Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2024, 06:05
Static task
static1
Behavioral task
behavioral1
Sample
c7df6ebac28de20ebbdf09f570d5c6b3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c7df6ebac28de20ebbdf09f570d5c6b3.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/docqoul.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/docqoul.dll
Resource
win10v2004-20240226-en
General
-
Target
c7df6ebac28de20ebbdf09f570d5c6b3.exe
-
Size
642KB
-
MD5
c7df6ebac28de20ebbdf09f570d5c6b3
-
SHA1
cbe182de2a56a8d84d0aa80e37e1331ef1961422
-
SHA256
21f8c57f7b987e665d400ff7542c34528aac712b6a1c45d18c336b22940478fd
-
SHA512
33fc619f95f2832de08d7f0304dec588f3e1bacc9369316ca302bbd52c781a5d2130d20bf4450ae98cfd92035777739dce95105b10e798f082689729c4eb11c9
-
SSDEEP
12288:c6ARp+7TjVtM3JvOT7MqYiTVMrLTn6sJIvPJTfUn6D8tExkrJ0mTQPT3RZTafc8Y:cBRpEOJvOTiwm6AI5bdw/Z8P7RZT386x
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1552 bedfhegfae.exe -
Loads dropped DLL 2 IoCs
pid Process 4640 c7df6ebac28de20ebbdf09f570d5c6b3.exe 4640 c7df6ebac28de20ebbdf09f570d5c6b3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1480 1552 WerFault.exe 99 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1992 wmic.exe Token: SeSecurityPrivilege 1992 wmic.exe Token: SeTakeOwnershipPrivilege 1992 wmic.exe Token: SeLoadDriverPrivilege 1992 wmic.exe Token: SeSystemProfilePrivilege 1992 wmic.exe Token: SeSystemtimePrivilege 1992 wmic.exe Token: SeProfSingleProcessPrivilege 1992 wmic.exe Token: SeIncBasePriorityPrivilege 1992 wmic.exe Token: SeCreatePagefilePrivilege 1992 wmic.exe Token: SeBackupPrivilege 1992 wmic.exe Token: SeRestorePrivilege 1992 wmic.exe Token: SeShutdownPrivilege 1992 wmic.exe Token: SeDebugPrivilege 1992 wmic.exe Token: SeSystemEnvironmentPrivilege 1992 wmic.exe Token: SeRemoteShutdownPrivilege 1992 wmic.exe Token: SeUndockPrivilege 1992 wmic.exe Token: SeManageVolumePrivilege 1992 wmic.exe Token: 33 1992 wmic.exe Token: 34 1992 wmic.exe Token: 35 1992 wmic.exe Token: 36 1992 wmic.exe Token: SeIncreaseQuotaPrivilege 1992 wmic.exe Token: SeSecurityPrivilege 1992 wmic.exe Token: SeTakeOwnershipPrivilege 1992 wmic.exe Token: SeLoadDriverPrivilege 1992 wmic.exe Token: SeSystemProfilePrivilege 1992 wmic.exe Token: SeSystemtimePrivilege 1992 wmic.exe Token: SeProfSingleProcessPrivilege 1992 wmic.exe Token: SeIncBasePriorityPrivilege 1992 wmic.exe Token: SeCreatePagefilePrivilege 1992 wmic.exe Token: SeBackupPrivilege 1992 wmic.exe Token: SeRestorePrivilege 1992 wmic.exe Token: SeShutdownPrivilege 1992 wmic.exe Token: SeDebugPrivilege 1992 wmic.exe Token: SeSystemEnvironmentPrivilege 1992 wmic.exe Token: SeRemoteShutdownPrivilege 1992 wmic.exe Token: SeUndockPrivilege 1992 wmic.exe Token: SeManageVolumePrivilege 1992 wmic.exe Token: 33 1992 wmic.exe Token: 34 1992 wmic.exe Token: 35 1992 wmic.exe Token: 36 1992 wmic.exe Token: SeIncreaseQuotaPrivilege 1096 wmic.exe Token: SeSecurityPrivilege 1096 wmic.exe Token: SeTakeOwnershipPrivilege 1096 wmic.exe Token: SeLoadDriverPrivilege 1096 wmic.exe Token: SeSystemProfilePrivilege 1096 wmic.exe Token: SeSystemtimePrivilege 1096 wmic.exe Token: SeProfSingleProcessPrivilege 1096 wmic.exe Token: SeIncBasePriorityPrivilege 1096 wmic.exe Token: SeCreatePagefilePrivilege 1096 wmic.exe Token: SeBackupPrivilege 1096 wmic.exe Token: SeRestorePrivilege 1096 wmic.exe Token: SeShutdownPrivilege 1096 wmic.exe Token: SeDebugPrivilege 1096 wmic.exe Token: SeSystemEnvironmentPrivilege 1096 wmic.exe Token: SeRemoteShutdownPrivilege 1096 wmic.exe Token: SeUndockPrivilege 1096 wmic.exe Token: SeManageVolumePrivilege 