067b58634c7b41fe641677e1e9cf48b4d36b4e6300e42120e5de29cfaf3db6cb

Analysis

max time kernel
240s
max time network
288s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3490dd70dba01c391d06076935523e2e.exe
Size

752KB
MD5

3490dd70dba01c391d06076935523e2e
SHA1

c8bbd41691b9c20cb6a4d25e5ebcb5684577243a
SHA256

067b58634c7b41fe641677e1e9cf48b4d36b4e6300e42120e5de29cfaf3db6cb
SHA512

8aa8a924024778a01c702d258c2b75799d2364fcdc591268ce71ed5bb1dbced075cdbcf719d5c8c6c0682524a2fddd18a5a0f4fb0d99ef6452fcee1db04c6d40
SSDEEP

12288:epPRZduJx4IvVZhS/mn7cJDzPeIn63Fu7Vi+Jzlj2JuEN5htACorlV4MgQfc8vy/:epP+x408n5Viw6ustAXr7el86/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
528	bedgiecjca.exe

Loads dropped DLL 11 IoCs

pid	Process
2688	3490dd70dba01c391d06076935523e2e.exe
2688	3490dd70dba01c391d06076935523e2e.exe
2688	3490dd70dba01c391d06076935523e2e.exe
2688	3490dd70dba01c391d06076935523e2e.exe
400	WerFault.exe
400	WerFault.exe
400	WerFault.exe
400	WerFault.exe
400	WerFault.exe
400	WerFault.exe
400	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
400	528	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	596	wmic.exe
Token: SeSecurityPrivilege	596	wmic.exe
Token: SeTakeOwnershipPrivilege	596	wmic.exe
Token: SeLoadDriverPrivilege	596	wmic.exe
Token: SeSystemProfilePrivilege	596	wmic.exe
Token: SeSystemtimePrivilege	596	wmic.exe
Token: SeProfSingleProcessPrivilege	596	wmic.exe
Token: SeIncBasePriorityPrivilege	596	wmic.exe
Token: SeCreatePagefilePrivilege	596	wmic.exe
Token: SeBackupPrivilege	596	wmic.exe
Token: SeRestorePrivilege	596	wmic.exe
Token: SeShutdownPrivilege	596	wmic.exe
Token: SeDebugPrivilege	596	wmic.exe
Token: SeSystemEnvironmentPrivilege	596	wmic.exe
Token: SeRemoteShutdownPrivilege	596	wmic.exe
Token: SeUndockPrivilege	596	wmic.exe
Token: SeManageVolumePrivilege	596	wmic.exe
Token: 33	596	wmic.exe
Token: 34	596	wmic.exe
Token: 35	596	wmic.exe
Token: SeIncreaseQuotaPrivilege	596	wmic.exe
Token: SeSecurityPrivilege	596	wmic.exe
Token: SeTakeOwnershipPrivilege	596	wmic.exe
Token: SeLoadDriverPrivilege	596	wmic.exe
Token: SeSystemProfilePrivilege	596	wmic.exe
Token: SeSystemtimePrivilege	596	wmic.exe
Token: SeProfSingleProcessPrivilege	596	wmic.exe
Token: SeIncBasePriorityPrivilege	596	wmic.exe
Token: SeCreatePagefilePrivilege	596	wmic.exe
Token: SeBackupPrivilege	596	wmic.exe
Token: SeRestorePrivilege	596	wmic.exe
Token: SeShutdownPrivilege	596	wmic.exe
Token: SeDebugPrivilege	596	wmic.exe
Token: SeSystemEnvironmentPrivilege	596	wmic.exe
Token: SeRemoteShutdownPrivilege	596	wmic.exe
Token: SeUndockPrivilege	596	wmic.exe
Token: SeManageVolumePrivilege	596	wmic.exe
Token: 33	596	wmic.exe
