36d20a5548ccc54b9342a1ce4afadacde9aed5dbfd92769d0692a659db97328b

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e72e4c1090fe82f7d18acba38c7ed6.exe
Size

709KB
MD5

12e72e4c1090fe82f7d18acba38c7ed6
SHA1

cd847bd91ec9062f27027fefc26efb396f1895a9
SHA256

36d20a5548ccc54b9342a1ce4afadacde9aed5dbfd92769d0692a659db97328b
SHA512

960782977661dc05ee1409b3588277caacc67521945a7164e2d516d4a2616b60b335d63b01c949869d0dd1b4b7e9b09f16b4ee4a6b43acf36e07b52fb7cb0364
SSDEEP

12288:HyGhAcNhOMqxzKJ/k3tkPUlXlcg0TG9uYdESlqtCQEJBy8fD00k2bfc8vy4hb:HQ/eJ/kmPUlXxtoeleCJJBy8fD00486E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4412	bedgcdibca.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	12e72e4c1090fe82f7d18acba38c7ed6.exe
2400	12e72e4c1090fe82f7d18acba38c7ed6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3860	4412	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4840	wmic.exe
Token: SeSecurityPrivilege	4840	wmic.exe
Token: SeTakeOwnershipPrivilege	4840	wmic.exe
Token: SeLoadDriverPrivilege	4840	wmic.exe
Token: SeSystemProfilePrivilege	4840	wmic.exe
Token: SeSystemtimePrivilege	4840	wmic.exe
Token: SeProfSingleProcessPrivilege	4840	wmic.exe
Token: SeIncBasePriorityPrivilege	4840	wmic.exe
Token: SeCreatePagefilePrivilege	4840	wmic.exe
Token: SeBackupPrivilege	4840	wmic.exe
Token: SeRestorePrivilege	4840	wmic.exe
Token: SeShutdownPrivilege	4840	wmic.exe
Token: SeDebugPrivilege	4840	wmic.exe
Token: SeSystemEnvironmentPrivilege	4840	wmic.exe
Token: SeRemoteShutdownPrivilege	4840	wmic.exe
Token: SeUndockPrivilege	4840	wmic.exe
Token: SeManageVolumePrivilege	4840	wmic.exe
Token: 33	4840	wmic.exe
Token: 34	4840	wmic.exe
Token: 35	4840	wmic.exe
Token: 36	4840	wmic.exe
Token: SeIncreaseQuotaPrivilege	4840	wmic.exe
Token: SeSecurityPrivilege	4840	wmic.exe
Token: SeTakeOwnershipPrivilege	4840	wmic.exe
Token: SeLoadDriverPrivilege	4840	wmic.exe
Token: SeSystemProfilePrivilege	4840	wmic.exe
Token: SeSystemtimePrivilege	4840	wmic.exe
Token: SeProfSingleProcessPrivilege	4840	wmic.exe
Token: SeIncBasePriorityPrivilege	4840	wmic.exe
Token: SeCreatePagefilePrivilege	4840	wmic.exe
Token: SeBackupPrivilege	4840	wmic.exe
Token: SeRestorePrivilege	4840	wmic.exe
Token: SeShutdownPrivilege	4840	wmic.exe
Token: SeDebugPrivilege	4840	wmic.exe
Token: SeSystemEnvironmentPrivilege	4840	wmic.exe
Token: SeRemoteShutdownPrivilege	4840	wmic.exe
Token: SeUndockPrivilege	4840	wmic.exe
Token: SeManageVolumePrivilege	4840	wmic.exe
Token: 33	4840	wmic.exe
Token: 34	4840	wmic.exe
Token: 35	4840	wmic.exe
Token: 36	4840	wmic.exe
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe
Token: SeSecurityPrivilege	1388	wmic.exe
Token: SeTakeOwnershipPrivilege	1388	wmic.exe
Token: SeLoadDriverPrivilege	1388	wmic.exe
Token: SeSystemProfilePrivilege	1388	wmic.exe
Token: SeSystemtimePrivilege	1388	wmic.exe
Token: SeProfSingleProcessPrivilege	1388	wmic.exe
Token: SeIncBasePriorityPrivilege	1388	wmic.exe
Token: SeCreatePagefilePrivilege	1388	wmic.exe
Token: SeBackupPrivilege	1388	wmic.exe
Token: SeRestorePrivilege	1388	wmic.exe
Token: SeShutdownPrivilege	1388	wmic.exe
Token: SeDebugPrivilege	1388	wmic.exe
Token: SeSystemEnvironmentPrivilege	1388	wmic.exe
Token: SeRemoteShutdownPrivilege	1388	wmic.exe
Token: SeUndockPrivilege	1388	wmic.exe
Token: SeManageVolumePrivilege	1388	wmic.exe
Token: 33	1388	wmic.exe
Token: 34	1388	wmic.exe
Token: 35	1388	wmic.exe
Token: 36	1388	wmic.exe
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4412	2400	12e72e4c1090fe82f7d18acba38c7ed6.exe	36
PID 2400 wrote to memory of 4412	2400	12e72e4c1090fe82f7d18acba38c7ed6.exe	36
PID 2400 wrote to memory of 4412	2400	12e72e4c1090fe82f7d18acba38c7ed6.exe	36
PID 4412 wrote to memory of 4840	4412	bedgcdibca.exe	24
PID 4412 wrote to memory of 4840	4412	bedgcdibca.exe	24
PID 4412 wrote to memory of 4840	4412	bedgcdibca.exe	24
PID 4412 wrote to memory of 1388	4412	bedgcdibca.exe	35
PID 4412 wrote to memory of 1388	4412	bedgcdibca.exe	35
PID 4412 wrote to memory of 1388	4412	bedgcdibca.exe	35
PID 4412 wrote to memory of 3476	4412	bedgcdibca.exe	34
PID 4412 wrote to memory of 3476	4412	bedgcdibca.exe	34
PID 4412 wrote to memory of 3476	4412	bedgcdibca.exe	34
PID 4412 wrote to memory of 4276	4412	bedgcdibca.exe	33
PID 4412 wrote to memory of 4276	4412	bedgcdibca.exe	33
PID 4412 wrote to memory of 4276	4412	bedgcdibca.exe	33
PID 4412 wrote to memory of 4744	4412	bedgcdibca.exe	29
PID 4412 wrote to memory of 4744	4412	bedgcdibca.exe	29
PID 4412 wrote to memory of 4744	4412	bedgcdibca.exe	29

