375d3e4c75eb3efe8b4c88d41c7a74ae459eed2d14f79b114f21ab9466986ab4

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31352410a534efcd465ab27260dd45ed.exe
Size

642KB
MD5

31352410a534efcd465ab27260dd45ed
SHA1

1891236a1ad27986e9235a7f264c1dc205586f0e
SHA256

375d3e4c75eb3efe8b4c88d41c7a74ae459eed2d14f79b114f21ab9466986ab4
SHA512

a8b5d5b6c730821e21a5a4fa061c9407a2f5b3f1e6d2361c8a1eda02bab65b8261787133da691b6de7f60713dc2c150fda69f9121bc73c727f3d6fa18ee5a8ec
SSDEEP

12288:X/sZLjhgwc6QvMGDqv0TmDsDLIHVRFxaZtvJrjfi/fc8vy4hT:X/sLOJvFqK6d7o9jb86A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4872	bedfibgige.exe

Loads dropped DLL 2 IoCs

pid	Process
876	31352410a534efcd465ab27260dd45ed.exe
876	31352410a534efcd465ab27260dd45ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	4872	WerFault.exe	90

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3080	wmic.exe
Token: SeSecurityPrivilege	3080	wmic.exe
Token: SeTakeOwnershipPrivilege	3080	wmic.exe
Token: SeLoadDriverPrivilege	3080	wmic.exe
Token: SeSystemProfilePrivilege	3080	wmic.exe
Token: SeSystemtimePrivilege	3080	wmic.exe
Token: SeProfSingleProcessPrivilege	3080	wmic.exe
Token: SeIncBasePriorityPrivilege	3080	wmic.exe
Token: SeCreatePagefilePrivilege	3080	wmic.exe
Token: SeBackupPrivilege	3080	wmic.exe
Token: SeRestorePrivilege	3080	wmic.exe
Token: SeShutdownPrivilege	3080	wmic.exe
Token: SeDebugPrivilege	3080	wmic.exe
Token: SeSystemEnvironmentPrivilege	3080	wmic.exe
Token: SeRemoteShutdownPrivilege	3080	wmic.exe
Token: SeUndockPrivilege	3080	wmic.exe
Token: SeManageVolumePrivilege	3080	wmic.exe
Token: 33	3080	wmic.exe
Token: 34	3080	wmic.exe
Token: 35	3080	wmic.exe
Token: 36	3080	wmic.exe
Token: SeIncreaseQuotaPrivilege	3080	wmic.exe
Token: SeSecurityPrivilege	3080	wmic.exe
Token: SeTakeOwnershipPrivilege	3080	wmic.exe
Token: SeLoadDriverPrivilege	3080	wmic.exe
Token: SeSystemProfilePrivilege	3080	wmic.exe
Token: SeSystemtimePrivilege	3080	wmic.exe
Token: SeProfSingleProcessPrivilege	3080	wmic.exe
Token: SeIncBasePriorityPrivilege	3080	wmic.exe
Token: SeCreatePagefilePrivilege	3080	wmic.exe
Token: SeBackupPrivilege	3080	wmic.exe
Token: SeRestorePrivilege	3080	wmic.exe
Token: SeShutdownPrivilege	3080	wmic.exe
Token: SeDebugPrivilege	3080	wmic.exe
Token: SeSystemEnvironmentPrivilege	3080	wmic.exe
Token: SeRemoteShutdownPrivilege	3080	wmic.exe
Token: SeUndockPrivilege	3080	wmic.exe
Token: SeManageVolumePrivilege	3080	wmic.exe
Token: 33	3080	wmic.exe
Token: 34	3080	wmic.exe
Token: 35	3080	wmic.exe
Token: 36	3080	wmic.exe
Token: SeIncreaseQuotaPrivilege	4204	wmic.exe
Token: SeSecurityPrivilege	4204	wmic.exe
Token: SeTakeOwnershipPrivilege	4204	wmic.exe
Token: SeLoadDriverPrivilege	4204	wmic.exe
Token: SeSystemProfilePrivilege	4204	wmic.exe
Token: SeSystemtimePrivilege	4204	wmic.exe
Token: SeProfSingleProcessPrivilege	4204	wmic.exe
Token: SeIncBasePriorityPrivilege	4204	wmic.exe
Token: SeCreatePagefilePrivilege	4204	wmic.exe
Token: SeBackupPrivilege	4204	wmic.exe
Token: SeRestorePrivilege	4204	wmic.exe
Token: SeShutdownPrivilege	4204	wmic.exe
Token: SeDebugPrivilege	4204	wmic.exe
Token: SeSystemEnvironmentPrivilege	4204	wmic.exe
Token: SeRemoteShutdownPrivilege	4204	wmic.exe
Token: SeUndockPrivilege	4204	wmic.exe
Token: SeManageVolumePrivilege	4204	wmic.exe
Token: 33	4204	wmic.exe
Token: 34	4204	wmic.exe
Token: 35	4204	wmic.exe
Token: 36	4204	wmic.exe
Token: SeIncreaseQuotaPrivilege	4204	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4872	876	31352410a534efcd465ab27260dd45ed.exe	90
PID 876 wrote to memory of 4872	876	31352410a534efcd465ab27260dd45ed.exe	90
PID 876 wrote to memory of 4872	876	31352410a534efcd465ab27260dd45ed.exe	90
PID 4872 wrote to memory of 3080	4872	bedfibgige.exe	93
PID 4872 wrote to memory of 3080	4872	bedfibgige.exe	93
PID 4872 wrote to memory of 3080	4872	bedfibgige.exe	93
PID 4872 wrote to memory of 4204	4872	bedfibgige.exe	96
PID 4872 wrote to memory of 4204	4872	bedfibgige.exe	96
PID 4872 wrote to memory of 4204	4872	bedfibgige.exe	96
PID 4872 wrote to memory of 2816	4872	bedfibgige.exe	102
PID 4872 wrote to memory of 2816	4872	bedfibgige.exe	102
PID 4872 wrote to memory of 2816	4872	bedfibgige.exe	102
PID 4872 wrote to memory of 3036	4872	bedfibgige.exe	101
PID 4872 wrote to memory of 3036	4872	bedfibgige.exe	101
PID 4872 wrote to memory of 3036	4872	bedfibgige.exe	101
PID 4872 wrote to memory of 3264	4872	bedfibgige.exe	100
PID 4872 wrote to memory of 3264	4872	bedfibgige.exe	100
PID 4872 wrote to memory of 3264	4872	bedfibgige.exe	100