Token: 34	596	wmic.exe
Token: 35	596	wmic.exe
Token: SeIncreaseQuotaPrivilege	1180	wmic.exe
Token: SeSecurityPrivilege	1180	wmic.exe
Token: SeTakeOwnershipPrivilege	1180	wmic.exe
Token: SeLoadDriverPrivilege	1180	wmic.exe
Token: SeSystemProfilePrivilege	1180	wmic.exe
Token: SeSystemtimePrivilege	1180	wmic.exe
Token: SeProfSingleProcessPrivilege	1180	wmic.exe
Token: SeIncBasePriorityPrivilege	1180	wmic.exe
Token: SeCreatePagefilePrivilege	1180	wmic.exe
Token: SeBackupPrivilege	1180	wmic.exe
Token: SeRestorePrivilege	1180	wmic.exe
Token: SeShutdownPrivilege	1180	wmic.exe
Token: SeDebugPrivilege	1180	wmic.exe
Token: SeSystemEnvironmentPrivilege	1180	wmic.exe
Token: SeRemoteShutdownPrivilege	1180	wmic.exe
Token: SeUndockPrivilege	1180	wmic.exe
Token: SeManageVolumePrivilege	1180	wmic.exe
Token: 33	1180	wmic.exe
Token: 34	1180	wmic.exe
Token: 35	1180	wmic.exe
Token: SeIncreaseQuotaPrivilege	1180	wmic.exe
Token: SeSecurityPrivilege	1180	wmic.exe
Token: SeTakeOwnershipPrivilege	1180	wmic.exe
Token: SeLoadDriverPrivilege	1180	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 528	2688	3490dd70dba01c391d06076935523e2e.exe	27
PID 2688 wrote to memory of 528	2688	3490dd70dba01c391d06076935523e2e.exe	27
PID 2688 wrote to memory of 528	2688	3490dd70dba01c391d06076935523e2e.exe	27
PID 2688 wrote to memory of 528	2688	3490dd70dba01c391d06076935523e2e.exe	27
PID 528 wrote to memory of 596	528	bedgiecjca.exe	28
PID 528 wrote to memory of 596	528	bedgiecjca.exe	28
PID 528 wrote to memory of 596	528	bedgiecjca.exe	28
PID 528 wrote to memory of 596	528	bedgiecjca.exe	28
PID 528 wrote to memory of 1180	528	bedgiecjca.exe	31
PID 528 wrote to memory of 1180	528	bedgiecjca.exe	31
PID 528 wrote to memory of 1180	528	bedgiecjca.exe	31
PID 528 wrote to memory of 1180	528	bedgiecjca.exe	31
PID 528 wrote to memory of 2600	528	bedgiecjca.exe	33
PID 528 wrote to memory of 2600	528	bedgiecjca.exe	33
PID 528 wrote to memory of 2600	528	bedgiecjca.exe	33
PID 528 wrote to memory of 2600	528	bedgiecjca.exe	33
PID 528 wrote to memory of 2460	528	bedgiecjca.exe	35
PID 528 wrote to memory of 2460	528	bedgiecjca.exe	35
PID 528 wrote to memory of 2460	528	bedgiecjca.exe	35
PID 528 wrote to memory of 2460	528	bedgiecjca.exe	35
PID 528 wrote to memory of 2968	528	bedgiecjca.exe	37
PID 528 wrote to memory of 2968	528	bedgiecjca.exe	37
PID 528 wrote to memory of 2968	528	bedgiecjca.exe	37
PID 528 wrote to memory of 2968	528	bedgiecjca.exe	37
PID 528 wrote to memory of 400	528	bedgiecjca.exe	39
PID 528 wrote to memory of 400	528	bedgiecjca.exe	39
PID 528 wrote to memory of 400	528	bedgiecjca.exe	39
PID 528 wrote to memory of 400	528	bedgiecjca.exe	39

