Malware Analysis Report

2025-04-14 03:45

Sample ID 240612-xg3xhazbrr
Target a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118
SHA256 372e30dd35885550123f9d0e9282151fe547aa61c096ae954429740d70f0002b
Tags
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

372e30dd35885550123f9d0e9282151fe547aa61c096ae954429740d70f0002b

Threat Level: Shows suspicious behavior

The file a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:50

Signatures

NSIS installer


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:50

Reported

2024-06-12 18:52

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2188 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2188 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2188 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2188 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2188 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe 2#2#8#1#0#4#1#7#9#5#6

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp

Files

\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

MD5 414ca68096786397f155d633555090ff
SHA1 a606ee5818f05a0aafa29dba839ce33184d381fc
SHA256 ecca7e207947afd7cd3e30b130707047576bbd0980cfe4be58d9e7c91a661297
SHA512 7b499850d173bf740a9fc9f69c87139ec24c7cdded79bbe2fbc6bff44005e5f26cfccb6db436929cbaa396676b040f8d31fde4ae662dc00a3f20455f5d3ac898

C:\Users\Admin\AppData\Local\Temp\81718218224.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:50

Reported

2024-06-12 18:52

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe
PID 3980 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3980 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3980 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3980 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3980 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe 2#2#8#1#0#4#1#7#9#5#6

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3980 -ip 3980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 960

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 srv.desk-top-app.info udp

Files

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

MD5 414ca68096786397f155d633555090ff
SHA1 a606ee5818f05a0aafa29dba839ce33184d381fc
SHA256 ecca7e207947afd7cd3e30b130707047576bbd0980cfe4be58d9e7c91a661297
SHA512 7b499850d173bf740a9fc9f69c87139ec24c7cdded79bbe2fbc6bff44005e5f26cfccb6db436929cbaa396676b040f8d31fde4ae662dc00a3f20455f5d3ac898

C:\Users\Admin\AppData\Local\Temp\81718218224.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718218224.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81718218224.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 18:50

Reported

2024-06-12 18:52

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2156 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2156 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2156 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2156 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 372

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\81718218224.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 18:50

Reported

2024-06-12 18:52

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4240 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4240 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe

"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218227.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218227.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218227.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218227.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218227.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 696

Network

Files

C:\Users\Admin\AppData\Local\Temp\81718218227.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718218227.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81718218227.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e