Analysis
max time kernel: 134s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/03/2024, 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: RefTechnical Drawing Sheet.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: RefTechnical Drawing Sheet.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Bedwarmer.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Bedwarmer.ps1
  Resource: win10v2004-20240226-en
General
Target: Bedwarmer.ps1
Size: 58KB
MD5: aae5fcb1e66470ef7a08ea335b80ac05
SHA1: 9422c0898c87a134c72c6ffa35c594d93dba9dc9
SHA256: 8bd9205c7c8f112ff5cba1307842eddccc18e20e227cccb7b74e6a24e686b8b0
SHA512: 031d187a47a9b687d6822f34e74029f2f1cf4eb8687dc2846a3d84efbf9d30d5459870842a22cdab89130915501e2593f79b2a32da5c266d382120e0a042b072
SSDEEP: 1536:kIA6tvaB6ot7AWRT/HFQzHYDLaKzxxkRq:kIltiBhzlQELaKzjD
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  1052 | powershell.exe (8 identical entries)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1052 | powershell.exe
  Token: SeShutdownPrivilege | 1272 | explorer.exe (12 identical entries)

Suspicious use of FindShellTrayWindow (30 IoCs)
  pid | Process
  1272 | explorer.exe (30 identical entries)

Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  1272 | explorer.exe (18 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1052 wrote to memory of 1296 | 1052 | powershell.exe | 32 (3 identical entries)
  PID 1052 wrote to memory of 2476 | 1052 | powershell.exe | 36 (3 identical entries)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Bedwarmer.ps1
  PID: 1052
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    PID: 1296

  Child: C:\Windows\system32\wermgr.exe
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1052" "1140"
    PID: 2476

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1272
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 36d7256076304a52c0027aff6c9cef8d
SHA1: 8b0549de49e71356ae3cde0ce0923f2f9946c3a2
SHA256: 512b0c3dc2d37b408a125f9fbe738e818aeedf92e2e2e419605127422a5b4ac8
SHA512: 517811181fb898775a7e1cbf2ab65ab857e1008c38b8bc1e39787575ef4d7760fd7513d4db429cdd619a5b1e110fa9960cc87687d49512ebd543dd995a9a4035