Analysis
max time kernel: 133s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/03/2024, 07:33
Static task: static1

Behavioral task: behavioral1
  Sample: Ref_Technical Drawing Sheet.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: Ref_Technical Drawing Sheet.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: Bedwarmer.ps1
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: Bedwarmer.ps1
  Resource: win10v2004-20231215-en
General
Target: Bedwarmer.ps1
Size: 58KB
MD5: aae5fcb1e66470ef7a08ea335b80ac05
SHA1: 9422c0898c87a134c72c6ffa35c594d93dba9dc9
SHA256: 8bd9205c7c8f112ff5cba1307842eddccc18e20e227cccb7b74e6a24e686b8b0
SHA512: 031d187a47a9b687d6822f34e74029f2f1cf4eb8687dc2846a3d84efbf9d30d5459870842a22cdab89130915501e2593f79b2a32da5c266d382120e0a042b072
SSDEEP: 1536:kIA6tvaB6ot7AWRT/HFQzHYDLaKzxxkRq:kIltiBhzlQELaKzjD
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  856 | powershell.exe (8 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2292 | explorer.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 856 | powershell.exe
  Token: SeShutdownPrivilege | 2292 | explorer.exe (12 identical entries)

Suspicious use of FindShellTrayWindow (29 IoCs)
  pid | Process
  2292 | explorer.exe (29 identical entries)

Suspicious use of SendNotifyMessage (22 IoCs)
  pid | Process
  2292 | explorer.exe (22 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 856 wrote to memory of 2980 | 856 | powershell.exe | 29 (3 identical entries)
  PID 856 wrote to memory of 2732 | 856 | powershell.exe | 31 (3 identical entries)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Bedwarmer.ps1
  PID: 856
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    PID: 2980

  Level 2: C:\Windows\system32\wermgr.exe
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "856" "1140"
    PID: 2732

Level 1: C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2292
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 5ba36a75fcfed55b0d6f545c4a9bd684
SHA1: 4d3542d14aad9ade62981228ef614f9296fd708c
SHA256: ee35ab49e9081362ad24b3b87d1ad572f323a47a48d18a593520cc2078dc9eb0
SHA512: 67e81dd63b11860349eed18cf451eabf6b0b4325766b9d157dc2db3f7694ab58e862fa9be656ed62b2cfd4c95535e4df84fc36010b62eaed838ee5896d77b5c5