C:\Users\Admin\AppData\Local\Temp\31352410a534efcd465ab27260dd45ed.exe
"C:\Users\Admin\AppData\Local\Temp\31352410a534efcd465ab27260dd45ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\bedfibgige.exe
  C:\Users\Admin\AppData\Local\Temp\bedfibgige.exe 4^4^6^7^4^9^6^1^9^0^9 K0xDPTkoMzEsNxcrT087TEA+PCcgJkpBTlBLSUVIOz0oHCs+Qk9LQ0M0MTAzMxooP0A+PCcgJkxOST1ROk5eQEQ0LTIzLRwmTURJVjxOW09LSDRic2twMSsrbWtyJT5ESkskUEtKJj1HSi1ATj1LHCk8SEA9SkBENBwrPio5JCsfJkQpOSkrGSs7LTwkMRcrQC42KSgaLjs1NCktGihMSUlDTENLW0xMQlI4PVg0ICZMTkk9UTpOXjxVQz05GihMSUlDTENLW0o7RkE0Gi48WDxbUUxFORcpRE9FVj9JPkVFRT88Fy8/S09OWD5JSVZKRUk5LBooUD87TUJZRlFbT0tINBouTU00LhwpPU8oN2tnMSgcK0xOSktDTDxfTkFIPUhJPENMOEc8UU5GNhwmQ1JWUkxKUENGQTRucWxlFytOP01RSUhIRUdWUU8/S1s7O1hKPSkcK0JCQDxSPCggJkVPWT1VRTtMQENWQUo9S1VHTkQ7PV1daG1eHCY+Tk5OQ0s9PlhFRzcwMDQlMDAoKzEqKDArMBcrUENGQTQrMyo1Ly40Lys0FylDRldFSEs7PVtLQ0w8PS4rLikrLCgvKTA6KDE2LDEmOEc=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703599786.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703599786.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703599786.txt bios get version
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703599786.txt bios get version
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703599786.txt bios get version
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 856
    3⤵
    - Program crash
    PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4872 -ip 4872
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703599786.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703599786.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfibgige.exe

Filesize
19KB

MD5
769e7fee566ad0e1ffec411ee2fb6472

SHA1
3416db26b58522502f7cc81af7003cae26e18b19

SHA256
403f5e77e9cc6552a7ed188cc88da5a99dcf87d156bb65a2796cb19041bfa06b

SHA512
6ee975cd2680c8be24a24014a0386123fd0b2162836ca938a8f574d945c97c3e1467fa4d54970479071ced4c9614cde977c6c7318df7a94c219e6f509af9ffcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfibgige.exe

Filesize
34KB

MD5
9fef1747a1245e0919c423bdbe328650

SHA1
bae225c9e948758383b416c2077a34a3b6527ac2

SHA256
0bbca45cc04fb0ab34354a96d28f9988899d67f3f3aa3d5b2ac9752219b2b115

SHA512
918f73addc585887189fde915a78f27aac2d777a5f2d723229da86c4bf43d1947587702aa3113026d452d89d84e05ef0869cff99235a11d27ec1c28c1f859a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\bpcnrtp.dll

Filesize
74KB

MD5
15f757fbb60250454129dd7f85198a7f

SHA1
b4b99cf55e2366e1bc734dbb157c40e0922bdfef

SHA256
f1c6012b4afc92a6898ec0fd00168f90a2095634cf2cdb7ba73d7b62d6144422

SHA512
dcbce67b6ae6d3eb82271b2061bcf9b5971c414326bb5af9bc9cc05ae98bfa9a78c1e727289e99df7933584433ab4ca7083cc7f84e1851b7babc9407edb862ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\bpcnrtp.dll

Filesize
117KB

MD5
9d359b6fafd330e360b9bad5f1f830f4

SHA1
1a2e4a7f338ecb12716082daa2c807024cffd07e

SHA256
ef6d64ac41a74b475a5bb25319544edadc8257dde6e1a7a59e4d76d167ade3f4

SHA512
974a1d671aefda913f26e666b50ddb41f70956a55150839b2313c7c487a6875b9f735fa908bdf44dfda80fd2e15714faa84644ceb9bf1c29a9be43b44ea847f7

Download Submit