2416a4642063f854d89949ee781ddd1bb3996d1848f5a78a9a626692e3e1e930

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085ab77b196e0c91eccbb410df82df16.exe
Size

774KB
MD5

085ab77b196e0c91eccbb410df82df16
SHA1

7ead26c497093ab9bb0976dc44ccea613c5b579b
SHA256

2416a4642063f854d89949ee781ddd1bb3996d1848f5a78a9a626692e3e1e930
SHA512

4e59948599e866aa02906b177b78a016348805b2c50b15f42b9e58760f35cfca40d9fe6e2196d27a5bcb88e0448bfdd976a1f7765cf98ef5de5a9ff375bf97a9
SSDEEP

24576:7N32h5LUqbzfNBVq/AMM33b3sMK5hLMUsjjuyOn+y86d:B32h5LRlMOL3O5+UCuD+vw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3620	bedeggbcid.exe

Loads dropped DLL 2 IoCs

pid	Process
568	085ab77b196e0c91eccbb410df82df16.exe
568	085ab77b196e0c91eccbb410df82df16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4300	3620	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe
Token: 33	2580	wmic.exe
Token: 34	2580	wmic.exe
Token: 35	2580	wmic.exe
Token: 36	2580	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe
Token: 33	2580	wmic.exe
Token: 34	2580	wmic.exe
Token: 35	2580	wmic.exe
Token: 36	2580	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 3620	568	085ab77b196e0c91eccbb410df82df16.exe	91
PID 568 wrote to memory of 3620	568	085ab77b196e0c91eccbb410df82df16.exe	91
PID 568 wrote to memory of 3620	568	085ab77b196e0c91eccbb410df82df16.exe	91
PID 3620 wrote to memory of 2580	3620	bedeggbcid.exe	92
PID 3620 wrote to memory of 2580	3620	bedeggbcid.exe	92
PID 3620 wrote to memory of 2580	3620	bedeggbcid.exe	92
PID 3620 wrote to memory of 4816	3620	bedeggbcid.exe	95
PID 3620 wrote to memory of 4816	3620	bedeggbcid.exe	95
PID 3620 wrote to memory of 4816	3620	bedeggbcid.exe	95
PID 3620 wrote to memory of 2672	3620	bedeggbcid.exe	97
PID 3620 wrote to memory of 2672	3620	bedeggbcid.exe	97
PID 3620 wrote to memory of 2672	3620	bedeggbcid.exe	97
PID 3620 wrote to memory of 3348	3620	bedeggbcid.exe	100
PID 3620 wrote to memory of 3348	3620	bedeggbcid.exe	100
PID 3620 wrote to memory of 3348	3620	bedeggbcid.exe	100
PID 3620 wrote to memory of 4436	3620	bedeggbcid.exe	101
PID 3620 wrote to memory of 4436	3620	bedeggbcid.exe	101
PID 3620 wrote to memory of 4436	3620	bedeggbcid.exe	101

C:\Users\Admin\AppData\Local\Temp\085ab77b196e0c91eccbb410df82df16.exe
"C:\Users\Admin\AppData\Local\Temp\085ab77b196e0c91eccbb410df82df16.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe
  C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe 1*6*1*3*3*2*1*8*1*7*5 LkpIQToxLyoxGSpST0FNRkI8KB8oSUROVkxPSUg8PCkbLj5IUFFHQzUxKS04MR8sQEdDNS8ZKk9MTkFSQVNXSD04MDA4MR0tUj1RT0BRWVRPSTtnbHNpNS4pcm9zLEM9UkQoU0lPKj5OTyZIR0FOGi5ASUdCQ0g9OHY/QlFGL0RIMS4xVUk2L0lFT0tMRitAPR8sQS88KS8qMR8pQy86KzAYLj0uPCcwHSxCMzUsKhsuPjQ6Ki8fJ09LSkNPQlFcTlFBVTo+WDcfLE1QTjxUPE9eP1RJPjsfJ09LSkNPQlFcTEBFRDYbLj9XQlxTUUQ8GSpEUkRcQEtDREhHQDwaLkVMUVNXQUtKVk1ETzovHydTQTxNRVhMUl1USks2Gy5QTDovHi48Uio4HylRUktSSEVEWFJERkJMSkNIRUBAQFRMSzodLUhLXktQTU5ISkI7c2p0XhsuTERRUlBNQU1AWlRNRE9cQkBRUjYtHylHRkFDVzUwGSpITV5BVkxARUg8WkRIQk9WTlM9QzZhYGZyYh0tQ0dWR0dOO0NcRk48KTgpKTEqLysuNDEmMRkqU0NMQjovMyszLzE3LjE1HS1DR1ZHR047Q1xRR0w9PC8qMDIuLy0vNCIwKjUvKjkvNShPRQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968528.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968528.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968528.txt bios get version
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968528.txt bios get version
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703968528.txt bios get version
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 960
    3⤵
    - Program crash
    PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3620 -ip 3620
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703968528.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703968528.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703968528.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
141KB

MD5
660b81383cfaea94edc97ba1a3d63dba

SHA1
8d83a6f0163c3a50172aa7e69025a4a0cd1e16e7

SHA256
434e3bae98189d6cefa5cf5d3d68092264e93201540bb5d74f71dce3be1bf695

SHA512
754e0508335a906e0ef2b1092f8c5a0ad6ca7929fb88d97f1d982e6bb777564b1c340f5fc57ef80c14154f4046c5b2a460262150d22f463943615b6243d77490

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeggbcid.exe

Filesize
132KB

MD5
16e1900c8158a06060e32b1518c3623d

SHA1
bc7b212751671caf459f9f330bed287604de9294

SHA256
812c8a51cb575dd899705ed3fcc6718bce1abc9e27cc14ea76aef4c942ba5cf7

SHA512
a836f1c1c739ef50f0ead27fd348e61c54193ef4fe0a5c97db244e61f97b8839cb57d2e9becded96bb4d0c959a316ac4a76c60f21c78e15f3a1bdbb752c8bf14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqA25B.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqA25B.tmp\jrcdlvl.dll

Filesize
169KB

MD5
04250df9913f7811b6c4a8ce9a69bf41

SHA1
94c55554a2deb109ea8034fb91b222c4ed69ba28

SHA256
a4f8731ef961aa9bd38c3870d5995a0fed71f1cdde4d856461dd27faeadf0176

SHA512
49ef818b3b10552d379f6a2b52f4f99d48b665587febc0f81475cb71e3c262e4baa3df910d70c6655f3617b60144512a6fb81cf6b2b9d0ae48ceb58e712a6a02

Download Submit