36d20a5548ccc54b9342a1ce4afadacde9aed5dbfd92769d0692a659db97328b

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e72e4c1090fe82f7d18acba38c7ed6.exe
Size

709KB
MD5

12e72e4c1090fe82f7d18acba38c7ed6
SHA1

cd847bd91ec9062f27027fefc26efb396f1895a9
SHA256

36d20a5548ccc54b9342a1ce4afadacde9aed5dbfd92769d0692a659db97328b
SHA512

960782977661dc05ee1409b3588277caacc67521945a7164e2d516d4a2616b60b335d63b01c949869d0dd1b4b7e9b09f16b4ee4a6b43acf36e07b52fb7cb0364
SSDEEP

12288:HyGhAcNhOMqxzKJ/k3tkPUlXlcg0TG9uYdESlqtCQEJBy8fD00k2bfc8vy4hb:HQ/eJ/kmPUlXxtoeleCJJBy8fD00486E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	bedgcdibca.exe

Loads dropped DLL 11 IoCs

pid	Process
2060	12e72e4c1090fe82f7d18acba38c7ed6.exe
2060	12e72e4c1090fe82f7d18acba38c7ed6.exe
2060	12e72e4c1090fe82f7d18acba38c7ed6.exe
2060	12e72e4c1090fe82f7d18acba38c7ed6.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2864	2764	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe
Token: SeSystemProfilePrivilege	2280	wmic.exe
Token: SeSystemtimePrivilege	2280	wmic.exe
Token: SeProfSingleProcessPrivilege	2280	wmic.exe
Token: SeIncBasePriorityPrivilege	2280	wmic.exe
Token: SeCreatePagefilePrivilege	2280	wmic.exe
Token: SeBackupPrivilege	2280	wmic.exe
Token: SeRestorePrivilege	2280	wmic.exe
Token: SeShutdownPrivilege	2280	wmic.exe
Token: SeDebugPrivilege	2280	wmic.exe
Token: SeSystemEnvironmentPrivilege	2280	wmic.exe
Token: SeRemoteShutdownPrivilege	2280	wmic.exe
Token: SeUndockPrivilege	2280	wmic.exe
Token: SeManageVolumePrivilege	2280	wmic.exe
Token: 33	2280	wmic.exe
Token: 34	2280	wmic.exe
Token: 35	2280	wmic.exe
Token: SeIncreaseQuotaPrivilege	2940	wmic.exe
Token: SeSecurityPrivilege	2940	wmic.exe
Token: SeTakeOwnershipPrivilege	2940	wmic.exe
Token: SeLoadDriverPrivilege	2940	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2764	2060	12e72e4c1090fe82f7d18acba38c7ed6.exe	29
PID 2060 wrote to memory of 2764	2060	12e72e4c1090fe82f7d18acba38c7ed6.exe	29
PID 2060 wrote to memory of 2764	2060	12e72e4c1090fe82f7d18acba38c7ed6.exe	29
PID 2060 wrote to memory of 2764	2060	12e72e4c1090fe82f7d18acba38c7ed6.exe	29
PID 2764 wrote to memory of 2696	2764	bedgcdibca.exe	17
PID 2764 wrote to memory of 2696	2764	bedgcdibca.exe	17
PID 2764 wrote to memory of 2696	2764	bedgcdibca.exe	17
PID 2764 wrote to memory of 2696	2764	bedgcdibca.exe	17
PID 2764 wrote to memory of 2280	2764	bedgcdibca.exe	28
PID 2764 wrote to memory of 2280	2764	bedgcdibca.exe	28
PID 2764 wrote to memory of 2280	2764	bedgcdibca.exe	28
PID 2764 wrote to memory of 2280	2764	bedgcdibca.exe	28
PID 2764 wrote to memory of 2940	2764	bedgcdibca.exe	26
PID 2764 wrote to memory of 2940	2764	bedgcdibca.exe	26
PID 2764 wrote to memory of 2940	2764	bedgcdibca.exe	26
PID 2764 wrote to memory of 2940	2764	bedgcdibca.exe	26
PID 2764 wrote to memory of 2760	2764	bedgcdibca.exe	25
PID 2764 wrote to memory of 2760	2764	bedgcdibca.exe	25
PID 2764 wrote to memory of 2760	2764	bedgcdibca.exe	25
PID 2764 wrote to memory of 2760	2764	bedgcdibca.exe	25
PID 2764 wrote to memory of 2600	2764	bedgcdibca.exe	23
PID 2764 wrote to memory of 2600	2764	bedgcdibca.exe	23
PID 2764 wrote to memory of 2600	2764	bedgcdibca.exe	23
PID 2764 wrote to memory of 2600	2764	bedgcdibca.exe	23
PID 2764 wrote to memory of 2864	2764	bedgcdibca.exe	22
PID 2764 wrote to memory of 2864	2764	bedgcdibca.exe	22
PID 2764 wrote to memory of 2864	2764	bedgcdibca.exe	22
PID 2764 wrote to memory of 2864	2764	bedgcdibca.exe	22

