1c321d88c1ef2dfaf2224d63dbabdb3c78f2237072eac0711f2fcd13b87449f1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231ff99512e2c0f0d8dd1e01cb20fadc.exe
Size

770KB
MD5

231ff99512e2c0f0d8dd1e01cb20fadc
SHA1

e9eeaade823c54e81d0b62623a30ac5015eafb78
SHA256

1c321d88c1ef2dfaf2224d63dbabdb3c78f2237072eac0711f2fcd13b87449f1
SHA512

4e4d085702480bfeff50bbefcbc7b130ec56b3c3a5d69c7207f96e93589a98aff061bc4f2a2abead20622ccbd8baf8937647cd561915932374a2248332efcbf4
SSDEEP

24576:5PBYL1NgGWsy9RTcxTvUZTL58Zs6Qd86Z:56LjgVsyAxjUZTL58xQay

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	bedebjgigg.exe

Loads dropped DLL 11 IoCs

pid	Process
1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe
1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe
1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe
1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1216	2308	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2856	wmic.exe
Token: SeSecurityPrivilege	2856	wmic.exe
Token: SeTakeOwnershipPrivilege	2856	wmic.exe
Token: SeLoadDriverPrivilege	2856	wmic.exe
Token: SeSystemProfilePrivilege	2856	wmic.exe
Token: SeSystemtimePrivilege	2856	wmic.exe
Token: SeProfSingleProcessPrivilege	2856	wmic.exe
Token: SeIncBasePriorityPrivilege	2856	wmic.exe
Token: SeCreatePagefilePrivilege	2856	wmic.exe
Token: SeBackupPrivilege	2856	wmic.exe
Token: SeRestorePrivilege	2856	wmic.exe
Token: SeShutdownPrivilege	2856	wmic.exe
Token: SeDebugPrivilege	2856	wmic.exe
Token: SeSystemEnvironmentPrivilege	2856	wmic.exe
Token: SeRemoteShutdownPrivilege	2856	wmic.exe
Token: SeUndockPrivilege	2856	wmic.exe
Token: SeManageVolumePrivilege	2856	wmic.exe
Token: 33	2856	wmic.exe
Token: 34	2856	wmic.exe
Token: 35	2856	wmic.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2308	1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe	27
PID 1876 wrote to memory of 2308	1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe	27
PID 1876 wrote to memory of 2308	1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe	27
PID 1876 wrote to memory of 2308	1876	231ff99512e2c0f0d8dd1e01cb20fadc.exe	27
PID 2308 wrote to memory of 2736	2308	bedebjgigg.exe	16
PID 2308 wrote to memory of 2736	2308	bedebjgigg.exe	16
PID 2308 wrote to memory of 2736	2308	bedebjgigg.exe	16
PID 2308 wrote to memory of 2736	2308	bedebjgigg.exe	16
PID 2308 wrote to memory of 2856	2308	bedebjgigg.exe	26
PID 2308 wrote to memory of 2856	2308	bedebjgigg.exe	26
PID 2308 wrote to memory of 2856	2308	bedebjgigg.exe	26
PID 2308 wrote to memory of 2856	2308	bedebjgigg.exe	26
PID 2308 wrote to memory of 2692	2308	bedebjgigg.exe	24
PID 2308 wrote to memory of 2692	2308	bedebjgigg.exe	24
PID 2308 wrote to memory of 2692	2308	bedebjgigg.exe	24
PID 2308 wrote to memory of 2692	2308	bedebjgigg.exe	24
PID 2308 wrote to memory of 2540	2308	bedebjgigg.exe	23
PID 2308 wrote to memory of 2540	2308	bedebjgigg.exe	23
PID 2308 wrote to memory of 2540	2308	bedebjgigg.exe	23
PID 2308 wrote to memory of 2540	2308	bedebjgigg.exe	23
PID 2308 wrote to memory of 3024	2308	bedebjgigg.exe	21
PID 2308 wrote to memory of 3024	2308	bedebjgigg.exe	21
PID 2308 wrote to memory of 3024	2308	bedebjgigg.exe	21
PID 2308 wrote to memory of 3024	2308	bedebjgigg.exe	21
PID 2308 wrote to memory of 1216	2308	bedebjgigg.exe	20
PID 2308 wrote to memory of 1216	2308	bedebjgigg.exe	20
PID 2308 wrote to memory of 1216	2308	bedebjgigg.exe	20
PID 2308 wrote to memory of 1216	2308	bedebjgigg.exe	20

