21f8c57f7b987e665d400ff7542c34528aac712b6a1c45d18c336b22940478fd

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7df6ebac28de20ebbdf09f570d5c6b3.exe
Size

642KB
MD5

c7df6ebac28de20ebbdf09f570d5c6b3
SHA1

cbe182de2a56a8d84d0aa80e37e1331ef1961422
SHA256

21f8c57f7b987e665d400ff7542c34528aac712b6a1c45d18c336b22940478fd
SHA512

33fc619f95f2832de08d7f0304dec588f3e1bacc9369316ca302bbd52c781a5d2130d20bf4450ae98cfd92035777739dce95105b10e798f082689729c4eb11c9
SSDEEP

12288:c6ARp+7TjVtM3JvOT7MqYiTVMrLTn6sJIvPJTfUn6D8tExkrJ0mTQPT3RZTafc8Y:cBRpEOJvOTiwm6AI5bdw/Z8P7RZT386x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2556	bedfhegfae.exe

Loads dropped DLL 11 IoCs

pid	Process
1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe
1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe
1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe
1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
332	2556	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2332	wmic.exe
Token: SeSecurityPrivilege	2332	wmic.exe
Token: SeTakeOwnershipPrivilege	2332	wmic.exe
Token: SeLoadDriverPrivilege	2332	wmic.exe
Token: SeSystemProfilePrivilege	2332	wmic.exe
Token: SeSystemtimePrivilege	2332	wmic.exe
Token: SeProfSingleProcessPrivilege	2332	wmic.exe
Token: SeIncBasePriorityPrivilege	2332	wmic.exe
Token: SeCreatePagefilePrivilege	2332	wmic.exe
Token: SeBackupPrivilege	2332	wmic.exe
Token: SeRestorePrivilege	2332	wmic.exe
Token: SeShutdownPrivilege	2332	wmic.exe
Token: SeDebugPrivilege	2332	wmic.exe
Token: SeSystemEnvironmentPrivilege	2332	wmic.exe
Token: SeRemoteShutdownPrivilege	2332	wmic.exe
Token: SeUndockPrivilege	2332	wmic.exe
Token: SeManageVolumePrivilege	2332	wmic.exe
Token: 33	2332	wmic.exe
Token: 34	2332	wmic.exe
Token: 35	2332	wmic.exe
Token: SeIncreaseQuotaPrivilege	2468	wmic.exe
Token: SeSecurityPrivilege	2468	wmic.exe
Token: SeTakeOwnershipPrivilege	2468	wmic.exe
Token: SeLoadDriverPrivilege	2468	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2556	1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe	28
PID 1352 wrote to memory of 2556	1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe	28
PID 1352 wrote to memory of 2556	1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe	28
PID 1352 wrote to memory of 2556	1352	c7df6ebac28de20ebbdf09f570d5c6b3.exe	28
PID 2556 wrote to memory of 2844	2556	bedfhegfae.exe	29
PID 2556 wrote to memory of 2844	2556	bedfhegfae.exe	29
PID 2556 wrote to memory of 2844	2556	bedfhegfae.exe	29
PID 2556 wrote to memory of 2844	2556	bedfhegfae.exe	29
PID 2556 wrote to memory of 2332	2556	bedfhegfae.exe	32
PID 2556 wrote to memory of 2332	2556	bedfhegfae.exe	32
PID 2556 wrote to memory of 2332	2556	bedfhegfae.exe	32
PID 2556 wrote to memory of 2332	2556	bedfhegfae.exe	32
PID 2556 wrote to memory of 2468	2556	bedfhegfae.exe	34
PID 2556 wrote to memory of 2468	2556	bedfhegfae.exe	34
PID 2556 wrote to memory of 2468	2556	bedfhegfae.exe	34
PID 2556 wrote to memory of 2468	2556	bedfhegfae.exe	34
PID 2556 wrote to memory of 2116	2556	bedfhegfae.exe	36
PID 2556 wrote to memory of 2116	2556	bedfhegfae.exe	36
PID 2556 wrote to memory of 2116	2556	bedfhegfae.exe	36
PID 2556 wrote to memory of 2116	2556	bedfhegfae.exe	36
PID 2556 wrote to memory of 1412	2556	bedfhegfae.exe	38
PID 2556 wrote to memory of 1412	2556	bedfhegfae.exe	38
PID 2556 wrote to memory of 1412	2556	bedfhegfae.exe	38
PID 2556 wrote to memory of 1412	2556	bedfhegfae.exe	38
PID 2556 wrote to memory of 332	2556	bedfhegfae.exe	40
PID 2556 wrote to memory of 332	2556	bedfhegfae.exe	40
PID 2556 wrote to memory of 332	2556	bedfhegfae.exe	40
PID 2556 wrote to memory of 332	2556	bedfhegfae.exe	40

