226dc9147d7395a18d7cde61fb8798ba07a25a85828b68fad6103c5581ecbd4f

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

793ecb02ec84ea4c5e06d998195ab019.exe
Size

644KB
MD5

793ecb02ec84ea4c5e06d998195ab019
SHA1

3e9cf0e8cad88ff2247ecd11ab48e92315107d8f
SHA256

226dc9147d7395a18d7cde61fb8798ba07a25a85828b68fad6103c5581ecbd4f
SHA512

6eac6ca3ed392c7cb572317cbdab2190eaaefa8f0d8713687741209ad792c459383606eebf166fc84497ec75e9fa19d2e788030aac3a9263c2b8cd3a032e0859
SSDEEP

12288:DgxIj457sC8XbgfF75YwLFGdf0AFrgbZEKrOfc8vy4hB:Dg+j4d+QNYv1XrgFEKrr866

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	bedejjgbca.exe

Loads dropped DLL 11 IoCs

pid	Process
2780	793ecb02ec84ea4c5e06d998195ab019.exe
2780	793ecb02ec84ea4c5e06d998195ab019.exe
2780	793ecb02ec84ea4c5e06d998195ab019.exe
2780	793ecb02ec84ea4c5e06d998195ab019.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2740	3056	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1704	wmic.exe
Token: SeSecurityPrivilege	1704	wmic.exe
Token: SeTakeOwnershipPrivilege	1704	wmic.exe
Token: SeLoadDriverPrivilege	1704	wmic.exe
Token: SeSystemProfilePrivilege	1704	wmic.exe
Token: SeSystemtimePrivilege	1704	wmic.exe
Token: SeProfSingleProcessPrivilege	1704	wmic.exe
Token: SeIncBasePriorityPrivilege	1704	wmic.exe
Token: SeCreatePagefilePrivilege	1704	wmic.exe
Token: SeBackupPrivilege	1704	wmic.exe
Token: SeRestorePrivilege	1704	wmic.exe
Token: SeShutdownPrivilege	1704	wmic.exe
Token: SeDebugPrivilege	1704	wmic.exe
Token: SeSystemEnvironmentPrivilege	1704	wmic.exe
Token: SeRemoteShutdownPrivilege	1704	wmic.exe
Token: SeUndockPrivilege	1704	wmic.exe
Token: SeManageVolumePrivilege	1704	wmic.exe
Token: 33	1704	wmic.exe
Token: 34	1704	wmic.exe
Token: 35	1704	wmic.exe
Token: SeIncreaseQuotaPrivilege	1704	wmic.exe
Token: SeSecurityPrivilege	1704	wmic.exe
Token: SeTakeOwnershipPrivilege	1704	wmic.exe
Token: SeLoadDriverPrivilege	1704	wmic.exe
Token: SeSystemProfilePrivilege	1704	wmic.exe
Token: SeSystemtimePrivilege	1704	wmic.exe
Token: SeProfSingleProcessPrivilege	1704	wmic.exe
Token: SeIncBasePriorityPrivilege	1704	wmic.exe
Token: SeCreatePagefilePrivilege	1704	wmic.exe
Token: SeBackupPrivilege	1704	wmic.exe
Token: SeRestorePrivilege	1704	wmic.exe
Token: SeShutdownPrivilege	1704	wmic.exe
Token: SeDebugPrivilege	1704	wmic.exe
Token: SeSystemEnvironmentPrivilege	1704	wmic.exe
Token: SeRemoteShutdownPrivilege	1704	wmic.exe
Token: SeUndockPrivilege	1704	wmic.exe
Token: SeManageVolumePrivilege	1704	wmic.exe
Token: 33	1704	wmic.exe
Token: 34	1704	wmic.exe
Token: 35	1704	wmic.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	2784	wmic.exe
Token: SeSecurityPrivilege	2784	wmic.exe
Token: SeTakeOwnershipPrivilege	2784	wmic.exe
Token: SeLoadDriverPrivilege	2784	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3056	2780	793ecb02ec84ea4c5e06d998195ab019.exe	30
PID 2780 wrote to memory of 3056	2780	793ecb02ec84ea4c5e06d998195ab019.exe	30
PID 2780 wrote to memory of 3056	2780	793ecb02ec84ea4c5e06d998195ab019.exe	30
PID 2780 wrote to memory of 3056	2780	793ecb02ec84ea4c5e06d998195ab019.exe	30
PID 3056 wrote to memory of 1704	3056	bedejjgbca.exe	19
PID 3056 wrote to memory of 1704	3056	bedejjgbca.exe	19
PID 3056 wrote to memory of 1704	3056	bedejjgbca.exe	19
PID 3056 wrote to memory of 1704	3056	bedejjgbca.exe	19
PID 3056 wrote to memory of 2452	3056	bedejjgbca.exe	29
PID 3056 wrote to memory of 2452	3056	bedejjgbca.exe	29
PID 3056 wrote to memory of 2452	3056	bedejjgbca.exe	29
PID 3056 wrote to memory of 2452	3056	bedejjgbca.exe	29
PID 3056 wrote to memory of 2784	3056	bedejjgbca.exe	27
PID 3056 wrote to memory of 2784	3056	bedejjgbca.exe	27
PID 3056 wrote to memory of 2784	3056	bedejjgbca.exe	27
PID 3056 wrote to memory of 2784	3056	bedejjgbca.exe	27
PID 3056 wrote to memory of 2660	3056	bedejjgbca.exe	26
PID 3056 wrote to memory of 2660	3056	bedejjgbca.exe	26
PID 3056 wrote to memory of 2660	3056	bedejjgbca.exe	26
PID 3056 wrote to memory of 2660	3056	bedejjgbca.exe	26
PID 3056 wrote to memory of 2440	3056	bedejjgbca.exe	23
PID 3056 wrote to memory of 2440	3056	bedejjgbca.exe	23
PID 3056 wrote to memory of 2440	3056	bedejjgbca.exe	23
PID 3056 wrote to memory of 2440	3056	bedejjgbca.exe	23
PID 3056 wrote to memory of 2740	3056	bedejjgbca.exe	25
PID 3056 wrote to memory of 2740	3056	bedejjgbca.exe	25
PID 3056 wrote to memory of 2740	3056	bedejjgbca.exe	25
PID 3056 wrote to memory of 2740	3056	bedejjgbca.exe	25