C:\Users\Admin\AppData\Local\Temp\3490dd70dba01c391d06076935523e2e.exe
"C:\Users\Admin\AppData\Local\Temp\3490dd70dba01c391d06076935523e2e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\bedgiecjca.exe
  C:\Users\Admin\AppData\Local\Temp\bedgiecjca.exe 5#2#0#2#9#5#4#8#7#1#6 Kk5JQjQsNSsvMhoqUVVAR0RANSkfKUlDVFVGTUdBPTwrIDAwbmlqYG1cc2hca2U7SWBlZVpmXxstREdKT0U8NjExMi8yHiY+RTw2LxoqTlJNO1A/TFhIPjgwNjcrLhwnTERMUUNSXUxNSDVhc25rOC8tam1yJj1ETUYrVE1HKD1ISS1DSURPHiY+SEE8SkM/OyAtOyw5JSofKT8wPSsoGys8LDwnLB4vQis4KSkZLj4wOy0vFypMSkhDTz5SX05JRFI5PFg3Gy1QUEY/UTtNXj9QSkE7FypMSkhDTz5SX0w4SEE1GS4/U0NfU0lHORgoRFJAXUNLO0dFRj48GipGT1FLWj5KSFZNQFA9MxcqUEA6TUVUTVVdTE1INRkuUEg7Mh4mP08pNh8pTVNOUkBIQVdQREY+TU1DQEg9Pz5UTEc7IC1ATltKTk1OREtFO2ttcV0ZLkxAUlVQRURKP1hUTUBQX0I4VE81Kx8pQ0dEQ084LRgoSE1aQllMOEhFO1hESD5QWU5LQEA1X2BmbmMgLTtKU0ZFTjs/XUlONDMyJjI0KCw3OCwoMDUYKE87TT9MSjxHW0FHUk48Skw7XVxoa14fKU9HTUM0LDArLzcvLTc2NhcqQEdQTUZKP0RdS0RJPTY2KSwyLzAnLDEiLjkuNDgyNiE8SQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827636.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827636.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827636.txt bios get version
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827636.txt bios get version
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827636.txt bios get version
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703827636.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703827636.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703827636.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
236KB

MD5
97fa41818347d1e8901368c11bc5948a

SHA1
5106884c3ee8cf2ec31f872c309244aba29dc337

SHA256
2fbfd415c44b2bc5494a3f3cfe980d33d4f69234065d689cd6238366733f4314

SHA512
db432484164d05505161db99bca91dd5aa852629581626317dbc8d4263b15145a1a60d0a6dc483f3ad8da212361191302b32b4b33cd64c98c5a026f78e6e6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
1.2MB

MD5
7c7cdf02883bb35698ab09e7d3d182e4

SHA1
cbd17a842927fdfc97c7375465f233809b8dca8b

SHA256
943bc14230cf9366cedf45f1cf348dc088eeb31037544c06bab457e7c5f54f70

SHA512
783eebe784a0b471656c46884d53912394fe7d479158b6266d7c26f9f92dd6140ab294578a01b83bbeda083050870351b0b1da48e85d28c9744409b8798023fb

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
768KB

MD5
e71843cc970099759e0c798776cdca14

SHA1
51b8b7ff91516a4a53002ceb4718e24e1b417c51

SHA256
6a0a0dd2dffd5dd6302677b52c66151c8c1e06c8d708850aadd19eeaf17e2f61

SHA512
9932a89d6bdb2929469bd70536bf39da961c16258744a245c4dcde9001e20e52fb3bb7899321dfce72f41b920bbfb2145ef6e1a5ff24e4179e38f4e2df4bd152

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
391KB

MD5
99c3926f63094a5a78205da3d97f1974

SHA1
c7d2b8ac2196cd7b643c55a609633f44f8989ddd

SHA256
3a85ec8f443a5667854aa161cc6ed6234b46f2d94cec4cca4b4adbbbdcac29c4

SHA512
25a8f1cfc2d194c036b1b2e00e26764fac7660460904331df993fd7bb2aa6db02a62ebcdeecc9e24f590c179ddda85a1ee8b9f2acc2610183c1a01ed7734d6b6