C:\Users\Admin\AppData\Local\Temp\231ff99512e2c0f0d8dd1e01cb20fadc.exe
"C:\Users\Admin\AppData\Local\Temp\231ff99512e2c0f0d8dd1e01cb20fadc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\bedebjgigg.exe
  C:\Users\Admin\AppData\Local\Temp\bedebjgigg.exe 7^4^1^0^4^1^4^3^1^8^7 KExIRDkyLC8xGChMUUFQRUM5LR8nRz5QVk9OSkVBPCgZKEBIU1BIQDoxLy0sLB8vP0hAOi8YKElOTkRRQlBcSDw2KjI4NBwuT0JRTj5LW1RSSDxkcXNoMygrcnJyLUBCUkMmTUtPLT1PTCtIRj9IHC5DSEg/SEg8NnBBUU8wR01ARCpCLkE1VUcvTVJMPzJJPR8vQDA5KjAYKD0uPC0tHytBMjUmKhwuRDA8KS4fJz0uOSwxHC5MT048TjxQXlBOSFI+QlE2GStPUktDUUBTVz5OSEA9HC5MT048TjxQXk49TEE6Hyc+UUFeVU5LOR0uPVE+W0JNQEtFS0Q1GShETlNQXj5PTk9MPk48MhwuUEVARkRSS1RfUVFIOh8nT0Y5MSArQ08uPBgoS1FNVEVMQVxWPUU8S0xFRUw9RERNS0U5Hy9FUltPVEZNQklEPXBxcWIfJ0s+UFRSSkhKRF5NTD5OXkQ9WE86MRgoQUVDRVQ8LR0uQUxYQFhOPUxFQF49RzxOWFBQREA6ZVllbGEfL0BOU0tLRzo9W0hQOTAzNS0qKysqMTAuLTM1HydNQklEPS0zLzExKDAuMjQgK0NLVE1ESDpAXlRFTEE6NScqLCsxMC00Ji85LTIzLjQqTEw=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2308

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703573981.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:1216

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703573981.txt bios get version
1⤵
PID:3024

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703573981.txt bios get version
1⤵
PID:2540

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703573981.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703573981.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst12E6.tmp\ZipDLL.dll

Filesize
92KB

MD5
411bb9971a3aa2923e60176c49c0e892

SHA1
97b00e65b22c877f29d82ae22f49a90b1e16eb67

SHA256
ef661aa6cbe0ab3e33e263a372e78db93b79386d2b08d08b0809a474b7b4f4b0

SHA512
0a2f9c5ec38d08a4bc48a0d1b78ab623d4aa10854287496ded4720035e5714a592d72967a870ab2efaa914e4f4875b57cc8652d89882e4e7194efcd3072e088c

Download Submit
\Users\Admin\AppData\Local\Temp\nst12E6.tmp\fjezkbl.dll

Filesize
92KB

MD5
c073fb5cc7380310d8463204b6e6d5ed

SHA1
6cb5c540d4b50ba00949478073cef7cab84d5d26

SHA256
9c6e7a124710cc0087922289e197e598d96b95f60511cd8e9ea4c77a9753030c

SHA512
28cd41c260c4db3cd15e9f7d817d470ad7c3507a5c8b5ca84db589e0624e02f5e2c40f773d2f842ef9a8fe3047b215ad4719c9a24de9358d60c438fb4bc6824c

Download Submit