20e1ca6bbaaaa4490fd5b79b96b3ea50f9087b4f60d94d0070b0434f8e52baaa

Analysis

max time kernel
121s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04cb3c733ed7264145a31f39b88e51f7.exe
Size

695KB
MD5

04cb3c733ed7264145a31f39b88e51f7
SHA1

acba6990b3312cf26b2e56943a299c4a09eb55cf
SHA256

20e1ca6bbaaaa4490fd5b79b96b3ea50f9087b4f60d94d0070b0434f8e52baaa
SHA512

8855a2df08f24f7371337250b41ddd55c2571222fae8aea0007c98ef63b77a858ba46170412b65ada33c91a21c1b1a8e53671436ba7432ee8bccf468a396b936
SSDEEP

12288:m+jMaqkR1vmJqyPDtvDS21keiZU7h6xG+XOWTfD3q/RShhLgUM+fc8vy4hL:m+jMJkR1gqyJvu2KZZU7h0G+RL5h1K8j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2228	bedgeeddca.exe

Loads dropped DLL 11 IoCs

pid	Process
2904	04cb3c733ed7264145a31f39b88e51f7.exe
2904	04cb3c733ed7264145a31f39b88e51f7.exe
2904	04cb3c733ed7264145a31f39b88e51f7.exe
2904	04cb3c733ed7264145a31f39b88e51f7.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	2228	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2228	2904	04cb3c733ed7264145a31f39b88e51f7.exe	30
PID 2904 wrote to memory of 2228	2904	04cb3c733ed7264145a31f39b88e51f7.exe	30
PID 2904 wrote to memory of 2228	2904	04cb3c733ed7264145a31f39b88e51f7.exe	30
PID 2904 wrote to memory of 2228	2904	04cb3c733ed7264145a31f39b88e51f7.exe	30
PID 2228 wrote to memory of 2644	2228	bedgeeddca.exe	31
PID 2228 wrote to memory of 2644	2228	bedgeeddca.exe	31
PID 2228 wrote to memory of 2644	2228	bedgeeddca.exe	31
PID 2228 wrote to memory of 2644	2228	bedgeeddca.exe	31
PID 2228 wrote to memory of 2844	2228	bedgeeddca.exe	34
PID 2228 wrote to memory of 2844	2228	bedgeeddca.exe	34
PID 2228 wrote to memory of 2844	2228	bedgeeddca.exe	34
PID 2228 wrote to memory of 2844	2228	bedgeeddca.exe	34
PID 2228 wrote to memory of 2692	2228	bedgeeddca.exe	37
PID 2228 wrote to memory of 2692	2228	bedgeeddca.exe	37
PID 2228 wrote to memory of 2692	2228	bedgeeddca.exe	37
PID 2228 wrote to memory of 2692	2228	bedgeeddca.exe	37
PID 2228 wrote to memory of 2948	2228	bedgeeddca.exe	38
PID 2228 wrote to memory of 2948	2228	bedgeeddca.exe	38
PID 2228 wrote to memory of 2948	2228	bedgeeddca.exe	38
PID 2228 wrote to memory of 2948	2228	bedgeeddca.exe	38
PID 2228 wrote to memory of 2816	2228	bedgeeddca.exe	40
PID 2228 wrote to memory of 2816	2228	bedgeeddca.exe	40
PID 2228 wrote to memory of 2816	2228	bedgeeddca.exe	40
PID 2228 wrote to memory of 2816	2228	bedgeeddca.exe	40
PID 2228 wrote to memory of 2256	2228	bedgeeddca.exe	42
PID 2228 wrote to memory of 2256	2228	bedgeeddca.exe	42
PID 2228 wrote to memory of 2256	2228	bedgeeddca.exe	42
PID 2228 wrote to memory of 2256	2228	bedgeeddca.exe	42

C:\Users\Admin\AppData\Local\Temp\04cb3c733ed7264145a31f39b88e51f7.exe
"C:\Users\Admin\AppData\Local\Temp\04cb3c733ed7264145a31f39b88e51f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\bedgeeddca.exe
  C:\Users\Admin\AppData\Local\Temp\bedgeeddca.exe 7#2#0#3#9#0#5#3#2#8#9 KE5JQTQxNDA0KxcoUVU/R0k/Oi4YJkdDVFRGUkZGQjUoHjAwbWlvX3JhbGVaa2U6SWVkal9fXBktREZKVERBOyouMC8yHSZDREE7KBcoTlJMO1U+UV1BOzYwNjYrMxssUT1JT0NSXExSRzpmbGtpOC8sanJxK0I9SkQrVExHLTxNTiZAR0RPHSZDR0ZBQ0A9OyAsOzE4Ki8YJj0wPSooICpBMTUkKh4vQSs9KC4eJzsuOy0uFy9LT008TDxSX01JSVE+QVE0GS1QT0ZEUEBSVzxOSkE6Fy9LT008TDxSX0s4TUA6Hic8UUNfUklMOB0tPU8+XUNKO0xES0M1FyhGT1BLXz1PTU9KPlA9MhcvT0U/RkJSTVVcTFJHOh4nTUY7Mh0mRE4uOxgmS1NOUUBNQFxVPUM8TU1CQE08RENNSUU7ICxAU1pPU0ZLQktFOmtycGIeJ0k+UlVPRUlJRF1NSj5QX0E4WU46MBgmQUdEQk89LB0tQUpYQllLOE1EQF09RTxQWU1LRT86ZFljbGMgLDtPUktKRzg9XUlNNDgsKzYqJSsuMyswMxssTjlJOkpMQkNfREtRTDhFSj1jWGxuYh4nS0JLRTooNC4zMiwvMTc5HSZESlRMREY6Ql9RQE1AOjUnMCgwMC4sKiw3MSwxLjcqTUQ=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703904251.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703904251.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703904251.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703904251.txt bios get version
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703904251.txt bios get version
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703904251.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
1.0MB

