Malware Analysis Report

2025-01-18 01:59

Sample ID 240613-jmzv5stepp
Target a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118
SHA256 783712fbae3fcd1f5eccc582495080087c80f17f8f65901d82da4b0529cd74fd
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

783712fbae3fcd1f5eccc582495080087c80f17f8f65901d82da4b0529cd74fd

Threat Level: Shows suspicious behavior

The file a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:47

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:47

Reported

2024-06-13 07:50

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 1992 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 1992 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 1992 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2700 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe
PID 2700 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe
PID 2700 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe
PID 2700 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe 4,9,6,5,5,9,1,5,6,2,0 …

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264874.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264874.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264874.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264874.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264874.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp

Files

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

MD5 14f6bb0efdc609c80df44019bd131025
SHA1 21bde03107c603fd4613125b2c5db8f5ac601280
SHA256 3549df4fae9f38fd98baa38f3efb0908c6d6bdecaee647068abc6113935ebeed
SHA512 17f9920d5b5e39b2c24b49ff1a5440c3a9d0b2d198684d61f29f01e00b6b6943ae94087fb195bc68bbd9cf661f981946c470d233293b57b18caa9afbf73ae551

C:\Users\Admin\AppData\Local\Temp\81718264874.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:47

Reported

2024-06-13 07:50

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 1124 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 1124 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe
PID 888 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 888 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a47dca799c4b7851c6bcaa5ac968be3f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe 4,9,6,5,5,9,1,5,6,2,0 K0dDPzgpMi4sNSArSk89S0BDOCoeL0o8TlJKSUpEPjsxHCY+RE5LSD83MDkzLSobKjpIPzcuICtHTEo/TEJPWUdEOSkzKysnHypNQ1JSPExaUElLOGJydGwxKSpuaXUpPkNTRyROSkskQEtKLElKPUkbKjpLRD1JSUA0cGJ1QXYwTm9WaVhAK0hPSTFBTmFeUXRsTEZ0cU9IakRML1pEX2hmMDZSUXAnK2I7VjMvUDVeMGdITFgxRFllUjU8L3JeUVJvVEFpVDleM047QnFsb2FwS0dHdWsvYHFRMTFFPko/XUJkSjdXT2EwXG85by1fHi9AKDcoLBcuPyw7LS0XKT8uNCwsGi1EMDQnLBsmQzA3KzEcJkpNSjtUPk5dUE5AUDw+UDwbKU5SSztPPk9WRFBGPz0cJkpNSjtUPk5dTj1EPzhrajFaXGdvbyV0ZGsXLkBSQ19RSUY4GyZEUz9dQ0k7RkRJPDwbKUZPT0tZPU1GVk4/UD0xFylPQzhNRlNNVVtMTEc4Fy5RRzsyHCY+Tiw0MSwqNzgcJkxQSUtISD9dV0FDPUpIPEhIO0VFUUlGOBsmSE5ZUFVKS0NIQDRzbW9jICtJP09QSU1ESEVfUUo/TVo7QFRNOzIcJkJEPzxXOCseL0VKWT9URUBIQ0FfQUU9TVRHU0A+O2ZdY21gGyZDSlFMTEs4PlpERzwtKjYuLSgqKTQqLSwsMCArRztNPENLQEZdSUpKTjxHQzxvbHNlHCZOREg8PCwuMzEsJy0wLS4fKj5NV0pDSTw/VlNER0M9LSkpLTAmMSsrMyotKTQuLTEvMiQ/TQ==

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 888 -ip 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 864

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp

Files

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

MD5 14f6bb0efdc609c80df44019bd131025
SHA1 21bde03107c603fd4613125b2c5db8f5ac601280
SHA256 3549df4fae9f38fd98baa38f3efb0908c6d6bdecaee647068abc6113935ebeed
SHA512 17f9920d5b5e39b2c24b49ff1a5440c3a9d0b2d198684d61f29f01e00b6b6943ae94087fb195bc68bbd9cf661f981946c470d233293b57b18caa9afbf73ae551

C:\Users\Admin\AppData\Local\Temp\81718264875.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718264875.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81718264875.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 07:47

Reported

2024-06-13 07:50

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2736 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

"C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264878.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264878.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264878.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264878.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264878.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 376

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\81718264878.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 07:47

Reported

2024-06-13 07:50

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
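Every row of the table above names wmic.exe as the process; befajjefdg.exe itself appears nowhere in it. The same 21 privileges repeat in ascending LUID order, three full times and then one more row before the table ends at 64 rows, although this run has five wmic.exe processes, so the table is capped rather than complete. The numeric rows 33 to 36 are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Taken together, the 21 are the privileges an elevated administrator token holds but leaves disabled by default, which is what a process enabling everything it has in one AdjustTokenPrivileges call looks like; wmic.exe does this on every start, whatever query it was given, so the signature describes the tool, not the sample. The following Python is an added example, not part of the report, that decodes the rows and splits them into per-process runs. The rows are constructed to mirror the report's layout, and the rule that a repeated privilege starts a new run is a heuristic of this example.

```python
"""Added example (not part of the sandbox report): decode the
"Suspicious use of AdjustPrivilegeToken" rows, map numeric entries to
winnt.h privilege names, and split the rows into per-process runs so
the table reads as "wmic.exe enabled every privilege it holds" rather
than as 64 separate events.
"""
import re

# Privilege LUIDs from winnt.h for the rows the sandbox left unnamed.
LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Alarming from an unknown binary, expected from an elevated built-in tool
# that enables everything its token already holds.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}

# Flattened "Token: <priv> <indicator> <process> <target>" row layout.
ROW_RE = re.compile(r"^Token:\s+(?P<tok>\S+)\s+\S+\s+(?P<proc>\S+)")

# Constructed input mirroring the report: the 21-entry sequence, three full
# repetitions plus one row of a fourth, all attributed to wmic.exe.
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
NAMED = [
    "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege", "SeSystemEnvironmentPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeManageVolumePrivilege",
    "33", "34", "35", "36",
]
SAMPLE_ROWS = [f"Token: {t} N/A {WMIC} N/A" for t in NAMED * 3 + NAMED[:1]]


def resolve(token):
    """Map a table token to a privilege name; numeric tokens are LUIDs."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID#{token}")
    return token


def parse_rows(rows):
    """Yield (privilege_name, process_path) for each well-formed row."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield resolve(m.group("tok")), m.group("proc")


def split_runs(rows):
    """Group rows into runs; a privilege seen twice starts a new run.

    Heuristic of this example: one token adjustment enables each privilege
    once, so a repeat means another process (or another call)."""
    runs, current, seen = [], [], set()
    for name, proc in parse_rows(rows):
        if name in seen:
            runs.append(current)
            current, seen = [], set()
        current.append((name, proc))
        seen.add(name)
    if current:
        runs.append(current)
    return runs


def assess(rows):
    """Summarise runs, whether full runs agree, truncation and processes."""
    runs = split_runs(rows)
    if not runs:
        return {"runs": 0, "run_lengths": [], "identical_full_runs": False,
                "truncated": False, "high_value_enabled": [], "processes": []}
    lengths = [len(r) for r in runs]
    longest = max(lengths)
    full_sets = {frozenset(n for n, _ in r) for r in runs if len(r) == longest}
    first = {n for n, _ in runs[0]}
    return {
        "runs": len(runs),
        "run_lengths": lengths,
        "identical_full_runs": len(full_sets) == 1,
        "truncated": lengths[-1] < longest,  # last run cut off by the row cap
        "high_value_enabled": sorted(HIGH_VALUE & first),
        "processes": sorted({p for r in runs for _, p in r}),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The useful fact about this sample is not in this table but in the WriteProcessMemory rows, which show befajjefdg.exe as the parent that spawned the wmic.exe processes; a privilege signature that only ever names a Microsoft-signed tool should be read against the process tree before it contributes to a verdict.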

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1224 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe

"C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1224 -ip 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680
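The five wmic.exe processes listed above, and the matching five in behavioral3, are the dropped befajjefdg.exe writing the BIOS serial number and BIOS version to a file under %TEMP% with WMIC's /output switch, a common first step in checking whether the host is a virtual machine or sandbox, since hypervisors expose distinctive values in those fields. The two WerFault.exe command lines then point, via -p, at the sample's own PID (1224 here, 2736 in the win7 run), so the recorded crash is the sample crashing, not wmic. Two of the listed artefacts make poor indicators: the output filename changes per run (the last ten digits of 81718264875 and 81718264878 read as Unix epochs for 2024-06-13 07:47:55 and 07:47:58 UTC, the submission minute), and the output file whose SHA256 begins d5418014 is WMIC's own output and is identical across the win7 and win10 runs. The only network activity recorded in this run is six reverse-DNS (PTR) queries to 8.8.8.8; no outbound connection is attributed to the sample. The following Python is an added example, not part of the report, that parses the command lines above; the epoch reading of the filename is an assumption drawn from the report's timestamps, and the set of BIOS properties treated as fingerprinting is this example's choice.

```python
"""Added example (not part of the sandbox report): triage the command
lines listed under "Processes" so the WMIC BIOS fingerprinting pattern,
the crashing process and the timestamp-derived output filename are
pulled out by code rather than by eye.
"""
import re
from datetime import datetime, timezone

# Constructed input: the behavioral4 command lines, copied from the
# report's "Processes" section, one per entry.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\befajjefdg.exe"',
    r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get serialnumber",
    r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version",
    r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version",
    r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version",
    r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81718264875.txt bios get version",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1224 -ip 1224",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680",
]

# "wmic /output:<file> bios get <property>": /output redirects the query
# result to a file instead of the console.
WMIC_BIOS_RE = re.compile(
    r"^wmic\s+/output:(?P<out>\S+)\s+bios\s+get\s+(?P<prop>\w+)\s*$", re.IGNORECASE
)
# WerFault's "-p <pid>" names the process being reported on; "-pss" and
# "-u" are reporting modes and carry no PID of their own.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)
# Assumption: "<digit><10 digits>.txt" carries a Unix epoch in the last ten
# digits. Inferred from the report (it decodes to the submission minute),
# not documented behaviour of the sample.
TEMP_NAME_RE = re.compile(r"\\\d(?P<epoch>\d{10})\.txt$")

# BIOS properties whose values are hypervisor-specific; this example's choice.
FINGERPRINT_PROPS = {"serialnumber", "version", "manufacturer", "smbiosbiosversion"}


def parse_wmic_bios(cmdline):
    """Return {"output": path, "property": name} for a WMIC BIOS query, else None."""
    m = WMIC_BIOS_RE.match(cmdline.strip())
    if not m:
        return None
    return {"output": m.group("out"), "property": m.group("prop").lower()}


def crashed_pid(cmdline):
    """Return the PID a WerFault.exe invocation reports on, else None."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group("pid")) if m else None


def decode_temp_name(path):
    """Decode the epoch embedded in the output filename as a UTC time, else None."""
    m = TEMP_NAME_RE.search(path)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)


def triage(cmdlines):
    """Summarise fingerprinting, crash and filename facts from a process list."""
    queries = [q for q in (parse_wmic_bios(c) for c in cmdlines) if q]
    props = [q["property"] for q in queries]
    outputs = sorted({q["output"] for q in queries})
    pids = {p for p in (crashed_pid(c) for c in cmdlines) if p is not None}
    return {
        "bios_properties": props,
        "bios_output_files": outputs,
        "output_timestamps": [decode_temp_name(p) for p in outputs],
        "fingerprinting": any(p in FINGERPRINT_PROPS for p in props),
        "crashed_pids": pids,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{key}: {value}")
```

Turned into a detection, the durable part is the relationship rather than the strings: wmic.exe whose parent runs from a user-writable directory such as %TEMP%, with `bios get serialnumber` or `bios get version` on the command line and `/output:` pointing back into that directory. WMIC is deprecated and no longer present by default on current Windows 11 builds, so a sample relying on it fails there, and the same check should also cover the PowerShell equivalents (Get-CimInstance or Get-WmiObject against Win32_BIOS), which this sample does not use but which serve the same purpose.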

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\81718264875.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718264875.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81718264875.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e