067b58634c7b41fe641677e1e9cf48b4d36b4e6300e42120e5de29cfaf3db6cb

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3490dd70dba01c391d06076935523e2e.exe
Size

752KB
MD5

3490dd70dba01c391d06076935523e2e
SHA1

c8bbd41691b9c20cb6a4d25e5ebcb5684577243a
SHA256

067b58634c7b41fe641677e1e9cf48b4d36b4e6300e42120e5de29cfaf3db6cb
SHA512

8aa8a924024778a01c702d258c2b75799d2364fcdc591268ce71ed5bb1dbced075cdbcf719d5c8c6c0682524a2fddd18a5a0f4fb0d99ef6452fcee1db04c6d40
SSDEEP

12288:epPRZduJx4IvVZhS/mn7cJDzPeIn63Fu7Vi+Jzlj2JuEN5htACorlV4MgQfc8vy/:epP+x408n5Viw6ustAXr7el86/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5112	bedgiecjca.exe

Loads dropped DLL 2 IoCs

pid	Process
4856	3490dd70dba01c391d06076935523e2e.exe
4856	3490dd70dba01c391d06076935523e2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1880	5112	WerFault.exe	19

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2392	wmic.exe
Token: SeSecurityPrivilege	2392	wmic.exe
Token: SeTakeOwnershipPrivilege	2392	wmic.exe
Token: SeLoadDriverPrivilege	2392	wmic.exe
Token: SeSystemProfilePrivilege	2392	wmic.exe
Token: SeSystemtimePrivilege	2392	wmic.exe
Token: SeProfSingleProcessPrivilege	2392	wmic.exe
Token: SeIncBasePriorityPrivilege	2392	wmic.exe
Token: SeCreatePagefilePrivilege	2392	wmic.exe
Token: SeBackupPrivilege	2392	wmic.exe
Token: SeRestorePrivilege	2392	wmic.exe
Token: SeShutdownPrivilege	2392	wmic.exe
Token: SeDebugPrivilege	2392	wmic.exe
Token: SeSystemEnvironmentPrivilege	2392	wmic.exe
Token: SeRemoteShutdownPrivilege	2392	wmic.exe
Token: SeUndockPrivilege	2392	wmic.exe
Token: SeManageVolumePrivilege	2392	wmic.exe
Token: 33	2392	wmic.exe
Token: 34	2392	wmic.exe
Token: 35	2392	wmic.exe
Token: 36	2392	wmic.exe
Token: SeIncreaseQuotaPrivilege	2392	wmic.exe
Token: SeSecurityPrivilege	2392	wmic.exe
Token: SeTakeOwnershipPrivilege	2392	wmic.exe
Token: SeLoadDriverPrivilege	2392	wmic.exe
Token: SeSystemProfilePrivilege	2392	wmic.exe
Token: SeSystemtimePrivilege	2392	wmic.exe
Token: SeProfSingleProcessPrivilege	2392	wmic.exe
Token: SeIncBasePriorityPrivilege	2392	wmic.exe
Token: SeCreatePagefilePrivilege	2392	wmic.exe
Token: SeBackupPrivilege	2392	wmic.exe
Token: SeRestorePrivilege	2392	wmic.exe
Token: SeShutdownPrivilege	2392	wmic.exe
Token: SeDebugPrivilege	2392	wmic.exe
Token: SeSystemEnvironmentPrivilege	2392	wmic.exe
Token: SeRemoteShutdownPrivilege	2392	wmic.exe
Token: SeUndockPrivilege	2392	wmic.exe
Token: SeManageVolumePrivilege	2392	wmic.exe
Token: 33	2392	wmic.exe
Token: 34	2392	wmic.exe
Token: 35	2392	wmic.exe
Token: 36	2392	wmic.exe
Token: SeIncreaseQuotaPrivilege	3808	wmic.exe
Token: SeSecurityPrivilege	3808	wmic.exe
Token: SeTakeOwnershipPrivilege	3808	wmic.exe
Token: SeLoadDriverPrivilege	3808	wmic.exe
Token: SeSystemProfilePrivilege	3808	wmic.exe
Token: SeSystemtimePrivilege	3808	wmic.exe
Token: SeProfSingleProcessPrivilege	3808	wmic.exe
Token: SeIncBasePriorityPrivilege	3808	wmic.exe
Token: SeCreatePagefilePrivilege	3808	wmic.exe
Token: SeBackupPrivilege	3808	wmic.exe
Token: SeRestorePrivilege	3808	wmic.exe
Token: SeShutdownPrivilege	3808	wmic.exe
Token: SeDebugPrivilege	3808	wmic.exe
Token: SeSystemEnvironmentPrivilege	3808	wmic.exe
Token: SeRemoteShutdownPrivilege	3808	wmic.exe
Token: SeUndockPrivilege	3808	wmic.exe
Token: SeManageVolumePrivilege	3808	wmic.exe
Token: 33	3808	wmic.exe
Token: 34	3808	wmic.exe
Token: 35	3808	wmic.exe
Token: 36	3808	wmic.exe
Token: SeIncreaseQuotaPrivilege	3808	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 5112	4856	3490dd70dba01c391d06076935523e2e.exe	19
PID 4856 wrote to memory of 5112	4856	3490dd70dba01c391d06076935523e2e.exe	19
PID 4856 wrote to memory of 5112	4856	3490dd70dba01c391d06076935523e2e.exe	19
PID 5112 wrote to memory of 2392	5112	bedgiecjca.exe	20
PID 5112 wrote to memory of 2392	5112	bedgiecjca.exe	20
PID 5112 wrote to memory of 2392	5112	bedgiecjca.exe	20
PID 5112 wrote to memory of 3808	5112	bedgiecjca.exe	34
PID 5112 wrote to memory of 3808	5112	bedgiecjca.exe	34
PID 5112 wrote to memory of 3808	5112	bedgiecjca.exe	34
PID 5112 wrote to memory of 3644	5112	bedgiecjca.exe	32
PID 5112 wrote to memory of 3644	5112	bedgiecjca.exe	32
PID 5112 wrote to memory of 3644	5112	bedgiecjca.exe	32
PID 5112 wrote to memory of 3572	5112	bedgiecjca.exe	31
PID 5112 wrote to memory of 3572	5112	bedgiecjca.exe	31
PID 5112 wrote to memory of 3572	5112	bedgiecjca.exe	31
PID 5112 wrote to memory of 4656	5112	bedgiecjca.exe	26
PID 5112 wrote to memory of 4656	5112	bedgiecjca.exe	26
PID 5112 wrote to memory of 4656	5112	bedgiecjca.exe	26

