14aeb92c4d95858c6246f3ac9a9b68170b03c6288813feb5959584ea0c494234

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d155ea3127c462a0aed8cc6c5cf3c8.exe
Size

758KB
MD5

c0d155ea3127c462a0aed8cc6c5cf3c8
SHA1

01d9a77bb58b0d6fc49c20be29a9543bc2c6d6ff
SHA256

14aeb92c4d95858c6246f3ac9a9b68170b03c6288813feb5959584ea0c494234
SHA512

3d21fd900979586da97460d7f25d7e65239a07a068e8a73f5475d029bc06b9dc681031e7154454f8a43bdf1ff0c64cd61dc7bc653d222f2c109413b12d045d5e
SSDEEP

12288:xsGGqZL5j2kPtFcThfUVTNRcz4qpz7f8YWxKVSkMbLtZPHoVGEOvHVzJoc8MtiSq:xsGGqZ9yctFUsBcz4qp3f8YOkwLtWGE/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2564	bedeiffhca.exe

Loads dropped DLL 11 IoCs

pid	Process
460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe
460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe
460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe
460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
528	2564	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	2448	wmic.exe
Token: SeSecurityPrivilege	2448	wmic.exe
Token: SeTakeOwnershipPrivilege	2448	wmic.exe
Token: SeLoadDriverPrivilege	2448	wmic.exe
Token: SeSystemProfilePrivilege	2448	wmic.exe
Token: SeSystemtimePrivilege	2448	wmic.exe
Token: SeProfSingleProcessPrivilege	2448	wmic.exe
Token: SeIncBasePriorityPrivilege	2448	wmic.exe
Token: SeCreatePagefilePrivilege	2448	wmic.exe
Token: SeBackupPrivilege	2448	wmic.exe
Token: SeRestorePrivilege	2448	wmic.exe
Token: SeShutdownPrivilege	2448	wmic.exe
Token: SeDebugPrivilege	2448	wmic.exe
Token: SeSystemEnvironmentPrivilege	2448	wmic.exe
Token: SeRemoteShutdownPrivilege	2448	wmic.exe
Token: SeUndockPrivilege	2448	wmic.exe
Token: SeManageVolumePrivilege	2448	wmic.exe
Token: 33	2448	wmic.exe
Token: 34	2448	wmic.exe
Token: 35	2448	wmic.exe
Token: SeIncreaseQuotaPrivilege	2448	wmic.exe
Token: SeSecurityPrivilege	2448	wmic.exe
Token: SeTakeOwnershipPrivilege	2448	wmic.exe
Token: SeLoadDriverPrivilege	2448	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 2564	460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe	28
PID 460 wrote to memory of 2564	460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe	28
PID 460 wrote to memory of 2564	460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe	28
PID 460 wrote to memory of 2564	460	c0d155ea3127c462a0aed8cc6c5cf3c8.exe	28
PID 2564 wrote to memory of 2848	2564	bedeiffhca.exe	29
PID 2564 wrote to memory of 2848	2564	bedeiffhca.exe	29
PID 2564 wrote to memory of 2848	2564	bedeiffhca.exe	29
PID 2564 wrote to memory of 2848	2564	bedeiffhca.exe	29
PID 2564 wrote to memory of 2448	2564	bedeiffhca.exe	32
PID 2564 wrote to memory of 2448	2564	bedeiffhca.exe	32
PID 2564 wrote to memory of 2448	2564	bedeiffhca.exe	32
PID 2564 wrote to memory of 2448	2564	bedeiffhca.exe	32
PID 2564 wrote to memory of 2332	2564	bedeiffhca.exe	34
PID 2564 wrote to memory of 2332	2564	bedeiffhca.exe	34
PID 2564 wrote to memory of 2332	2564	bedeiffhca.exe	34
PID 2564 wrote to memory of 2332	2564	bedeiffhca.exe	34
PID 2564 wrote to memory of 2920	2564	bedeiffhca.exe	36
PID 2564 wrote to memory of 2920	2564	bedeiffhca.exe	36
PID 2564 wrote to memory of 2920	2564	bedeiffhca.exe	36
PID 2564 wrote to memory of 2920	2564	bedeiffhca.exe	36
PID 2564 wrote to memory of 2656	2564	bedeiffhca.exe	38
PID 2564 wrote to memory of 2656	2564	bedeiffhca.exe	38
PID 2564 wrote to memory of 2656	2564	bedeiffhca.exe	38
PID 2564 wrote to memory of 2656	2564	bedeiffhca.exe	38
PID 2564 wrote to memory of 528	2564	bedeiffhca.exe	40
PID 2564 wrote to memory of 528	2564	bedeiffhca.exe	40
PID 2564 wrote to memory of 528	2564	bedeiffhca.exe	40
PID 2564 wrote to memory of 528	2564	bedeiffhca.exe	40

