105a697780af65eb69c0d40e7242c184eef04aa9ff76d994f3ebcc6ad1deeb3d

Analysis

max time kernel
32s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0862c256ae01b5af2148df3c88c9a0cf.exe
Size

694KB
MD5

0862c256ae01b5af2148df3c88c9a0cf
SHA1

01f477a759b5d5189ae13c601f4edecf698e7c93
SHA256

105a697780af65eb69c0d40e7242c184eef04aa9ff76d994f3ebcc6ad1deeb3d
SHA512

ae8164b767a9ad23010702db2a7d31f9a1b2223c6edebeb6c08f953c4fbdb1f8c1d0f745260207d4a2db30c7191a2153002f03ed742895addd85ba360ac1cfda
SSDEEP

12288:mYkJaUCEtuiXlwMckU9iRX6E/Q8BuVHlwdGdjfKPDb/A9Fvntfc8vy4hW:mYkJCYcWB6E4tBlnLKPDbIPy86z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	bedgeaaaid.exe

Loads dropped DLL 2 IoCs

pid	Process
4808	0862c256ae01b5af2148df3c88c9a0cf.exe
4808	0862c256ae01b5af2148df3c88c9a0cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1824	2604	WerFault.exe	47

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	748	wmic.exe
Token: SeSecurityPrivilege	748	wmic.exe
Token: SeTakeOwnershipPrivilege	748	wmic.exe
Token: SeLoadDriverPrivilege	748	wmic.exe
Token: SeSystemProfilePrivilege	748	wmic.exe
Token: SeSystemtimePrivilege	748	wmic.exe
Token: SeProfSingleProcessPrivilege	748	wmic.exe
Token: SeIncBasePriorityPrivilege	748	wmic.exe
Token: SeCreatePagefilePrivilege	748	wmic.exe
Token: SeBackupPrivilege	748	wmic.exe
Token: SeRestorePrivilege	748	wmic.exe
Token: SeShutdownPrivilege	748	wmic.exe
Token: SeDebugPrivilege	748	wmic.exe
Token: SeSystemEnvironmentPrivilege	748	wmic.exe
Token: SeRemoteShutdownPrivilege	748	wmic.exe
Token: SeUndockPrivilege	748	wmic.exe
Token: SeManageVolumePrivilege	748	wmic.exe
Token: 33	748	wmic.exe
Token: 34	748	wmic.exe
Token: 35	748	wmic.exe
Token: 36	748	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2604	4808	0862c256ae01b5af2148df3c88c9a0cf.exe	47
PID 4808 wrote to memory of 2604	4808	0862c256ae01b5af2148df3c88c9a0cf.exe	47
PID 4808 wrote to memory of 2604	4808	0862c256ae01b5af2148df3c88c9a0cf.exe	47
PID 2604 wrote to memory of 748	2604	bedgeaaaid.exe	49
PID 2604 wrote to memory of 748	2604	bedgeaaaid.exe	49
PID 2604 wrote to memory of 748	2604	bedgeaaaid.exe	49

C:\Users\Admin\AppData\Local\Temp\0862c256ae01b5af2148df3c88c9a0cf.exe
"C:\Users\Admin\AppData\Local\Temp\0862c256ae01b5af2148df3c88c9a0cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe
  C:\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe 8|8|4|0|7|1|9|2|6|8|0 J0hFRDYyKS4qGC9LTT5QQkM0LhonTj1MU09LSkBCNyggJzxFU01IOzsrMTcvGCtDQkM0LhonUEpHQFU8U1ZHPjUxLjEwIChSPFBQPVJXTU5MNmdrcmoyLydrbnYnQzxRRSVUR0gpQUlPJUdIPk8YJz9MQkJCRz41ICc8LT0mMBctPio9JSkcLz0yNCsrGC88LDktKh8mQi81LSkYK1BLTjtTPUxfSEpFVjpCUDsaJ1BKR0BVPFNWQ09EQTUYK1BLTjtTPUxfRjlJRTYfJkNSPV9NSkg9GS48Vj9XQ0U8SElHRDQeKUBPS0xbQktOTlE/Sj0qGCtUQUBFSVNHVVdNTkw2HyZURzUyGCdAUyo8Fy1MTU5MQUlFWFY8Sj1HTT1BSUFARExQRjUgJ0FPX0tURVJDRUU1bG51Xh8mUD9MVUpGRU5AXkxRP0pfPDlVUzYxFy1CQUQ9UDkxGS5AUVk8WUY5SUk8XjxMPUpZSExBRDZlWGptXSAnPEtXR0tGPz5XSUg1MzEnMC4yKCoyJik1IChPOFA7REw9RFtJR1JLP0ZEPV5ZaHNeHyZSQ0VFNSkwMy8zJzEuKDEYJ0BPUE1DTTs8X0xBSUU2NiY3KSowKS0mMSs5LDQ0LDEiOUk=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931248.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931248.txt bios get version
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931248.txt bios get version
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931248.txt bios get version
    3⤵
    PID:872
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703931248.txt bios get version
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 916
    3⤵
    - Program crash
    PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2604 -ip 2604
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703931248.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703931248.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703931248.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe

Filesize
8KB

MD5
869d9409912720c9bada6637f7893b2b

SHA1
5f18b43900a81cfdc696025733f5bf40a671d4bb

SHA256
1b4ed704bbd1d2cee1762ab7d650b4f7a6a3add03ace37df368168f6c1abbb52

SHA512
4492ba70c5ce85a78f8e9c8cb5d436c9c083d932ce50e32d8cf6a1464f4e1b98b7fd86e62cb6dd053a290925a388b6ed89baed3fe95d178c78fa5092da74d2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgeaaaid.exe

Filesize
52KB

MD5
3e5e42aa3ffc4960e2a57ddbc3a3a317

SHA1
292288cc5c085629a25d1be726053305f5ef50ff

SHA256
ff02dc3bb0c77209b0d4d126c8edf456a623783ed1636705c75f192c81227487

SHA512
30444dd99e1259a44db6dd157143855105dbf6f8c9132696d5e63c9df8aa00d0ccf138f96ef3ca2b0fc1bccd6a484deab073dbcb92144ca4987e16fdf0691f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\ZipDLL.dll

Filesize
61KB

MD5
20707b23e996eb1f6933cec919f7062b

SHA1
e7bd244786455f9cb11fecfc7558c3e5c0e3c154

SHA256
fd32bddcaea1e623004d6d82fda8652115c0d130e4eb19753157dde63eb0c14d

SHA512
090bf40b38c6ee17f0bc1311055a9cb89098fc13bf5782ac017944bae1c3d340850a270cbf8556a25f4a49b7177302b0729bcaa917fc9c9470f0d5a20f127df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\ZipDLL.dll

Filesize
1KB

MD5
12513ddf7f778e92b59edbeb53c7d9cc

SHA1
dbb4fd09cc60fd4f8513f5617f8e9c28fafc4f72

SHA256
75f08c78a64659d8ff563e0b7eba9359fe3b1dbe92c25b4189da2bfa52fcbb11

SHA512
69e04679ea64ddcca23dce1fcbb4a854564e5dfaf6251c1c7c77817f098a806c42922f4383dcfd7359b5db8fd0c04ff695a667fc4e42d51844d688f1ff0d1a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\dbnlsav.dll

Filesize
75KB

MD5
d55e722e9b5b76df765762ae36ec8d8b

SHA1
1ec649431367deb17e494d907d1065569edfbc44

SHA256
696aeba9dffc1e6c6a52b5445fda563cb56591f75b4dae0b2af060538ed2ac7f

SHA512
65eb1e6bad6638919b3a92fdbecbf96c085c69ec4cd8516fbe6b82dd8829c6a91592ed181f0dae011e3bd69160b9b3e2fc35253fe4f0f8379517a19e7ade9a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\dbnlsav.dll

Filesize
51KB

MD5
930156e89bcf2c212b5de18524cfc37d

SHA1
2206b7d30eff53bfeeed4c818a2fcc584cced206

SHA256
bc6dd6cef5864693be9d45ba9aafa523022f7fe05bc28a13a702e30298b01da0

SHA512
9d281bf705ec0e717a09dbcd0c1fc217622296d0fca12c34c65774122900b78484425cab79c4361c4b3a43c81e29f280cf0dfc7587d8a74ecccbe5e4073d8881

Download Submit