C:\Users\Admin\AppData\Local\Temp\3490dd70dba01c391d06076935523e2e.exe
"C:\Users\Admin\AppData\Local\Temp\3490dd70dba01c391d06076935523e2e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\bedgiecjca.exe
  C:\Users\Admin\AppData\Local\Temp\bedgiecjca.exe 5#2#0#2#9#5#4#8#7#1#6 Kk5JQjQsNSsvMhoqUVVAR0RANSkfKUlDVFVGTUdBPTwrIDAwbmlqYG1cc2hca2U7SWBlZVpmXxstREdKT0U8NjExMi8yHiY+RTw2LxoqTlJNO1A/TFhIPjgwNjcrLhwnTERMUUNSXUxNSDVhc25rOC8tam1yJj1ETUYrVE1HKD1ISS1DSURPHiY+SEE8SkM/OyAtOyw5JSofKT8wPSsoGys8LDwnLB4vQis4KSkZLj4wOy0vFypMSkhDTz5SX05JRFI5PFg3Gy1QUEY/UTtNXj9QSkE7FypMSkhDTz5SX0w4SEE1GS4/U0NfU0lHORgoRFJAXUNLO0dFRj48GipGT1FLWj5KSFZNQFA9MxcqUEA6TUVUTVVdTE1INRkuUEg7Mh4mP08pNh8pTVNOUkBIQVdQREY+TU1DQEg9Pz5UTEc7IC1ATltKTk1OREtFO2ttcV0ZLkxAUlVQRURKP1hUTUBQX0I4VE81Kx8pQ0dEQ084LRgoSE1aQllMOEhFO1hESD5QWU5LQEA1X2BmbmMgLTtKU0ZFTjs/XUlONDMyJjI0KCw3OCwoMDUYKE87TT9MSjxHW0FHUk48Skw7XVxoa14fKU9HTUM0LDArLzcvLTc2NhcqQEdQTUZKP0RdS0RJPTY2KSwyLzAnLDEiLjkuNDgyNiE8SQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827451.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827451.txt bios get version
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 952
    3⤵
    - Program crash
    PID:1880
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827451.txt bios get version
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827451.txt bios get version
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703827451.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss415F.tmp\auexhjf.dll

Filesize
158KB

MD5
1a45bce2804a4afd8f1a6250c0519126

SHA1
9a13a0fb88995915f0963fb9054b322d744ab169

SHA256
e3315c422b1d58cc03d88017a07ec7ee97c67b3da5688e61304f04987b2bf2a9

SHA512
331dae89cb933b032ee0e0430fdafc4f03be4734c711a115e18412905afcf8b7d1240e9e47ef890eec65fc8ff364207c84957aadf9a6ab684c9b7e3e337116a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss415F.tmp\auexhjf.dll

Filesize
92KB

MD5
e09375942516978a5bc976cb653b43dd

SHA1
fb076daa5db37024357852a79419e85555cd07ec

SHA256
466aaf57c7363743dcd5c3f4813adf58848249f536fed932063397db8f59e60a

SHA512
0c3c71ad14ac127557c47e36864b0d9785ccdd44fbc3aabb5d5702d929d75e08a72ede5a665785dee8157eeb1147c5fb1b5548628a92857e7a9f817754556ebd

Download Submit