21f8c57f7b987e665d400ff7542c34528aac712b6a1c45d18c336b22940478fd

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7df6ebac28de20ebbdf09f570d5c6b3.exe
Size

642KB
MD5

c7df6ebac28de20ebbdf09f570d5c6b3
SHA1

cbe182de2a56a8d84d0aa80e37e1331ef1961422
SHA256

21f8c57f7b987e665d400ff7542c34528aac712b6a1c45d18c336b22940478fd
SHA512

33fc619f95f2832de08d7f0304dec588f3e1bacc9369316ca302bbd52c781a5d2130d20bf4450ae98cfd92035777739dce95105b10e798f082689729c4eb11c9
SSDEEP

12288:c6ARp+7TjVtM3JvOT7MqYiTVMrLTn6sJIvPJTfUn6D8tExkrJ0mTQPT3RZTafc8Y:cBRpEOJvOTiwm6AI5bdw/Z8P7RZT386x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1552	bedfhegfae.exe

Loads dropped DLL 2 IoCs

pid	Process
4640	c7df6ebac28de20ebbdf09f570d5c6b3.exe
4640	c7df6ebac28de20ebbdf09f570d5c6b3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	1552	WerFault.exe	99

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe
Token: SeSecurityPrivilege	1992	wmic.exe
Token: SeTakeOwnershipPrivilege	1992	wmic.exe
Token: SeLoadDriverPrivilege	1992	wmic.exe
Token: SeSystemProfilePrivilege	1992	wmic.exe
Token: SeSystemtimePrivilege	1992	wmic.exe
Token: SeProfSingleProcessPrivilege	1992	wmic.exe
Token: SeIncBasePriorityPrivilege	1992	wmic.exe
Token: SeCreatePagefilePrivilege	1992	wmic.exe
Token: SeBackupPrivilege	1992	wmic.exe
Token: SeRestorePrivilege	1992	wmic.exe
Token: SeShutdownPrivilege	1992	wmic.exe
Token: SeDebugPrivilege	1992	wmic.exe
Token: SeSystemEnvironmentPrivilege	1992	wmic.exe
Token: SeRemoteShutdownPrivilege	1992	wmic.exe
Token: SeUndockPrivilege	1992	wmic.exe
Token: SeManageVolumePrivilege	1992	wmic.exe
Token: 33	1992	wmic.exe
Token: 34	1992	wmic.exe
Token: 35	1992	wmic.exe
Token: 36	1992	wmic.exe
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe
Token: SeSecurityPrivilege	1992	wmic.exe
Token: SeTakeOwnershipPrivilege	1992	wmic.exe
Token: SeLoadDriverPrivilege	1992	wmic.exe
Token: SeSystemProfilePrivilege	1992	wmic.exe
Token: SeSystemtimePrivilege	1992	wmic.exe
Token: SeProfSingleProcessPrivilege	1992	wmic.exe
Token: SeIncBasePriorityPrivilege	1992	wmic.exe
Token: SeCreatePagefilePrivilege	1992	wmic.exe
Token: SeBackupPrivilege	1992	wmic.exe
Token: SeRestorePrivilege	1992	wmic.exe
Token: SeShutdownPrivilege	1992	wmic.exe
Token: SeDebugPrivilege	1992	wmic.exe
Token: SeSystemEnvironmentPrivilege	1992	wmic.exe
Token: SeRemoteShutdownPrivilege	1992	wmic.exe
Token: SeUndockPrivilege	1992	wmic.exe
Token: SeManageVolumePrivilege	1992	wmic.exe
Token: 33	1992	wmic.exe
Token: 34	1992	wmic.exe
Token: 35	1992	wmic.exe
Token: 36	1992	wmic.exe
Token: SeIncreaseQuotaPrivilege	1096	wmic.exe
Token: SeSecurityPrivilege	1096	wmic.exe
Token: SeTakeOwnershipPrivilege	1096	wmic.exe
Token: SeLoadDriverPrivilege	1096	wmic.exe
Token: SeSystemProfilePrivilege	1096	wmic.exe
Token: SeSystemtimePrivilege	1096	wmic.exe
Token: SeProfSingleProcessPrivilege	1096	wmic.exe
Token: SeIncBasePriorityPrivilege	1096	wmic.exe
Token: SeCreatePagefilePrivilege	1096	wmic.exe
Token: SeBackupPrivilege	1096	wmic.exe
Token: SeRestorePrivilege	1096	wmic.exe
Token: SeShutdownPrivilege	1096	wmic.exe
Token: SeDebugPrivilege	1096	wmic.exe
Token: SeSystemEnvironmentPrivilege	1096	wmic.exe
Token: SeRemoteShutdownPrivilege	1096	wmic.exe
Token: SeUndockPrivilege	1096	wmic.exe
Token: SeManageVolumePrivilege	1096	wmic.exe
Token: 33	1096	wmic.exe
Token: 34	1096	wmic.exe
Token: 35	1096	wmic.exe
Token: 36	1096	wmic.exe
Token: SeIncreaseQuotaPrivilege	1096	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1552	4640	c7df6ebac28de20ebbdf09f570d5c6b3.exe	99
PID 4640 wrote to memory of 1552	4640	c7df6ebac28de20ebbdf09f570d5c6b3.exe	99
PID 4640 wrote to memory of 1552	4640	c7df6ebac28de20ebbdf09f570d5c6b3.exe	99
PID 1552 wrote to memory of 1992	1552	bedfhegfae.exe	100
PID 1552 wrote to memory of 1992	1552	bedfhegfae.exe	100
PID 1552 wrote to memory of 1992	1552	bedfhegfae.exe	100
PID 1552 wrote to memory of 1096	1552	bedfhegfae.exe	104
PID 1552 wrote to memory of 1096	1552	bedfhegfae.exe	104
PID 1552 wrote to memory of 1096	1552	bedfhegfae.exe	104
PID 1552 wrote to memory of 4440	1552	bedfhegfae.exe	106
PID 1552 wrote to memory of 4440	1552	bedfhegfae.exe	106
PID 1552 wrote to memory of 4440	1552	bedfhegfae.exe	106
PID 1552 wrote to memory of 4472	1552	bedfhegfae.exe	108
PID 1552 wrote to memory of 4472	1552	bedfhegfae.exe	108
PID 1552 wrote to memory of 4472	1552	bedfhegfae.exe	108
PID 1552 wrote to memory of 3432	1552	bedfhegfae.exe	110
PID 1552 wrote to memory of 3432	1552	bedfhegfae.exe	110
PID 1552 wrote to memory of 3432	1552	bedfhegfae.exe	110

