b0567bf7f7bc01115f2543c15d01b54e6203b8aeb0b9f3f825a7a6387388c17c

General

Target

Newsoftwares.exe
Size

288KB
MD5

4a99cba59f2b4dee2ee00008a9d05c51
SHA1

610a01f81450435e1f27f9bcc8667b2d70df1047
SHA256

e856ec7bc5fffc6b47454658106fe7321f3c41c5c1dff82a19ee6395bb3717b9
SHA512

cf32e48033737fd28ad74635440b9141e4c644d746303fbb55705d9896f69cad2013c946275ce85f0da7922e6bef94c450a94329d37dbb3a39f9567667b2668a
SSDEEP

6144:FFJ0Ptm/YvbLh0JRjPC3pazLmVWs+Mw1jVc/x0nDONlhieyAYux:wEA50323G6cAw1O/x0nDOtio

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

befeejabed.exe

pid process

2272 befeejabed.exe
Loads dropped DLL 5 IoCs

Processes:

Newsoftwares.exeWerFault.exe

pid process

1192 Newsoftwares.exe
2512 WerFault.exe
2512 WerFault.exe
2512 WerFault.exe
2512 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2512 2272 WerFault.exe befeejabed.exe

pid	process
2272	befeejabed.exe

pid	process
1192	Newsoftwares.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe

pid	pid_target	process	target process
2512	2272	WerFault.exe	befeejabed.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe
Token: SeManageVolumePrivilege	2884	wmic.exe
Token: 33	2884	wmic.exe
Token: 34	2884	wmic.exe
Token: 35	2884	wmic.exe
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe
Token: SeManageVolumePrivilege	2884	wmic.exe
Token: 33	2884	wmic.exe
Token: 34	2884	wmic.exe
Token: 35	2884	wmic.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Newsoftwares.exebefeejabed.exe

description	pid	process	target process
PID 1192 wrote to memory of 2272	1192	Newsoftwares.exe	befeejabed.exe
PID 1192 wrote to memory of 2272	1192	Newsoftwares.exe	befeejabed.exe
PID 1192 wrote to memory of 2272	1192	Newsoftwares.exe	befeejabed.exe
PID 1192 wrote to memory of 2272	1192	Newsoftwares.exe	befeejabed.exe
PID 2272 wrote to memory of 2884	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2884	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2884	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2884	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2608	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2608	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2608	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2608	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2720	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2720	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2720	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2720	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2820	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2820	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2820	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2820	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2744	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2744	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2744	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2744	2272	befeejabed.exe	wmic.exe
PID 2272 wrote to memory of 2512	2272	befeejabed.exe	WerFault.exe
PID 2272 wrote to memory of 2512	2272	befeejabed.exe	WerFault.exe
PID 2272 wrote to memory of 2512	2272	befeejabed.exe	WerFault.exe
PID 2272 wrote to memory of 2512	2272	befeejabed.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Newsoftwares.exe
"C:\Users\Admin\AppData\Local\Temp\Newsoftwares.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\befeejabed.exe
C:\Users\Admin\AppData\Local\Temp\befeejabed.exe 9!0!7!4!1!0!4!6!3!1!2 JlBCQDwxNTIxMR4mU04+T0lANy0fLUVFTVNOUkdDQTwvFy89RVJURT46MTctMDIcLkNFPjovHiZQS0tDVT9OXEhCNDIxNDU0HClQRFBNRUtbVFJIN2Vzcmc6KCtycnIoQURRQi1NS08tPUpNLUdFRkgcLkNIQ0BKRzs9GStDMTknLh8tOzI2KTAgKz4wPCsoIChAMz0pKx0uQiw9Ji0fL0xMTENTOlRYTFFJUjtAWDsXL0lOTkRRPVFeQ0xMOjkfL0xMTENTOlRYSkBNQTdMc2ZcchkrRFhBWVJRSjQgKEFXRVs9SkNKQE4+OR8vRElQU105UkhTUkVONzIfLUtIOkpKWUtPXFRQQz0ZK1VNOSwdLkJKMTYcLlJRSFFISzxfUEFLQ0tHQkhLOEc+UVFMORosSFFWUk5KU0lJPzpzcGxlGStRRVBPT01HRUdYUVJFTllBQFdKPSscLkhFPkJXOyggKEVSX0BTS0BLQENYQU1DTlNNU0M7PV9da3NhGixDTU5ORUtARFtDTTwwJzgnLTAwKjMwLS8pMhkrT0FOO0lLQ0NfQkpSVD1GSTxyaXVeHC5URUdCPC8rNS01LzQ0Ki4fLTtPUEpLTz0+XFNHREU2Li44KywtMDQhNDMtMjouKydASw==
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716308446.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716308446.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716308446.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716308446.txt bios get version
3⤵
PID:2820

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716308446.txt bios get version
3⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 368
3⤵
- Loads dropped DLL
- Program crash
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716308446.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\befeejabed.exe

Filesize
568KB

MD5
a4e3d3ccd35ed83abdcc004db2092b2d

SHA1
f289a9a1d5aabeadd3d868ae0af099bf2e31a5e3

SHA256
e456949843d43f8bc31d575ba43ce788ebe6ca54aa11db78e480ce94553ab47f

SHA512
1325f969f66bc952ab0f23d29f6d83b1fd2277948de588f809582f2650a5373a0dd2d8d0b1a02c66f6fd3c5e98de59c961f21e68130813d1c5a7f50bdb74be7c

Download Submit

Analysis

Sharing