C:\Users\Admin\AppData\Local\Temp\c0d155ea3127c462a0aed8cc6c5cf3c8.exe
"C:\Users\Admin\AppData\Local\Temp\c0d155ea3127c462a0aed8cc6c5cf3c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Local\Temp\bedeiffhca.exe
  C:\Users\Admin\AppData\Local\Temp\bedeiffhca.exe 7|8|7|1|8|7|8|0|2|2|4 KEhCQzUqMTM0MRwoS05BSEI8PS4eK0c9TVZHS0NJQjstHiopb2poXHVhcmpaZV48Sl5hbV9lYRknPUhLTUFEOzAzMCkrHyc8QUQ7LhwoSEtOPE47VF1HQDYqLzgsLBgvUUNOTz1LXk1LRD1mcnBpMigua2tuLkJDT0QlTU5IJjlQTixFRz5IHyc8RElBSUU9NRkuPCo1LS8eKz0qNiwpGSdEMTspKhgoQyw2JTEeLUAuNSYwGChIUk1CUTxMWE9KQk5BQVc5GSdJUUc9TUNSXUFORDo8GChIUk1CUTxMWE05Rj09Hi1BUT1YVEpFNSAtQ1Q+VzxMPEVBTkM7HChASFJMWDpSTVVPPko2NBgoTEg/TEdSR05eTUtEPR4tUkY1Kx8nPUsxOx4rS01HU0FGPV9VQ0g8R0ZEQUY5R0NTTkU1GS5BTFdSU0xQQkU+PGxrbWUeLU4+TE5RRkJGR11TTz5KWEM5Uks9MB4rQUE9RFA2KSAtR09YPFJNOUZBQ11DSjxKUk9MPjw9ZF9obF0ZLjxIT05KTT09V0JPNSoxMCwwMS4mKjUtJy02Hi1QQkU+PCktKzQ2NDAxLC0fJz1HV0xKSzo8WFNBRj09NC0uKicrLykuIjU4MTAzKC0pOUY=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710167232.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710167232.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710167232.txt bios get version
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710167232.txt bios get version
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710167232.txt bios get version
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81710167232.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81710167232.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81710167232.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeiffhca.exe

Filesize
1.2MB

MD5
ce754e41cd9f64755907d64bca5fdb35

SHA1
d16165dd2707e90c4148da68d8e58c7c4478a82a

SHA256
cf23a829bfc4a05a9b62deab9ffea152c4161fa65e0f3bb192dd6dcf14b24630

SHA512
5962ccc26ed643e1b27c7a4055889e516a7d8bd25ce6627611ef8a47df10f242cff86c4c5c79b040ebe12dca9bfea00c102a8ac76bf073676a1aaed771cae4d7

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiffhca.exe

Filesize
384KB

MD5
009318bb9eb710121a7bb35950fc25e6

SHA1
f241b2a812c8c72a5c05f5e19b3e15f3eee182b7

SHA256
8d337edc5760f8b0469a9bd0e513734c80f1cd7a2d4dca908876c6e3a87b9824

SHA512
ff8c0a716e5c79bd7f8e7e7fb95d923529e4370848695290d4aaf597d1222a5496bc35fca565b8205ff89d187a16d77cd6d5ec99de133001b101fd62567059de

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiffhca.exe

Filesize
192KB

MD5
80a19ed2e81201d6891b24436f7154f8

SHA1
21fc093ae52d82b7c4a3a3c2b91fba97c77778ac

SHA256
3a8d793eba9192f57d538b3ccc3d1c7c8400e4bdef3918e754ba27ec216b0096

SHA512
dcea4f3cbb79daf64559620ea148269af97f51b0494b377ecec2e5229e93857d01fa0e1a9ff4c7c54419204dfc88d42501e1c5aed9ae5824d04ddafda9e92bd5

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiffhca.exe

Filesize
128KB

MD5
b78741ed7b06f0c677dcb6b23f8593a7

SHA1
82b0e74522150a75b886a4e00cfacbf10f157002

SHA256
18d35ded29b7aaa66ad0f9d983d094e0268f029290e1434367978a6ad371876f

SHA512
33e76ac4634cec42686eeac462e8b8013935bdf3dcf333c925307f2ea3e62d532e6330ec4f23d9c43ac529dddb5dc2c3dd80e7dc0d20c78da19c26c698cdf73c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4683.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4683.tmp\nfedklh.dll

Filesize
169KB

MD5
e928cc193e96a40f53a6a55a16a4dad6

SHA1
548016510f804e052f604dbe60992468cbaf1f42

SHA256
0d0b40ea9235dd0efd58dbcb276e7e80c5243bd3da32ae66c7adbcebaf81389d

SHA512
91e35a0a0b2e9783561b3b23d235e01a8cf019fa656866f353ed1814b94fe2cee3a6d7061171d022a34f9d0f9d875ff69c37012c6d62646b604490d535a3f1cc

Download Submit