1096 wmic.exe Token: 33 1096 wmic.exe Token: 34 1096 wmic.exe Token: 35 1096 wmic.exe Token: 36 1096 wmic.exe Token: SeIncreaseQuotaPrivilege 1096 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4640 wrote to memory of 1552 4640 c7df6ebac28de20ebbdf09f570d5c6b3.exe 99 PID 4640 wrote to memory of 1552 4640 c7df6ebac28de20ebbdf09f570d5c6b3.exe 99 PID 4640 wrote to memory of 1552 4640 c7df6ebac28de20ebbdf09f570d5c6b3.exe 99 PID 1552 wrote to memory of 1992 1552 bedfhegfae.exe 100 PID 1552 wrote to memory of 1992 1552 bedfhegfae.exe 100 PID 1552 wrote to memory of 1992 1552 bedfhegfae.exe 100 PID 1552 wrote to memory of 1096 1552 bedfhegfae.exe 104 PID 1552 wrote to memory of 1096 1552 bedfhegfae.exe 104 PID 1552 wrote to memory of 1096 1552 bedfhegfae.exe 104 PID 1552 wrote to memory of 4440 1552 bedfhegfae.exe 106 PID 1552 wrote to memory of 4440 1552 bedfhegfae.exe 106 PID 1552 wrote to memory of 4440 1552 bedfhegfae.exe 106 PID 1552 wrote to memory of 4472 1552 bedfhegfae.exe 108 PID 1552 wrote to memory of 4472 1552 bedfhegfae.exe 108 PID 1552 wrote to memory of 4472 1552 bedfhegfae.exe 108 PID 1552 wrote to memory of 3432 1552 bedfhegfae.exe 110 PID 1552 wrote to memory of 3432 1552 bedfhegfae.exe 110 PID 1552 wrote to memory of 3432 1552 bedfhegfae.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe"C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exeC:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe 2^4^9^5^3^1^2^0^2^1^8 LUxAPzowNzM0MhgtT0w9TUhCPS4fJ0xBS1JMUUlJQjwpIy4na29uYnVhc2ZfaVw4T2RnbV9mXR4rO0RQU0dEOzEvNS0pGyxCR0Q7LxgtTElKQVRBVF1IPDsuLTQxMh4vUURKVEFJWlJRSj1mc2xuNiYqcHF0LkJES0kpS0pNLD9QTi1BTEJGGyxCSklBSkFCORcqQTA7LS8fJ0IuNCguHy1EMTwlLxwmPzE8KzEeLjwzOSQsHS5OUk1DTUFQVktPSFRBQVg1HitHTUxDU0NSXj1TSDg4HS5OUk1DTUFQVkk+TEM9Hi49VkFWUE9LOyAtRFBDWzpIQUtHTkM8GC1ERk5RXkBSTVZLQ040MB0uUkg/TUNXS0xaUlFKPR4uTks5KRssQ1ExOx8nUFFFT0ZMQ19VRERBS0RARkw/R0NUSko5FypGUl1SU01MR0k8OHFxc2UeLkpDUExNS0hMR11US0NOVj8+WFE9MB8nRkU7QFU8LyAtSEtdQFBJPkxHQ11ERkFOUEtRREI9ZGBkcWEXKkFOVU5KTjlCW0BLOjMvLjQ0Ji80KSkuODIgLVNBS0E0LDEyMzczMys0NBcqQU5VTkpOOUJbS0RKRDs3LTAnMCwoMCcwMDoxODIwNCFLSg==2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version3⤵PID:4440
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version3⤵PID:4472
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version3⤵PID:3432
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 9523⤵
- Program crash
PID:1480
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1552 -ip 15521⤵PID:2304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:81⤵PID:3056
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
58B
MD5dd876faf0fd44a5fab3e82368e2e8b15
SHA101b04083fa278dda3a81705ca5abcfee487a3c90
SHA2565602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
763KB
MD5ab63528ff6d78d76b683b002f4572360
SHA109bd7d4eaec671f0c99cb6b98f32bca75397349b
SHA2564cf5c585a5770746ed1c99e45b17e51283307b53742de668d3186adc8ff8f9e0
SHA512fcf4344f9439efa5c54511048d802f4cd62dd0825b76836025ccbe9c484c2f55f830846bc75cd194bc62e919cc671d3484c8a23829f7dfa532b0e6db11486990
-
Filesize
163KB
MD52dc35ddcabcb2b24919b9afae4ec3091
SHA19eeed33c3abc656353a7ebd1c66af38cccadd939
SHA2566bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
SHA5120ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901
-
Filesize
166KB
MD553151bef33d66c48ac125453d985793f
SHA1c7698b54280742fe8dc745ce736e8e4344c09477
SHA256014565ad3a80d4767fbd327ea6b078fce2e80017cba355c302c91aa034984eaf
SHA512b2f3e118573c037bf759d2b7fb5ee5278abc574244d635d21eef0018aa062429fe03ad0a4256b1a1b1f16070d3819f99d728442a74e02d4ece7ceec5ea4ec041