C:\Users\Admin\AppData\Local\Temp\793ecb02ec84ea4c5e06d998195ab019.exe
"C:\Users\Admin\AppData\Local\Temp\793ecb02ec84ea4c5e06d998195ab019.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\bedejjgbca.exe
  C:\Users\Admin\AppData\Local\Temp\bedejjgbca.exe 9|8|7|4|8|0|2|3|6|5|4 JkhCQDUxNzAwLhwmS04+SElCOiobK0U9TVNHUklGPjgtHCopbGpvYnJdb2pYZV45SmVnaltiYRcnPUVLVEdBNy0zLikrHCdDR0E3KxwmSEtLPFVBUVlEQDQqLzUsMx4sTUBOTT1LW01SSjpib3BnMigra3J0Kz5AT0IlTUtILT9NSilFRT5IHCdDSkY9RkU7NRkrPDE7KisbKzsqNikpIC1BLTgpKBgoQCw9Ky4aKkAsNSYtGC9OT0k/UTpMWExKSVQ+PVQ5FydJTkdEU0BOWkFMRDo5GC9OT0k/UTpMWEo5TUM6GipBTz1YUUpMOx0pQFQ8VzxJPExHSz84HCZASE9MX0BPSVJPPEo2MRgvUkU7SUdQR05bTVJKOhoqUkQ1KxwnRFEuNxsrSU1HUEFNQ1xRQEg6R0ZBQU0/RD9QTkM1GStBU11PT0lQQEU+OWxyc2IaKk48TE5ORklMRFlQTzxKWEA5WVE6LBsrP0E9QVA9Lx0pRE9WPFJKOU1HQFlASjpKUkxMRUI6YFxoal0ZKzxPVUtGSj07V0JMNTEuNSgyMSUrJzAoIC1RQ0hBNCktLy0wLjErMDMXJz1LT05KTDs/W0tBRkE1Ni0vLCouJykuJjA6LzI0MDMhSEY=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3056

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2740

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
1⤵
PID:2660

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703733843.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7CF.tmp\cgeaoov.dll

Filesize
169KB

MD5
a03110895e022604b5f687675fe0bb11

SHA1
eb463085dbdb50a00a1a36d5eff0e4cd1972910b

SHA256
7cc6d4ede53e6e997ff26aaa0c4b3ab9443a4257dfc1c614f242de9910285811

SHA512
4f6219e4227e4766be2a999b7db283a572ac569e2ffde142feffa40fa70c7409f607049d3ea1ff9076fa909f86020dadfc725fc56bad53de248415eb8d8cca1d

Download Submit
\Users\Admin\AppData\Local\Temp\bedejjgbca.exe

Filesize
773KB

MD5
283fce5383ca07f550450165526317e9

SHA1
d54638c64ffb4f845cda6da1029b07406faf39eb

SHA256
3ce78665becb127f5d9538e7e141baee801d286a97df66a8cb98ee01af441117

SHA512
9bfe5a4056c36e2f79c2a24247e7af204cc0ef1f4696a502eb2abb05877a89483616860bf4303f8133607f91ccfacee0cfdfa058ae7f5c18ff0616b0e8cd4396

Download Submit
\Users\Admin\AppData\Local\Temp\bedejjgbca.exe

Filesize
381KB

MD5
50fbd0fa32c7b327fbcb0b85cd23dbc3

SHA1
ce718bd9b944669e56c141a04920404618513d84

SHA256
cc6d36a0da60becb04190561ee62627fd4c896ba2e36c4d13946164c45fbfbed

SHA512
2adcc988aeb01e146322d188293a3941c3804ccbf6770551f15f0796e21a2484c465d27725aefb72f1f6fa43e4bd12735b5ff3e50ec01080fd96b4c1cd726d75

Download Submit
\Users\Admin\AppData\Local\Temp\bedejjgbca.exe

Filesize
92KB

MD5
e8799f0bd94d2abcda37180f0083322d

SHA1
203fe7d9f98948ecc1dc54f3ae1a581f11304f64

SHA256
757156ac580989292a41ed24adede8b5502f00eae9c59b352aa102d6d7ff3693

SHA512
523f3fdde7bb1134d0db5b453016dba59428c7f83eef183ca889df6bfb8d03f96ca6c9721c303a494a44798942efc1542aec06157b8f7faa81fa30826cbb0b50

Download Submit
\Users\Admin\AppData\Local\Temp\nso7CF.tmp\ZipDLL.dll

Filesize
93KB

MD5
6fe752e22ab04bf2171f160eeaa273f9

SHA1
9c6878ba59cdfd631823c614a76f9ff575fd784d

SHA256
4dfd3458cc1b83ca7d6462b9992818240b2563a66e0cd3170d91eadc4a32a5de

SHA512
91be6cd844061f267052f156948fa947670713521186817a7411414c82cdc5f19e6daa90f7e590796dda8d2c0281094ae15eeecbe43dabe4f772c7cbeed4df58

Download Submit