159cce80d1643bdf9bc172b6b5ee489d77ce3efef6df3f69b38df652f6c81d8a

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

608e0fee685f4685cd02d9b01152e3e1.exe
Size

695KB
MD5

608e0fee685f4685cd02d9b01152e3e1
SHA1

4bf98b5547e5903cf53e16b2797fe763d43f112f
SHA256

159cce80d1643bdf9bc172b6b5ee489d77ce3efef6df3f69b38df652f6c81d8a
SHA512

b5e264526f58c86b138ed25856e75d6443e95c19876700bd97fba3fb3214303966c9eb1056ac3128d7f364c4d75a7d1206a1fc51a257efcef9cca797c9506bfc
SSDEEP

12288:laBSKhGt61EOV5+Mj0u0VptEbMYXsYK4rzvXDJi/dfc8vy4h/:laBSfk1robebMcsyr7lX86M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	bedgdijdca.exe

Loads dropped DLL 11 IoCs

pid	Process
312	608e0fee685f4685cd02d9b01152e3e1.exe
312	608e0fee685f4685cd02d9b01152e3e1.exe
312	608e0fee685f4685cd02d9b01152e3e1.exe
312	608e0fee685f4685cd02d9b01152e3e1.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
800	1352	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2628	wmic.exe
Token: SeSecurityPrivilege	2628	wmic.exe
Token: SeTakeOwnershipPrivilege	2628	wmic.exe
Token: SeLoadDriverPrivilege	2628	wmic.exe
Token: SeSystemProfilePrivilege	2628	wmic.exe
Token: SeSystemtimePrivilege	2628	wmic.exe
Token: SeProfSingleProcessPrivilege	2628	wmic.exe
Token: SeIncBasePriorityPrivilege	2628	wmic.exe
Token: SeCreatePagefilePrivilege	2628	wmic.exe
Token: SeBackupPrivilege	2628	wmic.exe
Token: SeRestorePrivilege	2628	wmic.exe
Token: SeShutdownPrivilege	2628	wmic.exe
Token: SeDebugPrivilege	2628	wmic.exe
Token: SeSystemEnvironmentPrivilege	2628	wmic.exe
Token: SeRemoteShutdownPrivilege	2628	wmic.exe
Token: SeUndockPrivilege	2628	wmic.exe
Token: SeManageVolumePrivilege	2628	wmic.exe
Token: 33	2628	wmic.exe
Token: 34	2628	wmic.exe
Token: 35	2628	wmic.exe
Token: SeIncreaseQuotaPrivilege	2628	wmic.exe
Token: SeSecurityPrivilege	2628	wmic.exe
Token: SeTakeOwnershipPrivilege	2628	wmic.exe
Token: SeLoadDriverPrivilege	2628	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 1352	312	608e0fee685f4685cd02d9b01152e3e1.exe	28
PID 312 wrote to memory of 1352	312	608e0fee685f4685cd02d9b01152e3e1.exe	28
PID 312 wrote to memory of 1352	312	608e0fee685f4685cd02d9b01152e3e1.exe	28
PID 312 wrote to memory of 1352	312	608e0fee685f4685cd02d9b01152e3e1.exe	28
PID 1352 wrote to memory of 2828	1352	bedgdijdca.exe	29
PID 1352 wrote to memory of 2828	1352	bedgdijdca.exe	29
PID 1352 wrote to memory of 2828	1352	bedgdijdca.exe	29
PID 1352 wrote to memory of 2828	1352	bedgdijdca.exe	29
PID 1352 wrote to memory of 2628	1352	bedgdijdca.exe	33
PID 1352 wrote to memory of 2628	1352	bedgdijdca.exe	33
PID 1352 wrote to memory of 2628	1352	bedgdijdca.exe	33
PID 1352 wrote to memory of 2628	1352	bedgdijdca.exe	33
PID 1352 wrote to memory of 2656	1352	bedgdijdca.exe	35
PID 1352 wrote to memory of 2656	1352	bedgdijdca.exe	35
PID 1352 wrote to memory of 2656	1352	bedgdijdca.exe	35
PID 1352 wrote to memory of 2656	1352	bedgdijdca.exe	35
PID 1352 wrote to memory of 1992	1352	bedgdijdca.exe	37
PID 1352 wrote to memory of 1992	1352	bedgdijdca.exe	37
PID 1352 wrote to memory of 1992	1352	bedgdijdca.exe	37
PID 1352 wrote to memory of 1992	1352	bedgdijdca.exe	37
PID 1352 wrote to memory of 2624	1352	bedgdijdca.exe	39
PID 1352 wrote to memory of 2624	1352	bedgdijdca.exe	39
PID 1352 wrote to memory of 2624	1352	bedgdijdca.exe	39
PID 1352 wrote to memory of 2624	1352	bedgdijdca.exe	39
PID 1352 wrote to memory of 800	1352	bedgdijdca.exe	40
PID 1352 wrote to memory of 800	1352	bedgdijdca.exe	40
PID 1352 wrote to memory of 800	1352	bedgdijdca.exe	40
PID 1352 wrote to memory of 800	1352	bedgdijdca.exe	40

