197ab0612c76e350a651a8e879f48c96d8037313adac2365889d6288676584a9

General

Target

beeiehibdh.exe
Size

538KB
MD5

9ea77f6dcce94375a970d3c88a858d35
SHA1

9169860b2c4cae83db68e2df745cb904961acc98
SHA256

2291ef3611c5a92a59ae38da36dfdc60b0487cb54ea17e12c9a396d9ef6e4eed
SHA512

ae549b7f76d70dcde205a342852cbbe00f46477e3982c5b363c96b016781886c8fd908250fc231dd7ae97a10b94561b6184576201f2bbb02685a129d02b9c011
SSDEEP

12288:uU1Clfg+vT8qKgK0mwjy9iN45fUEi0RhvPnaXG:unlfg+k0mwj6DiEPaXG

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1356 2928 WerFault.exe beeiehibdh.exe

pid	pid_target	process	target process
1356	2928	WerFault.exe	beeiehibdh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2980	wmic.exe
Token: SeSecurityPrivilege	2980	wmic.exe
Token: SeTakeOwnershipPrivilege	2980	wmic.exe
Token: SeLoadDriverPrivilege	2980	wmic.exe
Token: SeSystemProfilePrivilege	2980	wmic.exe
Token: SeSystemtimePrivilege	2980	wmic.exe
Token: SeProfSingleProcessPrivilege	2980	wmic.exe
Token: SeIncBasePriorityPrivilege	2980	wmic.exe
Token: SeCreatePagefilePrivilege	2980	wmic.exe
Token: SeBackupPrivilege	2980	wmic.exe
Token: SeRestorePrivilege	2980	wmic.exe
Token: SeShutdownPrivilege	2980	wmic.exe
Token: SeDebugPrivilege	2980	wmic.exe
Token: SeSystemEnvironmentPrivilege	2980	wmic.exe
Token: SeRemoteShutdownPrivilege	2980	wmic.exe
Token: SeUndockPrivilege	2980	wmic.exe
Token: SeManageVolumePrivilege	2980	wmic.exe
Token: 33	2980	wmic.exe
Token: 34	2980	wmic.exe
Token: 35	2980	wmic.exe
Token: SeIncreaseQuotaPrivilege	2980	wmic.exe
Token: SeSecurityPrivilege	2980	wmic.exe
Token: SeTakeOwnershipPrivilege	2980	wmic.exe
Token: SeLoadDriverPrivilege	2980	wmic.exe
Token: SeSystemProfilePrivilege	2980	wmic.exe
Token: SeSystemtimePrivilege	2980	wmic.exe
Token: SeProfSingleProcessPrivilege	2980	wmic.exe
Token: SeIncBasePriorityPrivilege	2980	wmic.exe
Token: SeCreatePagefilePrivilege	2980	wmic.exe
Token: SeBackupPrivilege	2980	wmic.exe
Token: SeRestorePrivilege	2980	wmic.exe
Token: SeShutdownPrivilege	2980	wmic.exe
Token: SeDebugPrivilege	2980	wmic.exe
Token: SeSystemEnvironmentPrivilege	2980	wmic.exe
Token: SeRemoteShutdownPrivilege	2980	wmic.exe
Token: SeUndockPrivilege	2980	wmic.exe
Token: SeManageVolumePrivilege	2980	wmic.exe
Token: 33	2980	wmic.exe
Token: 34	2980	wmic.exe
Token: 35	2980	wmic.exe
Token: SeIncreaseQuotaPrivilege	2656	wmic.exe
Token: SeSecurityPrivilege	2656	wmic.exe
Token: SeTakeOwnershipPrivilege	2656	wmic.exe
Token: SeLoadDriverPrivilege	2656	wmic.exe
Token: SeSystemProfilePrivilege	2656	wmic.exe
Token: SeSystemtimePrivilege	2656	wmic.exe
Token: SeProfSingleProcessPrivilege	2656	wmic.exe
Token: SeIncBasePriorityPrivilege	2656	wmic.exe
Token: SeCreatePagefilePrivilege	2656	wmic.exe
Token: SeBackupPrivilege	2656	wmic.exe
Token: SeRestorePrivilege	2656	wmic.exe
Token: SeShutdownPrivilege	2656	wmic.exe
Token: SeDebugPrivilege	2656	wmic.exe
Token: SeSystemEnvironmentPrivilege	2656	wmic.exe
Token: SeRemoteShutdownPrivilege	2656	wmic.exe
Token: SeUndockPrivilege	2656	wmic.exe
Token: SeManageVolumePrivilege	2656	wmic.exe
Token: 33	2656	wmic.exe
Token: 34	2656	wmic.exe
Token: 35	2656	wmic.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

beeiehibdh.exe

description	pid	process	target process
PID 2928 wrote to memory of 2980	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2980	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2980	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2980	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2656	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2656	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2656	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2656	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2612	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2612	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2612	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2612	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2588	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2588	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2588	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2588	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2488	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2488	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2488	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 2488	2928	beeiehibdh.exe	wmic.exe
PID 2928 wrote to memory of 1356	2928	beeiehibdh.exe	WerFault.exe
PID 2928 wrote to memory of 1356	2928	beeiehibdh.exe	WerFault.exe
PID 2928 wrote to memory of 1356	2928	beeiehibdh.exe	WerFault.exe
PID 2928 wrote to memory of 1356	2928	beeiehibdh.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\beeiehibdh.exe
"C:\Users\Admin\AppData\Local\Temp\beeiehibdh.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716340516.txt bios get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716340516.txt bios get version
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716340516.txt bios get version
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716340516.txt bios get version
2⤵
PID:2588

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716340516.txt bios get version
2⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 372
2⤵
- Program crash
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716340516.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads