13c8992d6dbb3b30d7f4855ff9915989602ce2a4cb85a44635f7c2f721580ba8

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da6cbc96d073d960584c4c0e7b6b1d6.exe
Size

695KB
MD5

6da6cbc96d073d960584c4c0e7b6b1d6
SHA1

602c028c73a57d10078c027d492878a88d7f4320
SHA256

13c8992d6dbb3b30d7f4855ff9915989602ce2a4cb85a44635f7c2f721580ba8
SHA512

0f26965717a2449e276d68a620659a94e3dc91301246b4e88219a5f51324c8f54156ff8c2507560a2947b8a7a4ce117ee7cd03b08ab8c58a16ac2bf7bda90afa
SSDEEP

12288:31L3NlXe4dmcUtf6830wJtU931el+oO/9S9aC9xzWs/E2d1fc8vy4ht:316YlUtfpLJmsdcS9aCzzncWK86s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	bedgedcfca.exe

Loads dropped DLL 11 IoCs

pid	Process
2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe
2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe
2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe
2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	2792	WerFault.exe	12

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2332	wmic.exe
Token: SeSecurityPrivilege	2332	wmic.exe
Token: SeTakeOwnershipPrivilege	2332	wmic.exe
Token: SeLoadDriverPrivilege	2332	wmic.exe
Token: SeSystemProfilePrivilege	2332	wmic.exe
Token: SeSystemtimePrivilege	2332	wmic.exe
Token: SeProfSingleProcessPrivilege	2332	wmic.exe
Token: SeIncBasePriorityPrivilege	2332	wmic.exe
Token: SeCreatePagefilePrivilege	2332	wmic.exe
Token: SeBackupPrivilege	2332	wmic.exe
Token: SeRestorePrivilege	2332	wmic.exe
Token: SeShutdownPrivilege	2332	wmic.exe
Token: SeDebugPrivilege	2332	wmic.exe
Token: SeSystemEnvironmentPrivilege	2332	wmic.exe
Token: SeRemoteShutdownPrivilege	2332	wmic.exe
Token: SeUndockPrivilege	2332	wmic.exe
Token: SeManageVolumePrivilege	2332	wmic.exe
Token: 33	2332	wmic.exe
Token: 34	2332	wmic.exe
Token: 35	2332	wmic.exe
Token: SeIncreaseQuotaPrivilege	2332	wmic.exe
Token: SeSecurityPrivilege	2332	wmic.exe
Token: SeTakeOwnershipPrivilege	2332	wmic.exe
Token: SeLoadDriverPrivilege	2332	wmic.exe
Token: SeSystemProfilePrivilege	2332	wmic.exe
Token: SeSystemtimePrivilege	2332	wmic.exe
Token: SeProfSingleProcessPrivilege	2332	wmic.exe
Token: SeIncBasePriorityPrivilege	2332	wmic.exe
Token: SeCreatePagefilePrivilege	2332	wmic.exe
Token: SeBackupPrivilege	2332	wmic.exe
Token: SeRestorePrivilege	2332	wmic.exe
Token: SeShutdownPrivilege	2332	wmic.exe
Token: SeDebugPrivilege	2332	wmic.exe
Token: SeSystemEnvironmentPrivilege	2332	wmic.exe
Token: SeRemoteShutdownPrivilege	2332	wmic.exe
Token: SeUndockPrivilege	2332	wmic.exe
Token: SeManageVolumePrivilege	2332	wmic.exe
Token: 33	2332	wmic.exe
Token: 34	2332	wmic.exe
Token: 35	2332	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe
Token: 33	2580	wmic.exe
Token: 34	2580	wmic.exe
Token: 35	2580	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2792	2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe	12
PID 2448 wrote to memory of 2792	2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe	12
PID 2448 wrote to memory of 2792	2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe	12
PID 2448 wrote to memory of 2792	2448	6da6cbc96d073d960584c4c0e7b6b1d6.exe	12
PID 2792 wrote to memory of 2332	2792	bedgedcfca.exe	11
PID 2792 wrote to memory of 2332	2792	bedgedcfca.exe	11
PID 2792 wrote to memory of 2332	2792	bedgedcfca.exe	11
PID 2792 wrote to memory of 2332	2792	bedgedcfca.exe	11
PID 2792 wrote to memory of 2580	2792	bedgedcfca.exe	8
PID 2792 wrote to memory of 2580	2792	bedgedcfca.exe	8
PID 2792 wrote to memory of 2580	2792	bedgedcfca.exe	8
PID 2792 wrote to memory of 2580	2792	bedgedcfca.exe	8
PID 2792 wrote to memory of 3008	2792	bedgedcfca.exe	6
PID 2792 wrote to memory of 3008	2792	bedgedcfca.exe	6
PID 2792 wrote to memory of 3008	2792	bedgedcfca.exe	6
PID 2792 wrote to memory of 3008	2792	bedgedcfca.exe	6
PID 2792 wrote to memory of 2236	2792	bedgedcfca.exe	4
PID 2792 wrote to memory of 2236	2792	bedgedcfca.exe	4
PID 2792 wrote to memory of 2236	2792	bedgedcfca.exe	4
PID 2792 wrote to memory of 2236	2792	bedgedcfca.exe	4
PID 2792 wrote to memory of 2508	2792	bedgedcfca.exe	2
PID 2792 wrote to memory of 2508	2792	bedgedcfca.exe	2
PID 2792 wrote to memory of 2508	2792	bedgedcfca.exe	2
PID 2792 wrote to memory of 2508	2792	bedgedcfca.exe	2
PID 2792 wrote to memory of 1492	2792	bedgedcfca.exe	13
PID 2792 wrote to memory of 1492	2792	bedgedcfca.exe	13
PID 2792 wrote to memory of 1492	2792	bedgedcfca.exe	13
PID 2792 wrote to memory of 1492	2792	bedgedcfca.exe	13