C:\Users\Admin\AppData\Local\Temp\12e72e4c1090fe82f7d18acba38c7ed6.exe
"C:\Users\Admin\AppData\Local\Temp\12e72e4c1090fe82f7d18acba38c7ed6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe
  C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe 3]3]6]5]8]9]6]4]3]7]0 LE1DPzUoMy8zLCAsUE89SEA+OS0ZL0tCTlJHSUVFQTYxIi8qa2pmXnFgbW5eal84SlxjaV5gZR0sPkRLS0NAOis3NC4sGyc6Q0A6KSAsTUxKPEw9UFxCRDovMDQsKhorUD5SU0JMWk1JRjllbXRtNykqa2lwKkE+U0gqTkpIJDtMTSdJS0NJGyc6RkVARElBOhoqPCg3KS4ZL0EvNygpFylAMDYtLh0pPyw0Jy0dKEQyOicsGCZKTkw9VUBRWUtKQFA9QFI9HSxKTUc7Tz9RWEVSSTs4GCZKTkw9VUBRWUk5RD85HShFVUJZUEpDNxwsPlhCXD1IPENDSkI2ICxFSU5MVjxOTFBTQk83MBgmTkQ+R0tWTE9aTUlGOR0oVko6LBsnO00tOhkvT1JIT0FEP1tUPkxATEdAQUQ7Q0JOUkk6GipBSllOUkdURko/OGxpb2EdKFJCUU9NRkBIQ1xOU0JPWT85UE05LxkvRUY+QFA0KxwsQlNcQVNJOURDP1w+TkBPU0tMPD45Y1pscGIaKjxGUUpJSEFBXENLNSgrNCswMCsuMSsmKC4zHShQPk87R0Q8RltGR1NRPkZHNV1baHBeICxRQ0g9NCswMC8yMS4uNDEXKUBMUE5JTDs/V0tDSUI2Nyw0KS0oKC8mMDM1NTcrNCI4Rw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2764

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2864

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
PID:2600

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
PID:2760

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe

Filesize
96KB

MD5
cd84d5beff470df7edf55254d985e65f

SHA1
1298f71fe654da8d86f3f68c53c06bc41769fab3

SHA256
5acd5ad0eb060f128e9b3167b3f99ba2368bf8b56b7eec24926edd9dcec0c3af

SHA512
70f90ad553fd5b6344017f3b2b56dde37482b2c034d2475682981e4bef5fee356b31a11acb33574e0c7a0b10ca70cf5a9c33d5a52a385bb0e2d4539f792b103e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe

Filesize
92KB

MD5
375f58a1dc6c2b97a8455e9014d4c175

SHA1
4b906ebbf43226a849d16134c4b1a5e86efded99

SHA256
463864d2c3a8ab831d91e1cab26494a1718aa5ddd9604c19ec1ec7b4a19f4dce

SHA512
02f0d756a54e298154f2843a37b79199583ce27ed1cb1dc8a8fbbbcee4bd32fd198df0ac4d5800e2569f767d01fe60a29854d8e1c0538a2369753109be094299

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst13D0.tmp\ptlylyo.dll

Filesize
161KB

MD5
b63261662eb51e7ae247895304b0cf44

SHA1
a4a21465e0e48d2e536807f0a65e4d52f0c1a86d

SHA256
09676ec267ccf9a42bdeae66b482e0e1dafe8b93be269d5e217314528d4ca356

SHA512
42ca1d3449fbe6a4097ce16c25ee97e988f8cecfab8b575092a34e6856d09bdc639f70f07f73a6b950ddeca9135eae8ec40f9f47aefb7f482c4bb3fa930a9072

Download Submit
\Users\Admin\AppData\Local\Temp\bedgcdibca.exe

Filesize
95KB

MD5
014dc0fb55f7707743329a30a9d56700

SHA1
bb9cea1b9cb5fe0d64f93dd0ef9730fe5eab5fd4

SHA256
682a22082224377c6823badbd1fe486f25eafdf226085067a938c61ea996483e

SHA512
e04b028dcfc3deeb86becb2e7073bdfbd4d50b754f30372f9f342890bab42f163825cc715e8a4d7b1a7d469fe7e52381217aa7020ad74f75a170bbc8709060f9

Download Submit
\Users\Admin\AppData\Local\Temp\bedgcdibca.exe

Filesize
381KB

MD5
f507f5a914a636906a39dd7f7621aa18

SHA1
10ff1a1e3e78993aadbcb448b8ef9eecfb2afdb4

SHA256
09390f869fdb3eaa3d76aa20de2db7349e92d4a1dffc4c4d8e7cc883f993e412

SHA512
aba5206e4f4236e34821ca3aefa9202f93e31b9518a9dabd816456a45e5941c1eb4a89567401be8cceda67930474c3c13ea558e6ac927c6a4f1e02271a5e439a

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D0.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit