2416a4642063f854d89949ee781ddd1bb3996d1848f5a78a9a626692e3e1e930

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085ab77b196e0c91eccbb410df82df16.exe
Size

774KB
MD5

085ab77b196e0c91eccbb410df82df16
SHA1

7ead26c497093ab9bb0976dc44ccea613c5b579b
SHA256

2416a4642063f854d89949ee781ddd1bb3996d1848f5a78a9a626692e3e1e930
SHA512

4e59948599e866aa02906b177b78a016348805b2c50b15f42b9e58760f35cfca40d9fe6e2196d27a5bcb88e0448bfdd976a1f7765cf98ef5de5a9ff375bf97a9
SSDEEP

24576:7N32h5LUqbzfNBVq/AMM33b3sMK5hLMUsjjuyOn+y86d:B32h5LRlMOL3O5+UCuD+vw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	bedeggbcid.exe

Loads dropped DLL 11 IoCs

pid	Process
2352	085ab77b196e0c91eccbb410df82df16.exe
2352	085ab77b196e0c91eccbb410df82df16.exe
2352	085ab77b196e0c91eccbb410df82df16.exe
2352	085ab77b196e0c91eccbb410df82df16.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2836	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2832	wmic.exe
Token: SeSecurityPrivilege	2832	wmic.exe
Token: SeTakeOwnershipPrivilege	2832	wmic.exe
Token: SeLoadDriverPrivilege	2832	wmic.exe
Token: SeSystemProfilePrivilege	2832	wmic.exe
Token: SeSystemtimePrivilege	2832	wmic.exe
Token: SeProfSingleProcessPrivilege	2832	wmic.exe
Token: SeIncBasePriorityPrivilege	2832	wmic.exe
Token: SeCreatePagefilePrivilege	2832	wmic.exe
Token: SeBackupPrivilege	2832	wmic.exe
Token: SeRestorePrivilege	2832	wmic.exe
Token: SeShutdownPrivilege	2832	wmic.exe
Token: SeDebugPrivilege	2832	wmic.exe
Token: SeSystemEnvironmentPrivilege	2832	wmic.exe
Token: SeRemoteShutdownPrivilege	2832	wmic.exe
Token: SeUndockPrivilege	2832	wmic.exe
Token: SeManageVolumePrivilege	2832	wmic.exe
Token: 33	2832	wmic.exe
Token: 34	2832	wmic.exe
Token: 35	2832	wmic.exe
Token: SeIncreaseQuotaPrivilege	2832	wmic.exe
Token: SeSecurityPrivilege	2832	wmic.exe
Token: SeTakeOwnershipPrivilege	2832	wmic.exe
Token: SeLoadDriverPrivilege	2832	wmic.exe
Token: SeSystemProfilePrivilege	2832	wmic.exe
Token: SeSystemtimePrivilege	2832	wmic.exe
Token: SeProfSingleProcessPrivilege	2832	wmic.exe
Token: SeIncBasePriorityPrivilege	2832	wmic.exe
Token: SeCreatePagefilePrivilege	2832	wmic.exe
Token: SeBackupPrivilege	2832	wmic.exe
Token: SeRestorePrivilege	2832	wmic.exe
Token: SeShutdownPrivilege	2832	wmic.exe
Token: SeDebugPrivilege	2832	wmic.exe
Token: SeSystemEnvironmentPrivilege	2832	wmic.exe
Token: SeRemoteShutdownPrivilege	2832	wmic.exe
Token: SeUndockPrivilege	2832	wmic.exe
Token: SeManageVolumePrivilege	2832	wmic.exe
Token: 33	2832	wmic.exe
Token: 34	2832	wmic.exe
Token: 35	2832	wmic.exe
Token: SeIncreaseQuotaPrivilege	2868	wmic.exe
Token: SeSecurityPrivilege	2868	wmic.exe
Token: SeTakeOwnershipPrivilege	2868	wmic.exe
Token: SeLoadDriverPrivilege	2868	wmic.exe
Token: SeSystemProfilePrivilege	2868	wmic.exe
Token: SeSystemtimePrivilege	2868	wmic.exe
Token: SeProfSingleProcessPrivilege	2868	wmic.exe
Token: SeIncBasePriorityPrivilege	2868	wmic.exe
Token: SeCreatePagefilePrivilege	2868	wmic.exe
Token: SeBackupPrivilege	2868	wmic.exe
Token: SeRestorePrivilege	2868	wmic.exe
Token: SeShutdownPrivilege	2868	wmic.exe
Token: SeDebugPrivilege	2868	wmic.exe
Token: SeSystemEnvironmentPrivilege	2868	wmic.exe
Token: SeRemoteShutdownPrivilege	2868	wmic.exe
Token: SeUndockPrivilege	2868	wmic.exe
Token: SeManageVolumePrivilege	2868	wmic.exe
Token: 33	2868	wmic.exe
Token: 34	2868	wmic.exe
Token: 35	2868	wmic.exe
Token: SeIncreaseQuotaPrivilege	2868	wmic.exe
Token: SeSecurityPrivilege	2868	wmic.exe
Token: SeTakeOwnershipPrivilege	2868	wmic.exe
Token: SeLoadDriverPrivilege	2868	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2836	2352	085ab77b196e0c91eccbb410df82df16.exe	28
PID 2352 wrote to memory of 2836	2352	085ab77b196e0c91eccbb410df82df16.exe	28
PID 2352 wrote to memory of 2836	2352	085ab77b196e0c91eccbb410df82df16.exe	28
PID 2352 wrote to memory of 2836	2352	085ab77b196e0c91eccbb410df82df16.exe	28
PID 2836 wrote to memory of 2832	2836	bedeggbcid.exe	29
PID 2836 wrote to memory of 2832	2836	bedeggbcid.exe	29
PID 2836 wrote to memory of 2832	2836	bedeggbcid.exe	29
PID 2836 wrote to memory of 2832	2836	bedeggbcid.exe	29
PID 2836 wrote to memory of 2868	2836	bedeggbcid.exe	33
PID 2836 wrote to memory of 2868	2836	bedeggbcid.exe	33
PID 2836 wrote to memory of 2868	2836	bedeggbcid.exe	33
PID 2836 wrote to memory of 2868	2836	bedeggbcid.exe	33
PID 2836 wrote to memory of 2588	2836	bedeggbcid.exe	35
PID 2836 wrote to memory of 2588	2836	bedeggbcid.exe	35
PID 2836 wrote to memory of 2588	2836	bedeggbcid.exe	35
PID 2836 wrote to memory of 2588	2836	bedeggbcid.exe	35
PID 2836 wrote to memory of 1984	2836	bedeggbcid.exe	37
PID 2836 wrote to memory of 1984	2836	bedeggbcid.exe	37
PID 2836 wrote to memory of 1984	2836	bedeggbcid.exe	37
PID 2836 wrote to memory of 1984	2836	bedeggbcid.exe	37
PID 2836 wrote to memory of 2920	2836	bedeggbcid.exe	38
PID 2836 wrote to memory of 2920	2836	bedeggbcid.exe	38
PID 2836 wrote to memory of 2920	2836	bedeggbcid.exe	38
PID 2836 wrote to memory of 2920	2836	bedeggbcid.exe	38
PID 2836 wrote to memory of 2748	2836	bedeggbcid.exe	40
PID 2836 wrote to memory of 2748	2836	bedeggbcid.exe	40
PID 2836 wrote to memory of 2748	2836	bedeggbcid.exe	40
PID 2836 wrote to memory of 2748	2836	bedeggbcid.exe	40