C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe
"C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe
  C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe 2^4^9^5^3^1^2^0^2^1^8 LUxAPzowNzM0MhgtT0w9TUhCPS4fJ0xBS1JMUUlJQjwpIy4na29uYnVhc2ZfaVw4T2RnbV9mXR4rO0RQU0dEOzEvNS0pGyxCR0Q7LxgtTElKQVRBVF1IPDsuLTQxMh4vUURKVEFJWlJRSj1mc2xuNiYqcHF0LkJES0kpS0pNLD9QTi1BTEJGGyxCSklBSkFCORcqQTA7LS8fJ0IuNCguHy1EMTwlLxwmPzE8KzEeLjwzOSQsHS5OUk1DTUFQVktPSFRBQVg1HitHTUxDU0NSXj1TSDg4HS5OUk1DTUFQVkk+TEM9Hi49VkFWUE9LOyAtRFBDWzpIQUtHTkM8GC1ERk5RXkBSTVZLQ040MB0uUkg/TUNXS0xaUlFKPR4uTks5KRssQ1ExOx8nUFFFT0ZMQ19VRERBS0RARkw/R0NUSko5FypGUl1SU01MR0k8OHFxc2UeLkpDUExNS0hMR11US0NOVj8+WFE9MB8nRkU7QFU8LyAtSEtdQFBJPkxHQ11ERkFOUEtRREI9ZGBkcWEXKkFOVU5KTjlCW0BLOjMvLjQ0Ji80KSkuODIgLVNBS0E0LDEyMzczMys0NBcqQU5VTkpOOUJbS0RKRDs3LTAnMCwoMCcwMDoxODIwNCFLSg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396336.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396336.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396336.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396336.txt bios get version
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396336.txt bios get version
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81710396336.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
512KB

MD5
7e870f7eeb2bdbfd2d93d60706d6de34

SHA1
2e9aa01fe7366e67d054689560dee0078e7b1525

SHA256
92a0632e3615926e3c807b29ca76c6527729f9b43977a94f801a7c01970cb0f2

SHA512
ca32b084ae9146b9d25c67b74d7c51fd9d13c2075d79c8c9208f6f2532eef7d86bdaec09f9abcb490d5a50e476e336cd7a0cc810634dc1ca8789867b84015d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
475KB

MD5
5bb1dfe8c7b6dddbb88fa4ab02be2263

SHA1
e07fd89c08be6de39f79086d7a83255559d9229c

SHA256
b53cbe2fb6e03d379a8d83d49fea84aef649e0f042ef3e63ec7300b2cce92a31

SHA512
c89b17b5029acefc0638b362b4980f42842c1f39672705441e3bb9e99bf7cd6720654692ffe40dd8c5aa26962a882c1c8f8a49ac23755bd1f31aa5ab2c78643d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7003.tmp\docqoul.dll

Filesize
166KB

MD5
53151bef33d66c48ac125453d985793f

SHA1
c7698b54280742fe8dc745ce736e8e4344c09477

SHA256
014565ad3a80d4767fbd327ea6b078fce2e80017cba355c302c91aa034984eaf

SHA512
b2f3e118573c037bf759d2b7fb5ee5278abc574244d635d21eef0018aa062429fe03ad0a4256b1a1b1f16070d3819f99d728442a74e02d4ece7ceec5ea4ec041

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
128KB

MD5
fe055e1aa8590beca826c6968e5bedb2

SHA1
3e692131e364a0d80458c54588f259e1658fdba9

SHA256
f6bc2c8357cd27cc90f8a51d2f719a8c124eb97bed7f274e80970ba5ba1928be

SHA512
58e82b4e1ea4e46348fe265cf7ad5d97caa1f47aa12f5c87b9b2e95374f7970327428c3752a5471668142ed11f2b55930f040ada629ea5d3dae9c73c68cc7c25

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
576KB

MD5
fba87f8ddb8f75b4af20347782cd4801

SHA1
30d3e2308c9f5f17f64938139aba15c365acd5f3

SHA256
cd4584dbc022a408c39252645e97b20629a20b3c7912553b80a7710bd41d525e

SHA512
752032db3df32dc42bba1ce457e7707241a45493ff6c06b497ac2215e0e5418a20ced5f84dcf45bc11831ff674491c6cb4428ca469ee50069fd9eeb03b8af862

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
64KB

MD5
21c1ed29945c195e5ebc785898cf7a51

SHA1
1dc5f9675c3208336b03ca9b8f85ac3228558b60

SHA256
799588a5a46b2723e230a722d25ef8cd1a02c1da58e493fd1888445b8e515b60

SHA512
c492858f6a844520449eb8352f3534797d09209665111f25c5f3f77e0e5b1601c2737b8df9d6920c8cc2829a1df01306e4abd056257245248d07e5d20e93d905

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
704KB

MD5
7f676292cd44917e4dd7d26dc63d1e56

SHA1
a35fbe6aedda0bcca06477664d048f05e10a606e

SHA256
67e1f9dae006fd2082f3fefab815438dba6ca7d564476720a5ce9c1eb7a14755

SHA512
7078a919496962fab03ca88289db3fe0fe83056b478438c69aef3a558866c03947fd5b3c80a9a533e17c9a976e77fd5c5c3ab3527493d30c993580e243da90fe

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
640KB

MD5
f1f0df97a537b9004ef8385cb3b86aa2

SHA1
e8fd3ebfffa155fb2c980ddc62818e50288e9658

SHA256
87dfd9e8fd540e54ab96a41e121dae16378ed910f84c909656e9a60e52f4ff76

SHA512
f6e42e836f605b6b3903bbd645f8b4d9025b2e41f4874a471764297bcfa095e85fef01d828c4579aaf27964efed140ee1d205efebaea9f9e06b9a5b90791e94c

Download Submit
\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
763KB

MD5
ab63528ff6d78d76b683b002f4572360

SHA1
09bd7d4eaec671f0c99cb6b98f32bca75397349b

SHA256
4cf5c585a5770746ed1c99e45b17e51283307b53742de668d3186adc8ff8f9e0

SHA512
fcf4344f9439efa5c54511048d802f4cd62dd0825b76836025ccbe9c484c2f55f830846bc75cd194bc62e919cc671d3484c8a23829f7dfa532b0e6db11486990

Download Submit
\Users\Admin\AppData\Local\Temp\nso7003.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit