1443c6b2ea5bbfdd51a992a2d886a90ca3b9639f15b97faab9481cdafa33619a

Analysis

max time kernel
0s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27be6755b7ac1c4e4707b797b97e90d6.exe
Size

694KB
MD5

27be6755b7ac1c4e4707b797b97e90d6
SHA1

30f5290051180fe2ffb688c81b9e2eb56b462a3a
SHA256

1443c6b2ea5bbfdd51a992a2d886a90ca3b9639f15b97faab9481cdafa33619a
SHA512

04d098ba7c0851f5453ba6278f98e89951a53dea1d13368c12c3939e2820f20f507134e985dfa6c7dc7a61666048e9ea075cd387219e8bdc48df26977f6476e2
SSDEEP

12288:yfQCopZ0XnnokJAf8zL+UW0ZHtpBiMUx23WTfJDjHY+qveyVjo+Vuufc8vy4hem:yfQanjO8za10hbu24fJfHYQ2ly86tm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3696	bedgcibdeb.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	27be6755b7ac1c4e4707b797b97e90d6.exe
1948	27be6755b7ac1c4e4707b797b97e90d6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1796	3696	WerFault.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3340	DllHost.exe
Token: SeSecurityPrivilege	3340	DllHost.exe
Token: SeTakeOwnershipPrivilege	3340	DllHost.exe
Token: SeLoadDriverPrivilege	3340	DllHost.exe
Token: SeSystemProfilePrivilege	3340	DllHost.exe
Token: SeSystemtimePrivilege	3340	DllHost.exe
Token: SeProfSingleProcessPrivilege	3340	DllHost.exe
Token: SeIncBasePriorityPrivilege	3340	DllHost.exe
Token: SeCreatePagefilePrivilege	3340	DllHost.exe
Token: SeBackupPrivilege	3340	DllHost.exe
Token: SeRestorePrivilege	3340	DllHost.exe
Token: SeShutdownPrivilege	3340	DllHost.exe
Token: SeDebugPrivilege	3340	DllHost.exe
Token: SeSystemEnvironmentPrivilege	3340	DllHost.exe
Token: SeRemoteShutdownPrivilege	3340	DllHost.exe
Token: SeUndockPrivilege	3340	DllHost.exe
Token: SeManageVolumePrivilege	3340	DllHost.exe
Token: 33	3340	DllHost.exe
Token: 34	3340	DllHost.exe
Token: 35	3340	DllHost.exe
Token: 36	3340	DllHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3696	1948	27be6755b7ac1c4e4707b797b97e90d6.exe	36
PID 1948 wrote to memory of 3696	1948	27be6755b7ac1c4e4707b797b97e90d6.exe	36
PID 1948 wrote to memory of 3696	1948	27be6755b7ac1c4e4707b797b97e90d6.exe	36
PID 3696 wrote to memory of 3340	3696	bedgcibdeb.exe	115
PID 3696 wrote to memory of 3340	3696	bedgcibdeb.exe	115
PID 3696 wrote to memory of 3340	3696	bedgcibdeb.exe	115

C:\Users\Admin\AppData\Local\Temp\27be6755b7ac1c4e4707b797b97e90d6.exe
"C:\Users\Admin\AppData\Local\Temp\27be6755b7ac1c4e4707b797b97e90d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\bedgcibdeb.exe
  C:\Users\Admin\AppData\Local\Temp\bedgcibdeb.exe 4!0!5!0!5!0!8!5!4!3!6 K1BERDg3KysuHSlPVT1QREQ1KxwsSEFUUk9NS0E/OS0aK0REU09JPDgtLjEtMxsvPkk8OCwdKUxSSkRQQ0xaRUE3LTY0NBsvS0BOUz9OX1BSRz1gb3BtNCsvbnJxLjxAT0gnUE9LLTxQSClFS0BLICpDR0k7RkVBN1NnVFEzMU5AdDAxMENJTD5uXVJiS2pIZU1XczAuSUVwZ0NZbWhHST5UZFBKdGdHVWo5RVRCY2pITkduUUMqXT8qZj5aRTZvVy5IZHYtbTRSSz1DQ1VPVS1zaFJZUU4rcnNXO1tqR2MrZU1pSUZpQDJvZ2hXKW1GU0BlUGRGMnpNVT5qXjA1SmxaQWV0RkEnbHZKcWdOJTNkT3E/T3VEUUItRWVVGitELD0xNCorHCw+Lj0oMRsvPC45KiscLz80OC0pGytBLzktLCAqUEpKQFI9UF9LUkRWOT5VOhorUE1PP1U7T1tCT0hBOCAqUEpKQFI9UF9JQUhFNRsrQlJBX1BSRz0YKkFVP1tDSERHSUZAOR0pRE9OVFpCSkpTUD9OPSsgKlRAPEpIU0tVWlVNTDUbK1NHOTIbLz9TKTgcLExRTk9JSEVXUkFJPUtNQElIQT9AUU9GOSAqSU5fSlBKUUNJRTh0bXVdGytPP1BVTU5ETj9aUVA/Tl8/QVRTNS0cLEJFREBYODEYKkVQWUBZSUFISTtaQUs9TllLVEBENWFdaW1hICpESldGR0s+PltJSz0zNSYsMDAoLTYyLiw5GCpMPkw9TEdFR19BSU9RO0hMOGZcbGtgHCxORU1APSw0KzEuNTEvMTEgKkRHUkpJST1EWlRETT04MywxKzIrMTAqLDUwLjQxNiVQSA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3696

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703784228.txt bios get serialnumber
1⤵
PID:3340

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703784228.txt bios get version
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3696 -ip 3696
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 948
1⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703784228.txt bios get version
1⤵
PID:4028

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703784228.txt bios get version
1⤵
PID:4372

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703784228.txt bios get version
1⤵
PID:2796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703784228.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703784228.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703784228.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgcibdeb.exe

Filesize
34KB

MD5
ea2bc07e3b86528a4c2cb82d0aafb78c

SHA1
9a1e45770b847e48c13d3f28cb0766bed399304d

SHA256
2d90a63626d3efe2e0fbcb92d03f0904c19498afc3bf478c3fa0269d20cd32b3

SHA512
08a79d430cbfa7fb870ebb3564603c4b5670125fc90a04fb54f221bc69f1ea625302309f1e19cc53f6c1c0df3b4825aeb49834dbefe2370572425b9d3ff4bf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgcibdeb.exe

Filesize
35KB

MD5
9282534685d24400b21c06c56a1ef9c2

SHA1
81e64e46d1e52c1119df8a4c5678ab4cb1d47208

SHA256
ad1b1634aa7c9cb0e6db933dfbdf682f8b0b6ecfcb4067028fa5d7538105b00c

SHA512
a57c0c12a1e729a5bb6989dffc481bdc0f1c299dfff5cdd9d461a037d6a60a6a87a5f655c0faf4aceb3e949672e1bf25cc6030fabc01e5603d87173ea9dd0529

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa54E7.tmp\ZipDLL.dll

Filesize
13KB

MD5
0666c878d013037077a21c8689318f68

SHA1
593e110b4a3712b220af25d064818feaed6bfa01

SHA256
0755acc5472f7da6287716a86c3d99b694b6abaa89d2598291851a653ff977ac

SHA512
d8e402eb272827e7d7aa0923deceea921e726ca66e81d0de379ebbe52f74eb9d7359cb2a6b60e7bfd69abb496044e817040351e80e4a700cac078f4fa00c883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa54E7.tmp\ZipDLL.dll

Filesize
11KB

MD5
934c940aeea8e85550032a3f1ab9e647

SHA1
801e1c9b6ad89edda3594cdb16e7a778c751deb7

SHA256
377c68d6aa73e03886b3ab8c9f52abce70033e1411d687764bb3e0ccd594e1bc

SHA512
52efbc85c60ec153044f968ca13cb16ccdf4e1d5f0b5a70dc12de4cced7d988abce6e5bc06366b91cc3d7b50f80bbf43eb3afdea5748ea7fb35779b30c2b0b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa54E7.tmp\sxmrlgj.dll

Filesize
48KB

MD5
4bc8b049e4cdfcc56279cc9245335297

SHA1
532e068432a92e6d6494e431fdf19e5f137ea4dc

SHA256
29872b43b4ef8a8bd639f64ef3878dfd9a7ad8eb28781bed26ce699a17b3bd13

SHA512
364f168d74a844e989e94214828549fabb72d25693fc5149ef44334b345098e0bb92c47c3e0acbe319e27653f32df7ca29b9cffe07b8654bfe5bbf7cde7b3991

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa54E7.tmp\sxmrlgj.dll

Filesize
64KB

MD5
fc13198d0fabec7ff642172d1e47bc5a

SHA1
c89e858c661794a696b2f17c609e1088a8367b3d

SHA256
e63cdcaae508683cc233cee99e0dc672730057d910028ef2447fd12b3e99b710

SHA512
01387d14743ddc1a4d8ee0fc0e5fe85cac20dd06af8d8b6940471056919b9fae2c246a21c4379c297abfad9aa3870e90923f2ac5632b8232ed2786306e70e4f7

Download Submit