C:\Users\Admin\AppData\Local\Temp\608e0fee685f4685cd02d9b01152e3e1.exe
"C:\Users\Admin\AppData\Local\Temp\608e0fee685f4685cd02d9b01152e3e1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Local\Temp\bedgdijdca.exe
  C:\Users\Admin\AppData\Local\Temp\bedgdijdca.exe 7)1)7)0)3)5)8)6)0)5)9 KE9CRDosMS02LhcoUk5CTUQ8NzAbJkdETVdMTUNDRDgoHjEpcG9qXG9jb2VabF49T2BhZ2FiXBkuPUlQT0E+PS0uMDArICw+QT49KxcoT0tPQVA7Tl9EOzYxLzkxLhgpU0BJT0RLX1JNRDdob2tpOSgvcG1uKERASkQsTU9NKDlKUClAR0VIICw+RENDRkA9PBkvQSw1JzEbJj0xNi0uGyc+MzgkKh8oRDE4JSsgKjsuPCYxHSpITE8/TDxTWFBPRE47Q1Q0GS5JUkw/TT1UWjxOSzo9HSpITE8/TDxTWE4+SD03ICo8UURYVU9HNRovQE8+XjxNQUdBSEU4FyhHSFNRWjpMT1JKPlE2NR0qTEJBSUJSTk5fUk1ENyAqTUY8KyAsP0srPRsmS1RHVEZIPVlXQEM8TkZFRkg5QUVQSUU8GS9GTldMVUlLQkw+PXFtbV8gKkk+U05SS0RGQV9QSj5RWEQ+VEs3MhsmQUg9RVU4KRovREpYQ1JOPkhBPV9ARTxRUlBRQDw3ZlxjbGQZL0FKT0hMSjg9XkJQOi0pMS4sKDEtMDkrLigaL0s4S0BFTEJHV0NOTks6S0U9Y1xkbWUbJk1IRkU6LCwtNi4wLzYrOB0qPElXSUNIQD1fUURFPz0yJjEuKzAuMCIrMTUnLjkrOCdLRQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703686957.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703686957.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703686957.txt bios get version
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703686957.txt bios get version
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703686957.txt bios get version
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703686957.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703686957.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703686957.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
832KB

MD5
b3c90a3dff9013828481e002f6d674b0

SHA1
03acee8ca0f2f9212cdfb7ea3b5826609094a335

SHA256
43084aae53390ae91f843a7b00590df097f82f846e87fcbc4c1245a36bc2e972

SHA512
973f1ab9526376e52f4e7a0e0c85090958858d18db2606090d14583466d97b5f4cc49353a75949fb05460558ad6943db50165b602a2b376252184bbe960a50ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso50A1.tmp\qgiqemy.dll

