Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-07-2024 05:05
Static task: static1
Behavioral task behavioral1: sample fa1266750ffbe8a0152adfa7b198fce241464089939ac085c077d625016f2519.exe, resource win7-20240508-en
Behavioral task behavioral2: sample fa1266750ffbe8a0152adfa7b198fce241464089939ac085c077d625016f2519.exe, resource win10v2004-20240508-en
Behavioral task behavioral3: sample beffabfhed.exe, resource win7-20240508-en
Behavioral task behavioral4: sample beffabfhed.exe, resource win10v2004-20240508-en
General
Target: beffabfhed.exe
Size: 569KB
MD5: b193af3d0371b5f27523ab5a836ada96
SHA1: 073907e2dd63de28c4cadc9db94450a5648eea73
SHA256: 29ae9d682ff68d8498a0df37dd1f5dc4dc23879dda47f29f491d4a53890b3321
SHA512: fa95dbde32691ad06e72fa2020382dea651a23a5caec66fabac3e847e9bafb0e8b9b5bbce708cfb89cf24403f64190328d9b2dee398e3bab0aeb0366513ff159
SSDEEP: 12288:rLqKzrU3VEPS26dgPxsUeaYPFPmyqDseCwr5FS/TsR+:r+FIsvaYPFPmvlCwG
Malware Config
Signatures
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2656  2844        WerFault.exe  27
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid 1436 wmic.exe (the following 20 tokens, recorded twice, 40 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 2628 wmic.exe (the same 20 tokens, recorded once, 20 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 2760 wmic.exe (4 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory 24 IoCs
description                       pid   Process         procid_target  recorded
PID 2844 wrote to memory of 1436  2844  beffabfhed.exe  28             4 times
PID 2844 wrote to memory of 2628  2844  beffabfhed.exe  31             4 times
PID 2844 wrote to memory of 2760  2844  beffabfhed.exe  33             4 times
PID 2844 wrote to memory of 2620  2844  beffabfhed.exe  35             4 times
PID 2844 wrote to memory of 1952  2844  beffabfhed.exe  37             4 times
PID 2844 wrote to memory of 2656  2844  beffabfhed.exe  39             4 times
Processes
1 C:\Users\Admin\AppData\Local\Temp\beffabfhed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\beffabfhed.exe"
  PID: 2844
  signatures: Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get serialnumber
    PID: 1436
    signatures: Suspicious use of AdjustPrivilegeToken
  2 C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version
    PID: 2628
    signatures: Suspicious use of AdjustPrivilegeToken
  2 C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version
    PID: 2760
    signatures: Suspicious use of AdjustPrivilegeToken
  2 C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version
    PID: 2620
  2 C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version
    PID: 1952
  2 C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 372
    PID: 2656
    signatures: Program crash
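The process tree above is the part of this report with analytic value: the sample runs wmic.exe five times in a row, one "bios get serialnumber" and four "bios get version", redirecting every result with /output: into the same temp file, and then crashes (WerFault.exe is invoked against PID 2844), so nothing after that point was observed. Reading BIOS strings through WMI is a common way for a sample to fingerprint the host it is running on, since virtual machines and sandboxes tend to expose recognisable serial numbers and vendor strings. Two of the signatures are background noise that a practitioner should not over-read: the privilege list under "Suspicious use of AdjustPrivilegeToken" is the set that wmic.exe normally enables in its own token at start-up, and the four "wrote to memory" entries per child are the parent's CreateProcess set-up of each new process. The useful signal is the parent/child relationship plus the command lines, and the following is an added example of a detector for exactly that pattern. It is not part of the report or of the sandbox's own detection logic; the event rows are constructed to mirror the tree above, and the parent PID of beffabfhed.exe, the timestamps and the benign control rows are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events shaped like the report's process tree:
# (pid, parent_pid, image_path, command_line, seconds_since_first_event).
# The parent PID of beffabfhed.exe, the timestamps and the benign control rows
# are assumptions; the report itself gives only PIDs and command lines.
EVENTS = [
    (2844, 1000, r"C:\Users\Admin\AppData\Local\Temp\beffabfhed.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\beffabfhed.exe"', 0.0),
    (1436, 2844, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get serialnumber", 1.0),
    (2628, 2844, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version", 1.4),
    (2760, 2844, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version", 1.8),
    (2620, 2844, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version", 2.2),
    (1952, 2844, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81719983135.txt bios get version", 2.6),
    (2656, 2844, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 372", 3.0),
    # Benign control (constructed): an administrator runs one BIOS query by hand.
    (3000, 900, r"C:\Windows\System32\cmd.exe", r"cmd.exe", 55.0),
    (3100, 3000, r"C:\Windows\System32\wbem\WMIC.exe", r"wmic bios get serialnumber", 60.0),
]

# "bios get serialnumber", "bios get version", "bios get serialnumber,version" ...
BIOS_QUERY = re.compile(r"\bbios\s+get\s+([\w,]+)", re.I)
# wmic's /output: switch, i.e. results written to a file instead of the console.
OUTPUT_SWITCH = re.compile(r"/output:(\S+)", re.I)
# Parent binaries living in directories any user can write to.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|ProgramData|Public)\\", re.I)


def find_bios_fingerprinting(events, window_s=30.0, min_queries=2):
    """Return one finding per parent process that drives wmic.exe to read BIOS fields.

    Signals, by weight: the parent executes from a user-writable directory (3),
    several BIOS queries arrive inside a short window (2), and the output is
    redirected to a file with /output: (1). A parent is reported at score >= 3.
    """
    by_pid = {e[0]: e for e in events}
    queries = defaultdict(list)
    for pid, ppid, image, cmd, ts in events:
        if not image.lower().endswith("\\wmic.exe"):
            continue
        m = BIOS_QUERY.search(cmd)
        if not m:
            continue
        out = OUTPUT_SWITCH.search(cmd)
        queries[ppid].append({
            "pid": pid,
            "fields": {f.lower() for f in m.group(1).split(",")},
            "output": out.group(1) if out else None,
            "ts": ts,
        })

    findings = []
    for ppid, qs in queries.items():
        parent = by_pid.get(ppid)
        parent_image = parent[2] if parent else "<unknown>"
        stamps = sorted(q["ts"] for q in qs)
        span = stamps[-1] - stamps[0]
        fields = set().union(*(q["fields"] for q in qs))
        outputs = {q["output"] for q in qs if q["output"]}
        score, reasons = 0, []
        if USER_WRITABLE.search(parent_image):
            score += 3
            reasons.append("parent executes from a user-writable path")
        if len(qs) >= min_queries and span <= window_s:
            score += 2
            reasons.append(f"{len(qs)} BIOS queries within {span:.1f}s")
        if outputs:
            score += 1
            reasons.append("output redirected to file: " + ", ".join(sorted(outputs)))
        if score >= 3:
            findings.append({
                "parent_pid": ppid, "parent_image": parent_image,
                "children": [q["pid"] for q in qs], "fields": fields,
                "outputs": outputs, "score": score, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_bios_fingerprinting(EVENTS):
        print(f"parent {f['parent_pid']} {f['parent_image']} score={f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed rows, the detector reports PID 2844 once, with all five wmic children, both BIOS fields and the single temp file, and stays silent on the interactive control, where the parent is cmd.exe under System32, there is a single query and no redirection. The weights are deliberately crude; what matters is that the repeated wmic launches from one parent are folded into one finding rather than five alerts, and that an admin's one-off "wmic bios get serialnumber" does not trip it.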
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 66B
MD5: 9025468f85256136f923096b01375964
SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51