Malware Analysis Report

2025-04-14 02:57

Sample ID 240613-c817rsvgmn
Target a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118
SHA256 7312a1a3a228cef5f0749c2dfa14f758e88bde7a3943aa6fced63e39c99fd7e7
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7312a1a3a228cef5f0749c2dfa14f758e88bde7a3943aa6fced63e39c99fd7e7

Threat Level: Shows suspicious behavior

The file a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary
Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:45

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:45

Reported

2024-06-13 02:48

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 1732 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 1732 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 1732 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 2376 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2376 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe 5|8|4|0|0|0|5|4|7|8|5 …

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 372

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp

Files

\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

MD5 9d01412819ca4fb532c81a5335d76854
SHA1 ff840af40527eb8a05927036af54140d07a1ba33
SHA256 dc239681ea4e27fbe2a678f0182b8adf47a3d0b2687d1d8b7a9e3416324ca7c1
SHA512 d25be4cadcfc67ec5c5454a488ce03e9cce45e5f02238baca129c363d370174818822f78230155949c577ff6d240ed12af32d94700d4fe91dd4b3121664ddaff

C:\Users\Admin\AppData\Local\Temp\81718246741.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:45

Reported

2024-06-13 02:48

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 4728 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 4728 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
PID 2248 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2248 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe 5|8|4|0|0|0|5|4|7|8|5 KkhFRD0yLi8ZJ05QOkxJRD0rHChGQE9PS1JLST85KhgqP0FPVElEOC4uLyssGCtDSUQ4LBknS01HQFVDVFpFPTUsMTEwIC9TQE5PPU1aTU5MPWhvcGkyKiprbnYuREBPRCVPSkgpQVBQKUVHPkobJz9MSUNGRT01KysuMzYxMDM0KSosNC4zMTYzMC4vAhsqPC09JTQrIS0oPkdBQU5ULT8+JkE/ICwsJTQwGys9KjgoKRwvRDM4KSoYKj8sOS0xICpALjUoLBgrUFJPP1E8TFpLSkVWQUNUORknS01HQFVDVFpBTkQ8OBgrUFJPP1E8TFpJOUlFPSAqQVE9WlBKSD0gL0BUPlc+SDxISU5FOBwoQEpOTFtCUk9STz5KODAYK1RIQUlHUkdQWk1OTD0gKlJGNS0bJ0BTMT0bK0tNSU9BSUVfV0BIPEdIQEFJQUdFUE5FNRsqQU9fUlVJUEJFQDhsbnVlICpOPkxQTUZFTkdfUE8+Slo/OVVTPTIbK0FBP0BQOTEgL0RPWDxUSTlJSUNfQEo8SlRLTEFEPWZcaGxdGyo8S1dOTEo9PVdESzUuMDguLC0pJjQuJi0yMiAqTDpKPEdEQUxfSUlPTTlHRzVwcnVlGytNQUhANS00NDcuNCksMy8YK0RPV0lISDk/WkxFTUU9LC0oKS4qKiwxNSotNikwNSssJkFN

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246742.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246742.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246742.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246742.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246742.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 844

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

MD5 9d01412819ca4fb532c81a5335d76854
SHA1 ff840af40527eb8a05927036af54140d07a1ba33
SHA256 dc239681ea4e27fbe2a678f0182b8adf47a3d0b2687d1d8b7a9e3416324ca7c1
SHA512 d25be4cadcfc67ec5c5454a488ce03e9cce45e5f02238baca129c363d370174818822f78230155949c577ff6d240ed12af32d94700d4fe91dd4b3121664ddaff

C:\Users\Admin\AppData\Local\Temp\81718246742.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718246742.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81718246742.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 02:45

Reported

2024-06-13 02:48

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1748 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1748 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1748 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1748 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

"C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246737.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 372

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\81718246737.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 02:45

Reported

2024-06-13 02:48

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1116 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe

"C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246738.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246738.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246738.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246738.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246738.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\81718246738.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718246738.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81718246738.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e