C:\Users\Admin\AppData\Local\Temp\12e72e4c1090fe82f7d18acba38c7ed6.exe
"C:\Users\Admin\AppData\Local\Temp\12e72e4c1090fe82f7d18acba38c7ed6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe
  C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe 3]3]6]5]8]9]6]4]3]7]0 LE1DPzUoMy8zLCAsUE89SEA+OS0ZL0tCTlJHSUVFQTYxIi8qa2pmXnFgbW5eal84SlxjaV5gZR0sPkRLS0NAOis3NC4sGyc6Q0A6KSAsTUxKPEw9UFxCRDovMDQsKhorUD5SU0JMWk1JRjllbXRtNykqa2lwKkE+U0gqTkpIJDtMTSdJS0NJGyc6RkVARElBOhoqPCg3KS4ZL0EvNygpFylAMDYtLh0pPyw0Jy0dKEQyOicsGCZKTkw9VUBRWUtKQFA9QFI9HSxKTUc7Tz9RWEVSSTs4GCZKTkw9VUBRWUk5RD85HShFVUJZUEpDNxwsPlhCXD1IPENDSkI2ICxFSU5MVjxOTFBTQk83MBgmTkQ+R0tWTE9aTUlGOR0oVko6LBsnO00tOhkvT1JIT0FEP1tUPkxATEdAQUQ7Q0JOUkk6GipBSllOUkdURko/OGxpb2EdKFJCUU9NRkBIQ1xOU0JPWT85UE05LxkvRUY+QFA0KxwsQlNcQVNJOURDP1w+TkBPU0tMPD45Y1pscGIaKjxGUUpJSEFBXENLNSgrNCswMCsuMSsmKC4zHShQPk87R0Q8RltGR1NRPkZHNV1baHBeICxRQ0g9NCswMC8yMS4uNDEXKUBMUE5JTDs/V0tDSUI2Nyw0KS0oKC8mMDM1NTcrNCI4Rw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4412

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4412 -ip 4412
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 884
1⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
PID:4276

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
PID:3476

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703542528.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe

Filesize
382KB

MD5
f85499552f7ece45433a06017d07f9e8

SHA1
df0a99843aaa5a160f338d2e7a69ce3aa021af12

SHA256
19bef01040a91ab338703a172a1e540d839fd030dcd049539af6edd51b2740cf

SHA512
83b39add687ac2f7e4440282c5f4f88bc524c1d598277f99825fb0dcd834354d07de6e7ed942f1b5e1e9798fbdf83fe111ca4a0fc66282f4333c8d30a4dd638f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgcdibca.exe

Filesize
385KB

MD5
f3493946525dbc05c8c068f671102d29

SHA1
2d96e4fca2c3a0994f836f0fe788b377202ea98e

SHA256
752e278582d843049a71732762f6678d248c0d54bae06ef44d6cbb89f2365f89

SHA512
fb53c5d70cc9132171d0f298f9fada31134624e8a9995d0b24483cffa7c3e88369e9998d78296d50599a12157302e300b54b84dcb850ccd54329583a3f372507

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470C.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470C.tmp\ptlylyo.dll

Filesize
161KB

MD5
b63261662eb51e7ae247895304b0cf44

SHA1
a4a21465e0e48d2e536807f0a65e4d52f0c1a86d

SHA256
09676ec267ccf9a42bdeae66b482e0e1dafe8b93be269d5e217314528d4ca356

SHA512
42ca1d3449fbe6a4097ce16c25ee97e988f8cecfab8b575092a34e6856d09bdc639f70f07f73a6b950ddeca9135eae8ec40f9f47aefb7f482c4bb3fa930a9072

Download Submit