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
154KB

MD5
f2e4ca280e7f7772da8c6b79f5483fdc

SHA1
d1032d0e9dca62a2fc0ebfec44f39fb3370717f2

SHA256
7f260a701bdb473654dc8db6478bd1af52c71f47b897fa4109e7381cb141bc5d

SHA512
b0e6d098cc1cc0b3f6f976f69658673388af19d5728933903baf855e8528161772d8f8f5ca469acad0b72ca7bcf184de2f507f0ff2513d08e3d0154c364ecc32

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
820KB

MD5
8ac96715d73463ddf4b7c8d885ef4def

SHA1
e234e80ce6fd03b8f5af35575f7fb67933180b72

SHA256
d7ec1d361eea9b39c29b736f4a1092ccb9a4ee1267dfd18dba18b25b45a43053

SHA512
c16357015c68a100cf9f2bd092752f8eed633df99af3a5b68cf75c7a4a6a3754478efe747cad7a8c8c472a148ff43e3a249acf7a5844132ae1ed321196c25a3c

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
661KB

MD5
5074389688b33cff97894364e4f6f9c8

SHA1
4e6c2ecee50cf2d7db428d94b330a72731198486

SHA256
96df9b85c59346e3b3fa81b64a2a6af56368c5fbc86ca4f9c46942a2a6e8bcb7

SHA512
56b2d2fb5be56c77a117ed7763a171eac36c60bc8024d29f314d5523ede2490a10aab48887293bc950d06915e99a2f2187d79e03beeab9a922970512c68ff9ff

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
668KB

MD5
af90d4dbe6e453a3ac86c6f7d1a964aa

SHA1
8d95544260c2008b4c68a65173c0808e9e5a319d

SHA256
2b0600463784f73a06d1d6a1ee5e5ad97290e607df612a46f893d141b8ca030d

SHA512
eaad07afbf0da5f9f90fac681ba08bcb529800cbf94acaaf2eb09c737c5cefe66144ddc09a3bff16d01d387173477a37d14695cb115886c93603e3cab87e52bf

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
596KB

MD5
3ed92d995235a782e39a0d63ff406616

SHA1
048aca11d3ffe4148cc2e3f06dc37ba863639eb3

SHA256
c4726db13b37647bc8cf9d23fb42448ff882e371adb425a652526170feeecacb

SHA512
80f80591c5118384acfbc30a0894440cd5fb7c53ce18bb95a0eaef377cb3f1832f5a0f21df47b2750080a8eb137678d916c87fa6a345df8ac8ef74b6f3fc8496

Download Submit
\Users\Admin\AppData\Local\Temp\bedgiecjca.exe

Filesize
539KB

MD5
079d9ccdf0036fea51700873a65bd38e

SHA1
6c327c9098e76ee2491200a72d69eca85083cbf0

SHA256
9dae65b02766eea53b0e8c8b5b7c54a7235bddad02c7f5bf214cf4654e420b3c

SHA512
2dc3d7ff554bb7fbc0e2563775afb6a9f6b5f555272f526db0d4b45ce958037c009876b8ae1a1fa2a8793b454c3b5cddd00a89692869beae9828779e0061273a

Download Submit
\Users\Admin\AppData\Local\Temp\nsz6DB2.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsz6DB2.tmp\auexhjf.dll

Filesize
158KB

MD5
1a45bce2804a4afd8f1a6250c0519126

SHA1
9a13a0fb88995915f0963fb9054b322d744ab169

SHA256
e3315c422b1d58cc03d88017a07ec7ee97c67b3da5688e61304f04987b2bf2a9

SHA512
331dae89cb933b032ee0e0430fdafc4f03be4734c711a115e18412905afcf8b7d1240e9e47ef890eec65fc8ff364207c84957aadf9a6ab684c9b7e3e337116a0

Download Submit