C:\Users\Admin\AppData\Local\Temp\085ab77b196e0c91eccbb410df82df16.exe
"C:\Users\Admin\AppData\Local\Temp\085ab77b196e0c91eccbb410df82df16.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe
  C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe 1*6*1*3*3*2*1*8*1*7*5 LkpIQToxLyoxGSpST0FNRkI8KB8oSUROVkxPSUg8PCkbLj5IUFFHQzUxKS04MR8sQEdDNS8ZKk9MTkFSQVNXSD04MDA4MR0tUj1RT0BRWVRPSTtnbHNpNS4pcm9zLEM9UkQoU0lPKj5OTyZIR0FOGi5ASUdCQ0g9OHY/QlFGL0RIMS4xVUk2L0lFT0tMRitAPR8sQS88KS8qMR8pQy86KzAYLj0uPCcwHSxCMzUsKhsuPjQ6Ki8fJ09LSkNPQlFcTlFBVTo+WDcfLE1QTjxUPE9eP1RJPjsfJ09LSkNPQlFcTEBFRDYbLj9XQlxTUUQ8GSpEUkRcQEtDREhHQDwaLkVMUVNXQUtKVk1ETzovHydTQTxNRVhMUl1USks2Gy5QTDovHi48Uio4HylRUktSSEVEWFJERkJMSkNIRUBAQFRMSzodLUhLXktQTU5ISkI7c2p0XhsuTERRUlBNQU1AWlRNRE9cQkBRUjYtHylHRkFDVzUwGSpITV5BVkxARUg8WkRIQk9WTlM9QzZhYGZyYh0tQ0dWR0dOO0NcRk48KTgpKTEqLysuNDEmMRkqU0NMQjovMyszLzE3LjE1HS1DR1ZHR047Q1xRR0w9PC8qMDIuLy0vNCIwKjUvKjkvNShPRQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968509.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968509.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968509.txt bios get version
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968509.txt bios get version
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968509.txt bios get version
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703968509.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703968509.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703968509.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
1.0MB

MD5
3168e3016d5223f4004e3ca16c5cca74

SHA1
8d5cb06581a6c1bbfee86706ae9fdcb2c539f3a4

SHA256
03e104c235a148fa29f791e3c6a531621d47bdfac87e13fb8e151bc6b78d3e66

SHA512
2b80486d3a099f6230a863ffff19f6d7f8445dd927ebf73ba76ee5109c34098ddbe43fb53ad666e7981be5fad2b2556780506e353b3a4eb271d9cc01632c0c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
954KB