Filesize
166KB

MD5
74550509a1c1e57e5d6d29dec03a9c1b

SHA1
2dae29485a19eec66ced686aa1afe930f763739b

SHA256
0cd21772df76df7faf8e3991c90031f9ef4bd82f3a746416161ab882bdc9064c

SHA512
36ef4a15242d4aed82eb36cc2ae6c9705dd36ab60950fdcbca3b8522bd893e81c62675ecb8742b81714535d1af5017831d1b1a85fdd5527bbb990d5fa1714b19

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
1.1MB

MD5
e5abc6a71a99cd5f1c4d06b329c76fd7

SHA1
424eb98e6a9871734ae064f1ba2708635f3c98a0

SHA256
6c13a72c3430724538a905e6462c2ade9479ad8ade0ad6c4cbd46715e03dde65

SHA512
d4d23f8863490c70390c72daa743726b5e54f5dad15b33b2b5d79d32ca50e584374efe217465aaccc89410fbd6939d32a8e360f28ee55379b940ad20f388411f

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
348KB

MD5
a80c8ee7c180cab25cf95c0eab73de79

SHA1
4f3442ddd91dc195c0849436050b0e6b6c8a134f

SHA256
1db49f2ac227275b73270438d798975e1af723770950014ff5ecabc47892f7ca

SHA512
4a566f11501cc58ea5b8905ae97fc66ebb25545503efddf83de9fd77790b8efd3c0c98a562a151d1728f18697d54c1b9043ef3f88ba01bd58f0ba814d70fe896

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
365KB

MD5
a8a3db38eeab0001ed6c06b3d64de26d

SHA1
a0afc21b8e19110674c1e8c5960d509fbcb3b765

SHA256
97edbea052e3a985a761918f301ee33bcdcecd216fd76085ef8df950598ae396

SHA512
96647a92cd9a9843b840744c38a16687769c7e4d978e8023e5975dc547bf26134c8216ca90437e056fd1684716c353eb837c3ce51a872092e9f08e04b55bd9e9

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
138KB

MD5
274eb6f2b5c6a1895d183f1e9ed05f96

SHA1
c809ef4e9ee41fca34500dc96f3b5e4c2253b4c8

SHA256
4bb478035fe252c2270652b1dcdee4846ff633bb1cea8681d92cf1e59b16f3a8

SHA512
0a731cdcd34da9996ddb68ed8d6a41c8e88bbc68829cd340aa5495ec5c10508b1ae95a599eb86f7b5d9ad0d719d5204604ffaea94342cb9c669914b92f8ad22a

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
197KB

MD5
2f990bd1bdd0a73486cce90ba7d8ea28

SHA1
cf3521d3cd2d1ef6f14c40a58acf39cfa3fcc81c

SHA256
c4bf0f9ecacb8c8e704792c97bd53782c3e49a5257f25a54208e84d3c7b9b3e0

SHA512
d3111e325bdac9d8c645b4cce295af403956d1c51d15878aadd59bc3c109c68e7b808cecb796024f6e011361205523b6528c9c1bfff11d551f69a0494bdff5b3

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
460KB

MD5
ad80d3edc6b1eaa27f69bb38f4db188c

SHA1
9c17c1564f08cfaa97edaf221df12a8f146f0329

SHA256
315227bc381cc4fe42201e4e3138b875c77a223bd05e1bb0a6329c39b0b04ba3

SHA512
f2f8e52c25b9c4b9fc73f9bfbf37645e142c6d50c215ccd4f4702ca15c792fbf26703c875b20fa1f4c159cc9bfe97ecc50649de6060a3ecd5d4d8d4013ae466a

Download Submit
\Users\Admin\AppData\Local\Temp\bedgdijdca.exe

Filesize
32KB

MD5
b3f1477418f76b7268c7599645b3d5d5

SHA1
08bc03b892a1c5f776eb847d1b4abf43c768e991

SHA256
72904d2fe013caef5bc58dc99951d194293ac4618166ae78fa364d5084ef2d0f

SHA512
f2e6876b7f22d6a97753d293d86d7d84d32f27ac6836acc595096234b99ae683d7b6b41031ef467fb3db58b87ca01d6acd009aa18d7025ee2e434cc8c3d14fcd

Download Submit
\Users\Admin\AppData\Local\Temp\nso50A1.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit