RFI6KxgvRk1WPVJNO0pDO19CSDpLUk9OQj41Zl5mal4ZLj5MUUZMTDs7WEJPNy4qLy4uMS8nKjgvKywqNR0pRzpLQEZJP0RfRkhKTTpLRjpuanViGiZNQkw/OissMzQxJyoyNjAdKTxPVEhDSDpDWVFDRUU6MSYrLS4sLSstKi40KjIzMjAnO0U=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707078734.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707078734.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707078734.txt bios get version
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707078734.txt bios get version
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1892

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81707078734.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81707078734.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
725KB

MD5
ff3a544011b7d7544b3b89e67ab67f59

SHA1
b1f9c9f635a71bd955319e6f609f205014de81c5

SHA256
7fd5e0093df338e0a86b701ac75799445b71467d25ff94b9702eeaadc33db47d

SHA512
c6d6facd9473f53a8a675232a4095ca9a616c93c21111022b07fb1cc40a044e69395913aa98af9fe9596fee2476ba23e722176e3be70943aba3654d545d6c677

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
685KB

MD5
777ec694bdd16acbae6718ba5a927c00

SHA1
1232ddf622bf3d966bdded7264617c8ccb55c661

SHA256
123ed0588c9a61ab61e364de3933300dcbb88161dda2b0d99e11a0054e031642

SHA512
200d0d90fe15e363d2ff2a45982224032a142535b697b4d86cdfac35eb565a214568e6bf0c34ce3623aa53ef9704cf8f77b4e4159d35df55288b32e0562eed8a

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
737KB

MD5
677b90d24892304645ed4e4c0ec9aa6b

SHA1
809d576e6b7e61bdbad692509406c91019a15598

SHA256
8476d4dcf751f67b9675dd28e7504581ff844ad31cf718a21b2c34f1c476be9d

SHA512
0c3603695a95306dad31c642a21c315da5aa606c910af0be346b4f0de2a122e1406014510c9c7c2d4664bc81eacc1b9c356219369547d1cea2a4696315c59599

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
616KB

MD5
83a426d725cbebe9d26deeb8addfe39d

SHA1
f082739fa4e434c50e5227479f0a8c64f76ea4d3

SHA256
6d916326757ff0230dcd72560236b95242cb153064cff0c4b8865e71491afd58

SHA512
534d7c332471a23ee5069d4371bada1c80b0bb6f1c6ed56cd89dbf6e268234ee6c225bf660294c825902cd695c86ef3c6e525135c5a4f0d33f87bc84ca7a1960

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
516KB

MD5
10c5742aa4f53c97ac4cd4ce0c49377b

SHA1
8b496652a58af85e6592c452fac91a3bff9b034f

SHA256
ca7d28f638190c9ca749c9de57512bb42e0242611338dd320fc2a66cfe5c3c5f

SHA512
3340f7ed6de43ead59a7c94498cb9628b138144aa8e46ac5c7208300becf3795b9b8996a083b44f045ecb1cb87c736a3bd74c822327b30c2cbeed1b123057e05

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
591KB

MD5
e258213671115d99baf6b983260eb67a

SHA1
1e4c555329c1cc928c48e6d2c9fa0b6a210912c3

SHA256
c758bd9bf70613758320b5ee3862bd8785e335a5a2842b923d44a6cb9f157fc6

SHA512
7ff6052b33e7882794886132d1f777b62467e1eafcf7f91dfadbdbedfab4722318081ff3dfd4c84aaa6a9edacc4e7631b883b229e7dd6c7420cfbeaef991872a

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
535KB

MD5
f66ed1ad295a1a63df14363d20c97c4a

SHA1
071327916e6cc806246b35a67a403708f02473ae

SHA256
cbf9166a756b086fa43cd352b3ae4c377ca39617590515ef75b30bff439333b8

SHA512
d326a7fca6907ab759cfd491dde26ea3b83f041d17750c54a4cdff73e3aecab11358f9bd69ec9ed828e1795a7ad56fe13800df0a31ccac4bb715359d46caf46e

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
442KB

MD5
f2681b6f5b05db9ff0904e6a3b7da1b4

SHA1
1e05681b9fdf04e979cb0d1d66e2e913b5a253c6

SHA256
152e7199c4861dab80478713e680636ba22e2776361908fa2515d0b70dc99b78

SHA512
2953e12741e5ed1c73c26d73efacca9288cda72e280a0a534bffbc78203d6214b702509f3ca56a900453af4d44753f45e20f4ab442a9f57a29bedcce11e30bab

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
446KB

MD5
e57f11d16ab21101deb844f98eae8631

SHA1
d21d14adc0c9824a79ea007412c7e1c932322c24

SHA256
6cdc027d15026d2de27ba3eb8f71892d30b18d017012ef0233a55ba277abc8d2

SHA512
c347e7f600ed28e6ece6ba1c58790064cfeb20a22da1afb800d30a3e997eea8cc50b5d1be4ac532f6dc3d0ec6d0e0767f66686e4a4f61f2e54b311d0c9053f43

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
374KB

MD5
c061957bf6f6ab7f5c5bd40596b4d00f

SHA1
9f56ce4c425b5aae846f9e1276e8e6683fc62666

SHA256
cea7bddd428df94b73997970ad383b51d41c1a22a6bc83c9d5a6647239782a37

SHA512
8ac6a0ae9302ae5bac133c0678d7ce7225fd0a5f91897c69033c683711c8c3e3dd4da8c964c10418a0f8a03a1df3569bfe0c4e7d44dbc2fd4255d813fa5d6682

Download Submit
\Users\Admin\AppData\Local\Temp\bedhgjgbdh.exe

Filesize
512KB

MD5
33a3b8589cd03291eabf87eebeadbd63

SHA1
751a19168984b70158beb11d71f1f5596f878ccb

SHA256
d3f28adfe7012d0a9e51c84ed93f4f13af97ea59884502dd4fb895000904ca19

SHA512
9e8496ae2044e3fbcf1015d8820a362910d1f58ab82e739cd3325879425899027c9d124fa3a4245e5f1553764b49ef07775cf2f43a5bccbbcfd0e46af587596b

Download Submit
\Users\Admin\AppData\Local\Temp\nst8D8.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nst8D8.tmp\jqhaleu.dll

Filesize
113KB

MD5
105593c85784013c15e983a018119cb1

SHA1
9a671c268fc471a4aee1b8a1176aef32c7004230

SHA256
351314f3de356a91a8b8a6917642f50eb855593e8e60633d91c27fec9c846a28

SHA512
dd42ea80377795d26b547cd9d7a26b2f1268c1d00bc827e620a30363087feabbd669c7904be3dfb34dad7d45a0a091c214dff8c8f6d7a92049bcd4408c18d089

Download Submit