MD5
abec42af38d7eafb06885c00da6acb24

SHA1
4ba7f3b89b5445beb1e6e61fd0c86107abee4f62

SHA256
59633dc8e1f5e56e5b3241265b62fd13cd122eabee37ec429e0d12c2a3924c60

SHA512
099e61898666d0580b70bd12519284d71149ff513960fce818ad0de078ec89d2471cd1c2244e9ce00cae6d8eda162dd9aefae655977caf9ae7a06e02d414ffad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
823KB

MD5
2cccff7fd92bf1254c187f3c716dd40a

SHA1
98bc4e94721dd1677649818d0070991bd8723245

SHA256
0f7e91ca74f4dfb7d9770100d7e98802ed3b90900766970168b72a7777e56264

SHA512
c3b6d06138ad28831da6db80b7921076d1953ce7cf7aaa24ac0e95b17db4ab0610303dff341f9f5d1340909ebe290997df61e5a80f0c89a831e86ef31f2a2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso10E3.tmp\kgffmfg.dll

Filesize
166KB

MD5
3d0d98a345ffc429ef44d930bdb35346

SHA1
98e1e51f36d670b6817dac7b8e5a0b89d4393ef8

SHA256
49c8ae410145a399ef72f2919df9f1708d9130740852b6b7485a07f25fce3a59

SHA512
f826a7533ad34a4d689ab571e3ae08eac051720e21a275454de3d7873635a0c8c1e6b0fd23866e06ee602856542a6f4c9e60f0f001b5220d55a1bcc589d2e722

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
1.1MB

MD5
ff9d9a6aaf4ee603a6001a39969c66cc

SHA1
6c1e0766a79d2045189c6c21d7f7fab56b628bdf

SHA256
11cdf8d8bde8ef07cfcf97fe00e2ae9806134849ead3d2120e15216d93e71655

SHA512
4397daf78f0fe17913a1d660d1fb6825dfe670a46bfcb2800cf046ffe7d7f6bfceaf7ed3298e03dd57385ee0dcb1b0bae2376bc268522c1fea2443f4cb8107d3

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
644KB

MD5
9dfa81105fb39a44ccea4009d3b7945f

SHA1
fbfbc23e305bcb77e55a3aaafabffb83a3f34f48

SHA256
68760b23e972512e5f4cf0846bac5e3b07965ab17c0ee66612f26c0ca171edaf

SHA512
a6a895a70441c537bc13d82382c3376333378dce3c25f09db4c74da02c82a4cb8891f2689467141d23f6e1a9ea814c7bb3d51873f3fb932723eef47a0c3e136b

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
883KB

MD5
dfd18e02951fcc35569f049a9fb8f229

SHA1
f96a61ccbab05093f1544339fcb7c53cda243c8a

SHA256
96b2cadfa542d142649e7d2fad48d9c651fe20e85e15feff580fe2e266b97f80

SHA512
93a2718c4195a454a73a0df21ef853ff85a52f3bc99a761f497a9d33b574e9becb7fe25cd870264e4876d2ae4c9f6285e8280b1de5d7df42a190e07162fdd5eb

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
879KB

MD5
e86eadffcca0096aea4c4ec8cf59f791

SHA1
dce8b87ce87be9935d99b6c35819b44eb2833ef0

SHA256
fe087b4df320f636e97fc4b7213eebae049b6959fd37382cebc7c0da7153cf6c

SHA512
dfeb9cc19c7adf0a8c06fc1124ba09acf91cee3a984108a7971a6734dd5447083e07002f7b26430429bd3ce5e31c088038a05b8dda37c45497e665f47a8137ea

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
1.0MB

MD5
f831acc2121461af1a0a0adb099f5363

SHA1
af6391814bcf94cd9daf2bb2876dcba96e32ae8c

SHA256
2f4ddfaaf97611b6a6fc0119c8248c3f7ffc39398023b5c15b8c567547758350

SHA512
d962449016db6b8399f6ea42f5929f28356665d0cb9a490945ca159dbb204fc1765db4a2ca6c7d3ee341fae5498668fe538d2c0060343cc96231edeebd948dc4

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeeddca.exe

Filesize
664KB

MD5
ae7c6eaa57ca1aae382e122581d11979

SHA1
73d8891f062de81580fe4341867f065e45ad5574

SHA256
5e43ffa2d65f92d247f4685cdfabcf6c4819e53e3d98cd23c1eeb5fc2f14d9f4

SHA512
c5d96e98ed27532a62b76facefdf8506e9e28ae11e02756ae02c435bc15067887558b35ff5b39d818b6a395cce90a2af56aed95c84ddc90f0cc078e32c3a029a

Download Submit
\Users\Admin\AppData\Local\Temp\nso10E3.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit