105a697780af65eb69c0d40e7242c184eef04aa9ff76d994f3ebcc6ad1deeb3d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0862c256ae01b5af2148df3c88c9a0cf.exe
Size

694KB
MD5

0862c256ae01b5af2148df3c88c9a0cf
SHA1

01f477a759b5d5189ae13c601f4edecf698e7c93
SHA256

105a697780af65eb69c0d40e7242c184eef04aa9ff76d994f3ebcc6ad1deeb3d
SHA512

ae8164b767a9ad23010702db2a7d31f9a1b2223c6edebeb6c08f953c4fbdb1f8c1d0f745260207d4a2db30c7191a2153002f03ed742895addd85ba360ac1cfda
SSDEEP

12288:mYkJaUCEtuiXlwMckU9iRX6E/Q8BuVHlwdGdjfKPDb/A9Fvntfc8vy4hW:mYkJCYcWB6E4tBlnLKPDbIPy86z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3024	bedgeaaaid.exe

Loads dropped DLL 11 IoCs

pid	Process
2220	0862c256ae01b5af2148df3c88c9a0cf.exe
2220	0862c256ae01b5af2148df3c88c9a0cf.exe
2220	0862c256ae01b5af2148df3c88c9a0cf.exe
2220	0862c256ae01b5af2148df3c88c9a0cf.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	3024	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2996	wmic.exe
Token: SeSecurityPrivilege	2996	wmic.exe
Token: SeTakeOwnershipPrivilege	2996	wmic.exe
Token: SeLoadDriverPrivilege	2996	wmic.exe
Token: SeSystemProfilePrivilege	2996	wmic.exe
Token: SeSystemtimePrivilege	2996	wmic.exe
Token: SeProfSingleProcessPrivilege	2996	wmic.exe
Token: SeIncBasePriorityPrivilege	2996	wmic.exe
Token: SeCreatePagefilePrivilege	2996	wmic.exe
Token: SeBackupPrivilege	2996	wmic.exe
Token: SeRestorePrivilege	2996	wmic.exe
Token: SeShutdownPrivilege	2996	wmic.exe
Token: SeDebugPrivilege	2996	wmic.exe
Token: SeSystemEnvironmentPrivilege	2996	wmic.exe
Token: SeRemoteShutdownPrivilege	2996	wmic.exe
Token: SeUndockPrivilege	2996	wmic.exe
Token: SeManageVolumePrivilege	2996	wmic.exe
Token: 33	2996	wmic.exe
Token: 34	2996	wmic.exe
Token: 35	2996	wmic.exe
Token: SeIncreaseQuotaPrivilege	2996	wmic.exe
Token: SeSecurityPrivilege	2996	wmic.exe
Token: SeTakeOwnershipPrivilege	2996	wmic.exe
Token: SeLoadDriverPrivilege	2996	wmic.exe
Token: SeSystemProfilePrivilege	2996	wmic.exe
Token: SeSystemtimePrivilege	2996	wmic.exe
Token: SeProfSingleProcessPrivilege	2996	wmic.exe
Token: SeIncBasePriorityPrivilege	2996	wmic.exe
Token: SeCreatePagefilePrivilege	2996	wmic.exe
Token: SeBackupPrivilege	2996	wmic.exe
Token: SeRestorePrivilege	2996	wmic.exe
Token: SeShutdownPrivilege	2996	wmic.exe
Token: SeDebugPrivilege	2996	wmic.exe
Token: SeSystemEnvironmentPrivilege	2996	wmic.exe
Token: SeRemoteShutdownPrivilege	2996	wmic.exe
Token: SeUndockPrivilege	2996	wmic.exe
Token: SeManageVolumePrivilege	2996	wmic.exe
Token: 33	2996	wmic.exe
Token: 34	2996	wmic.exe
Token: 35	2996	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe
Token: SeSystemProfilePrivilege	2576	wmic.exe
Token: SeSystemtimePrivilege	2576	wmic.exe
Token: SeProfSingleProcessPrivilege	2576	wmic.exe
Token: SeIncBasePriorityPrivilege	2576	wmic.exe
Token: SeCreatePagefilePrivilege	2576	wmic.exe
Token: SeBackupPrivilege	2576	wmic.exe
Token: SeRestorePrivilege	2576	wmic.exe
Token: SeShutdownPrivilege	2576	wmic.exe
Token: SeDebugPrivilege	2576	wmic.exe
Token: SeSystemEnvironmentPrivilege	2576	wmic.exe
Token: SeRemoteShutdownPrivilege	2576	wmic.exe
Token: SeUndockPrivilege	2576	wmic.exe
Token: SeManageVolumePrivilege	2576	wmic.exe
Token: 33	2576	wmic.exe
Token: 34	2576	wmic.exe
Token: 35	2576	wmic.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3024	2220	0862c256ae01b5af2148df3c88c9a0cf.exe	28
PID 2220 wrote to memory of 3024	2220	0862c256ae01b5af2148df3c88c9a0cf.exe	28
PID 2220 wrote to memory of 3024	2220	0862c256ae01b5af2148df3c88c9a0cf.exe	28
PID 2220 wrote to memory of 3024	2220	0862c256ae01b5af2148df3c88c9a0cf.exe	28
PID 3024 wrote to memory of 2996	3024	bedgeaaaid.exe	27
PID 3024 wrote to memory of 2996	3024	bedgeaaaid.exe	27
PID 3024 wrote to memory of 2996	3024	bedgeaaaid.exe	27
PID 3024 wrote to memory of 2996	3024	bedgeaaaid.exe	27
PID 3024 wrote to memory of 2576	3024	bedgeaaaid.exe	26
PID 3024 wrote to memory of 2576	3024	bedgeaaaid.exe	26
PID 3024 wrote to memory of 2576	3024	bedgeaaaid.exe	26
PID 3024 wrote to memory of 2576	3024	bedgeaaaid.exe	26
PID 3024 wrote to memory of 2100	3024	bedgeaaaid.exe	25
PID 3024 wrote to memory of 2100	3024	bedgeaaaid.exe	25
PID 3024 wrote to memory of 2100	3024	bedgeaaaid.exe	25
PID 3024 wrote to memory of 2100	3024	bedgeaaaid.exe	25
PID 3024 wrote to memory of 1808	3024	bedgeaaaid.exe	23
PID 3024 wrote to memory of 1808	3024	bedgeaaaid.exe	23
PID 3024 wrote to memory of 1808	3024	bedgeaaaid.exe	23
PID 3024 wrote to memory of 1808	3024	bedgeaaaid.exe	23
PID 3024 wrote to memory of 2448	3024	bedgeaaaid.exe	22
PID 3024 wrote to memory of 2448	3024	bedgeaaaid.exe	22
PID 3024 wrote to memory of 2448	3024	bedgeaaaid.exe	22
PID 3024 wrote to memory of 2448	3024	bedgeaaaid.exe	22
PID 3024 wrote to memory of 2944	3024	bedgeaaaid.exe	40
PID 3024 wrote to memory of 2944	3024	bedgeaaaid.exe	40
PID 3024 wrote to memory of 2944	3024	bedgeaaaid.exe	40
PID 3024 wrote to memory of 2944	3024	bedgeaaaid.exe	40

C:\Users\Admin\AppData\Local\Temp\0862c256ae01b5af2148df3c88c9a0cf.exe
"C:\Users\Admin\AppData\Local\Temp\0862c256ae01b5af2148df3c88c9a0cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe
  C:\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe 8|8|4|0|7|1|9|2|6|8|0 J0hFRDYyKS4qGC9LTT5QQkM0LhonTj1MU09LSkBCNyggJzxFU01IOzsrMTcvGCtDQkM0LhonUEpHQFU8U1ZHPjUxLjEwIChSPFBQPVJXTU5MNmdrcmoyLydrbnYnQzxRRSVUR0gpQUlPJUdIPk8YJz9MQkJCRz41ICc8LT0mMBctPio9JSkcLz0yNCsrGC88LDktKh8mQi81LSkYK1BLTjtTPUxfSEpFVjpCUDsaJ1BKR0BVPFNWQ09EQTUYK1BLTjtTPUxfRjlJRTYfJkNSPV9NSkg9GS48Vj9XQ0U8SElHRDQeKUBPS0xbQktOTlE/Sj0qGCtUQUBFSVNHVVdNTkw2HyZURzUyGCdAUyo8Fy1MTU5MQUlFWFY8Sj1HTT1BSUFARExQRjUgJ0FPX0tURVJDRUU1bG51Xh8mUD9MVUpGRU5AXkxRP0pfPDlVUzYxFy1CQUQ9UDkxGS5AUVk8WUY5SUk8XjxMPUpZSExBRDZlWGptXSAnPEtXR0tGPz5XSUg1MzEnMC4yKCoyJik1IChPOFA7REw9RFtJR1JLP0ZEPV5ZaHNeHyZSQ0VFNSkwMy8zJzEuKDEYJ0BPUE1DTTs8X0xBSUU2NiY3KSowKS0mMSs5LDQ0LDEiOUk=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2944

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931268.txt bios get version
1⤵
PID:2448

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931268.txt bios get version
1⤵
PID:1808

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931268.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931268.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931268.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyD3B.tmp\dbnlsav.dll

Filesize
98KB

MD5
7e5afd954bf3ccd84f0179344c29b158

SHA1
7b132c50f081209a5a79e7907ecbb49dfe90ae06

SHA256
b4524e94a513f23f687522d289e48a05522074182e0114060070619082f91325

SHA512
dd7f6d470d1bd292d46ae99569f008341f8ee36f28a169657c1bfa6653526bc02ccff06ea212ce6ac7649c551d7092361fddb4ebabb792183a54c9f6f0d6499e

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe

Filesize
92KB

MD5
7c71f18f704ae178b8c324adb135cdb2

SHA1
0965b0688e218be0ee02716e19fb6ad883e179d4

SHA256
2d7be368b1c7a8fd9b4e284126ba5b1ba52d37961091c068317f3c949eafe545

SHA512
b2906950b690d5fffe2c5f9a33f1275a33ec113f7a3789fcc2b2b4f27b9467251b8c170e70fd37af2e6c7cc89d720492f54b4bbee7221c718db0a7dbbf84fdbf

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD3B.tmp\ZipDLL.dll

Filesize
92KB

MD5
59d92c69d7384fb9e32b4d435ed3447b

SHA1
cdc0eb8ba6b58a4c8c0fee1fd7560154d06ccfd5

SHA256
f514d46e78885cfd4ffa6445a37a9b20af04d1b14aacd1e2c4bf6227b20a8c2d

SHA512
de5a2632d4a271ec1dd1a5e04e918260afc55f9bd56b3f060944a9756ff2866702191ddee13a20cea23b970086d813ea4ff044324520f3f4da94bc47fea9daaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD3B.tmp\dbnlsav.dll

Filesize
166KB

MD5
5e67e30a2af79344cfa992d4cf4637f6

SHA1
4c73d4c38386f954f29b1be938f39429ca2365a8

SHA256
782282379bac3424c8f26c3c1375e82886573e90bd66ddca536ccd460aeee152

SHA512
184cb9520c44a23601773544c64548673716399f3d6b035b8c8aa53edcc2d632c5346f1e0a69dfb03ee89d6db4870841e32453e7228cce536748466085b829ea

Download Submit