MD5
bc9d0424689c17bc45f06cf68c172ed8

SHA1
418529ad80ba30f30a3c9c3947fb962ba7fdd146

SHA256
c3895d2651a544a74ba2b80366e23b1ff0fa6660d8c7bf1e6e0239a691bc373d

SHA512
f86b1c20defbc48b7bd75e8b9e80269551a90fedb16766763972d280211134d4544acff25610732505bd3cd143fdcc0609a1948ae9e7431d064f773f5e8e419e

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
1.2MB

MD5
db592a6778719ecc3e009615a0b0676f

SHA1
8e87122553bffa0a5b1c32d840f71bb4abffedf7

SHA256
6e954e721eb2cf823834c312c2c4fb16f73e932bb0ed01afc3a0e993706b9984

SHA512
608bfcaf7152a804d8723c015eddaa9b961c5c378dc2d65953dfca68edb8c2d8eb282df372eea6c1372145042efd25073064e73c411e292cc4eac237b592c574

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
1.0MB

MD5
01c143062d736b9dccbc090dbb80fdcb

SHA1
c5afa085aad4702d9ea72a86cd24fd1a3a7e2216

SHA256
be5e5c1639d629ec4683a50aeaa94d9394722ea5701430798fd35cffb64d5aa5

SHA512
5c967bca860a17ae6dc66736bf582f52ac68859468a2da824c859c4147dcd3ce03346b740a438ff631b76ec11d713e9a3ed89795d0762300655cdb77d25e8009

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
64KB

MD5
1491687e792c83889f583fd20285e9e1

SHA1
eb731eea3b8f55f3e5a8c7eefea6b4e44b7cfe93

SHA256
6c5766ebd80343b175726223a049cfa2d48bff1017b6133cb9931926cb085fa1

SHA512
ab6755c2fddce5f41dd8a276a941e63bad91078a75943c44600d314f666c796768bdad102ae1b2aa0e8d2e3169ea033a9b8900833b65a4fad4bbc8007a9b696c

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
342KB

MD5
a48547a0e546ebd3b8eb9c8d7a2f5d09

SHA1
77f6dd03c8c7b2109416b4c9eb54a6de95149349

SHA256
3be993759256c8ae1d75c34315e8cc7f172dc039bad06d11c92efe233bcbf4d3

SHA512
63984efc88669299a758bb870eed7ae6ab6a99de102210d8591fd24bcfe5f5e7eccb9b15eddd567e083638c3727b62eb1b836e81f3752b015ba60a01c407cee4

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
310KB

MD5
f2074e88dae13c2749ac6487173de3b4

SHA1
4c5cb147cc3bf1909528605ad5961902f127f89c

SHA256
15f11f89c462be03f3c3851257641c1e6a684472a83d64c29268ce1731cb5fa9

SHA512
5ae64b93f89332de07220e23f02d568369809e2429d7718c698f70ea68e01111b648bf3137fb1cd0cfac78e3c5b96209e622e244565798235896d6a3a6271f23

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
335KB

MD5
e8d9b8ee316e719e3b86a4023aac34c7

SHA1
73b9151ffd744899a85eab337284a13690462a67

SHA256
e585532f094066fb53b9fb7dc32231887f132a3802211de492fcfab2785e520e

SHA512
3be6cdf9f43567880fac74d1345a556a00763eb1175a3fe99e279abb2960594106d33b92a79f793a6b59675d5a450f9911388393059d725ed926432aa322e044

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
307KB

MD5
f87131590a1f931baf5eede4967e08fe

SHA1
026049a264eec1d2421a80b6f5722ab7c74edea9

SHA256
dc21a7a32ddcd832ef9d3b2be4008500ea79d25a5c794dca1bb6740f61c19ae1

SHA512
b54a1e4afbffae2d831dab92861180a0e1bfe809d4a7aedbe5de37fcad7f6eb454d6a0153ce44385c929b5f08237f40a5ebf0b28025be7de231b57fbb371c517

Download Submit
\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
284KB

MD5
449ba4440d2c1cf8c4488a3aa3c39afe

SHA1
27f7cb912b53baf413cd01687b8d8a37a408ff62

SHA256
27e44dee728888823b2aa8a95200c88c857d4e2d55863229100e9dfdd17aec4a

SHA512
2312aba57871a0a07d6f734fa80f0b487738e700da9889a7eea1d1bae6680cd66df797054fd029bf73d2a3f5ec7125752c19f994c8f7d706da0f1b3c0ab075c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4B53.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4B53.tmp\jrcdlvl.dll

Filesize
169KB

MD5
04250df9913f7811b6c4a8ce9a69bf41

SHA1
94c55554a2deb109ea8034fb91b222c4ed69ba28

SHA256
a4f8731ef961aa9bd38c3870d5995a0fed71f1cdde4d856461dd27faeadf0176

SHA512
49ef818b3b10552d379f6a2b52f4f99d48b665587febc0f81475cb71e3c262e4baa3df910d70c6655f3617b60144512a6fb81cf6b2b9d0ae48ceb58e712a6a02

Download Submit