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703712853.txt bios get version
1⤵
PID:2508

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703712853.txt bios get version
1⤵
PID:2236

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703712853.txt bios get version
1⤵
PID:3008

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703712853.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703712853.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Users\Admin\AppData\Local\Temp\bedgedcfca.exe
C:\Users\Admin\AppData\Local\Temp\bedgedcfca.exe 1^4^1^3^2^2^8^7^1^8^6 LkxIQTsvMSw1KxouT1Q/Tkc8Ni8YKU1BU1RNUENCQzUrJC4vbXBtXG5ibGhgaWQ6UGNhZmBfXx8rQ0ZRUkE9PCoxNi0xHS1BQT08KBouTFFMQlM7TV5BPjwuNTYyMRgoUj1MVUFRXFNQRDZnbG5vNi4scXBuJ0M9TUopU0xOKzlJTyZDTUJOHS1BREJCQ0NDOR8sQi81JjAYKUMuPCovHic9MjUnMBwuQTI7JSofJz40OSwuHi1IS048T0JQXk1QR046QlE3HytPT01CTTxTVz9USEA6Hi1IS048T0JQXks/Sz02Hyc/V0FeUlBKNRkuPVJEW0JKQkpBR0Q1Gi5ETlBSXTpLTk9NRE48Mh4tTEFARkVYS1RcU1BENh8nUEw5MR0tQksqPBgpUVFNUUdLPVhWPUZCS0xCR0s5QERNTEs5HyxHUVdLVEZOSElEOnJwbV4fJ0xEUFRPTEdGQF5NTUROXkE/V0s2MRgpR0VDQlY7KRkuQU1eQFhLP0tBPF49SEJOWE1SQzw2ZVlmcmEfLEJNT0dLRztDW0hNOzYsJzAtKy0tMjIsMC0tHydKQE5ASUpDRFhIRk1TPUtJO2RZZXJdGi5QSEpDOyktMi4uMjE3LjYeJz1OT0hLS0BBXVJBRkQ1MS41Li8uLy0jODIvNTY0NSg/RQ==
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 372
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1492

C:\Users\Admin\AppData\Local\Temp\6da6cbc96d073d960584c4c0e7b6b1d6.exe
"C:\Users\Admin\AppData\Local\Temp\6da6cbc96d073d960584c4c0e7b6b1d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703712853.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703712853.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703712853.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgedcfca.exe

Filesize
1.1MB

MD5
297a7345228a32c5453469be51750900

SHA1
d638d9509b73328ee77f2f90f440949a227ef1fc

SHA256
12da4bb2fc29f25e2a6c940195dccdac5fa6a11e4f7435020e2e02ea5598803d

SHA512
114b374b32e20edf186b2c6cff634454f4e52db9a16bfca26ddfcaed4d8b4486253361f8e028af9c49ca7144052f35fdc8dc07c23c76da742812e760d38b17a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7782.tmp\qlbxjrk.dll

Filesize
166KB

MD5
68705fcc947dd8e44856c37fee389c71

SHA1
18074eb0e2251f76201fd1f1b0f53b30939999dc

SHA256
e87e8f655ea2bca3ee19a827fb9be7eb3ca566bf1b343d5739ee701d48067a2e

SHA512
677793583d73311517ced5ec1678574296747361d4e6bb3699b5d4a8a00785c36b58c76dae52965dad6a39a9cdc8f90182f765de55603e4e712391df62a184bf

Download Submit
\Users\Admin\AppData\Local\Temp\bedgedcfca.exe

Filesize
768KB

MD5
1e8a698998d46554a3bee34759456feb

SHA1
873c244b61d02d0c3f51a8af03fb9a9362778aa1

SHA256
7561bee6e75ad26b8c371810cc8aaa3208cc6dcac15c22ebfee2922adfc64005

SHA512
bab2f30a2f239f87a8374978bc49ed0e3f274cae3533ec395a4f6cb2c43acf1f76fc023e38a4a0b8293efc2759f95cbac25d755f2debfc3cfcfe0bc41af315d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7782.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit