Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 13/06/2024, 02:45
Static task: static1
Behavioral task: behavioral1
  Sample: a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
Behavioral task: behavioral3
  Sample: beehdhgehc.exe
  Resource: win7-20240611-en
Behavioral task: behavioral4
  Sample: beehdhgehc.exe
  Resource: win10v2004-20240508-en
General
Target: beehdhgehc.exe
Size: 563KB
MD5: 9d01412819ca4fb532c81a5335d76854
SHA1: ff840af40527eb8a05927036af54140d07a1ba33
SHA256: dc239681ea4e27fbe2a678f0182b8adf47a3d0b2687d1d8b7a9e3416324ca7c1
SHA512: d25be4cadcfc67ec5c5454a488ce03e9cce45e5f02238baca129c363d370174818822f78230155949c577ff6d240ed12af32d94700d4fe91dd4b3121664ddaff
SSDEEP: 12288:NCsn5OejVsQwDgLMUB5vIXbyVxbHFoVlbOzKBztyAH40:NCyPB+D8MUB5vIXbyVxbHFKl62Bz4AHh
Malware Config
Signatures
Program crash 1 IoCs
pid    pid_target   Process        procid_target
2700   1748         WerFault.exe   27
Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token) / pid / Process, grouped by process:
wmic.exe PID 1928 (the same 20-token sequence is recorded twice, 40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe PID 2392 (20 entries): the same 20 tokens, in the same order, from SeIncreaseQuotaPrivilege through 35
wmic.exe PID 2748 (4 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory 24 IoCs
description                              pid    Process          procid_target
PID 1748 wrote to memory of 1928 (x4)    1748   beehdhgehc.exe   28
PID 1748 wrote to memory of 2392 (x4)    1748   beehdhgehc.exe   31
PID 1748 wrote to memory of 2748 (x4)    1748   beehdhgehc.exe   33
PID 1748 wrote to memory of 2772 (x4)    1748   beehdhgehc.exe   35
PID 1748 wrote to memory of 2800 (x4)    1748   beehdhgehc.exe   37
PID 1748 wrote to memory of 2700 (x4)    1748   beehdhgehc.exe   39
Processes
C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe"
  PID: 1748
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get serialnumber
      PID: 1928
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version
      PID: 2392
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version
      PID: 2748
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version
      PID: 2772
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version
      PID: 2800
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 372
      PID: 2700
      Signatures: Program crash
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 66B
MD5: 9025468f85256136f923096b01375964
SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51