C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe
"C:\Users\Admin\AppData\Local\Temp\c7df6ebac28de20ebbdf09f570d5c6b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe
  C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe 2^4^9^5^3^1^2^0^2^1^8 LUxAPzowNzM0MhgtT0w9TUhCPS4fJ0xBS1JMUUlJQjwpIy4na29uYnVhc2ZfaVw4T2RnbV9mXR4rO0RQU0dEOzEvNS0pGyxCR0Q7LxgtTElKQVRBVF1IPDsuLTQxMh4vUURKVEFJWlJRSj1mc2xuNiYqcHF0LkJES0kpS0pNLD9QTi1BTEJGGyxCSklBSkFCORcqQTA7LS8fJ0IuNCguHy1EMTwlLxwmPzE8KzEeLjwzOSQsHS5OUk1DTUFQVktPSFRBQVg1HitHTUxDU0NSXj1TSDg4HS5OUk1DTUFQVkk+TEM9Hi49VkFWUE9LOyAtRFBDWzpIQUtHTkM8GC1ERk5RXkBSTVZLQ040MB0uUkg/TUNXS0xaUlFKPR4uTks5KRssQ1ExOx8nUFFFT0ZMQ19VRERBS0RARkw/R0NUSko5FypGUl1SU01MR0k8OHFxc2UeLkpDUExNS0hMR11US0NOVj8+WFE9MB8nRkU7QFU8LyAtSEtdQFBJPkxHQ11ERkFOUEtRREI9ZGBkcWEXKkFOVU5KTjlCW0BLOjMvLjQ0Ji80KSkuODIgLVNBS0E0LDEyMzczMys0NBcqQU5VTkpOOUJbS0RKRDs3LTAnMCwoMCcwMDoxODIwNCFLSg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710396344.txt bios get version
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 952
    3⤵
    - Program crash
    PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1552 -ip 1552
1⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81710396344.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81710396344.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81710396344.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfhegfae.exe

Filesize
763KB

MD5
ab63528ff6d78d76b683b002f4572360

SHA1
09bd7d4eaec671f0c99cb6b98f32bca75397349b

SHA256
4cf5c585a5770746ed1c99e45b17e51283307b53742de668d3186adc8ff8f9e0

SHA512
fcf4344f9439efa5c54511048d802f4cd62dd0825b76836025ccbe9c484c2f55f830846bc75cd194bc62e919cc671d3484c8a23829f7dfa532b0e6db11486990

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc23B1.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc23B1.tmp\docqoul.dll

Filesize
166KB

MD5
53151bef33d66c48ac125453d985793f

SHA1
c7698b54280742fe8dc745ce736e8e4344c09477

SHA256
014565ad3a80d4767fbd327ea6b078fce2e80017cba355c302c91aa034984eaf

SHA512
b2f3e118573c037bf759d2b7fb5ee5278abc574244d635d21eef0018aa062429fe03ad0a4256b1a1b1f16070d3819f99d728442a74e02d4ece7ceec5ea4ec041

Download Submit