Analysis

max time kernel:   117s
max time network:  119s
platform:          windows7_x64
resource:          win7-20231215-en
resource tags:     arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted:         30/12/2023, 10:18
Static task:      static1

Behavioral task:  behavioral1
  Sample:         15a83b57ec05ad38e4c14f8710bd8873.exe
  Resource:       win7-20231215-en

Behavioral task:  behavioral2
  Sample:         15a83b57ec05ad38e4c14f8710bd8873.exe
  Resource:       win10v2004-20231215-en
General

Target:  15a83b57ec05ad38e4c14f8710bd8873.exe
Size:    694KB
MD5:     15a83b57ec05ad38e4c14f8710bd8873
SHA1:    bb1a9a3a7e2fdc7c3c6f8ea3c081c8b28183cfa2
SHA256:  1026e860ce62280d2ed35f37280f8e42e79ab694ef4c4b30718dbdfe306b4b82
SHA512:  dbc6204c9466f171be409d56d9bb26659b594457592c2954beecc7d8fa19dc04ca716a87c52fb434e1f8d894a32ec285e64513ee69ecc3721ced520404d81cc1
SSDEEP:  12288:qY43eEvlkuSYi0ydxhP5vA0pj+HQkIBhEtpx3Ocz1j5yOV2slLgUM+fc8vy4h1p:qYOOuSYivrhP5o0iIoLjDyOVXl1K86+p
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2336  bedgeeddeb.exe

Loads dropped DLL (11 IoCs)
  pid   Process
  1568  15a83b57ec05ad38e4c14f8710bd8873.exe
  1568  15a83b57ec05ad38e4c14f8710bd8873.exe
  1568  15a83b57ec05ad38e4c14f8710bd8873.exe
  1568  15a83b57ec05ad38e4c14f8710bd8873.exe
  2944  WerFault.exe
  2944  WerFault.exe
  2944  WerFault.exe
  2944  WerFault.exe
  2944  WerFault.exe
  2944  WerFault.exe
  2944  WerFault.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2944  2336        WerFault.exe  28

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      2688  wmic.exe
  Token: SeSecurityPrivilege           2688  wmic.exe
  Token: SeTakeOwnershipPrivilege      2688  wmic.exe
  Token: SeLoadDriverPrivilege         2688  wmic.exe
  Token: SeSystemProfilePrivilege      2688  wmic.exe
  Token: SeSystemtimePrivilege         2688  wmic.exe
  Token: SeProfSingleProcessPrivilege  2688  wmic.exe
  Token: SeIncBasePriorityPrivilege    2688  wmic.exe
  Token: SeCreatePagefilePrivilege     2688  wmic.exe
  Token: SeBackupPrivilege             2688  wmic.exe
  Token: SeRestorePrivilege            2688  wmic.exe
  Token: SeShutdownPrivilege           2688  wmic.exe
  Token: SeDebugPrivilege              2688  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2688  wmic.exe
  Token: SeRemoteShutdownPrivilege     2688  wmic.exe
  Token: SeUndockPrivilege             2688  wmic.exe
  Token: SeManageVolumePrivilege       2688  wmic.exe
  Token: 33                            2688  wmic.exe
  Token: 34                            2688  wmic.exe
  Token: 35                            2688  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2688  wmic.exe
  Token: SeSecurityPrivilege           2688  wmic.exe
  Token: SeTakeOwnershipPrivilege      2688  wmic.exe
  Token: SeLoadDriverPrivilege         2688  wmic.exe
  Token: SeSystemProfilePrivilege      2688  wmic.exe
  Token: SeSystemtimePrivilege         2688  wmic.exe
  Token: SeProfSingleProcessPrivilege  2688  wmic.exe
  Token: SeIncBasePriorityPrivilege    2688  wmic.exe
  Token: SeCreatePagefilePrivilege     2688  wmic.exe
  Token: SeBackupPrivilege             2688  wmic.exe
  Token: SeRestorePrivilege            2688  wmic.exe
  Token: SeShutdownPrivilege           2688  wmic.exe
  Token: SeDebugPrivilege              2688  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2688  wmic.exe
  Token: SeRemoteShutdownPrivilege     2688  wmic.exe
  Token: SeUndockPrivilege             2688  wmic.exe
  Token: SeManageVolumePrivilege       2688  wmic.exe
  Token: 33                            2688  wmic.exe
  Token: 34                            2688  wmic.exe
  Token: 35                            2688  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2680  wmic.exe
  Token: SeSecurityPrivilege           2680  wmic.exe
  Token: SeTakeOwnershipPrivilege      2680  wmic.exe
  Token: SeLoadDriverPrivilege         2680  wmic.exe
  Token: SeSystemProfilePrivilege      2680  wmic.exe
  Token: SeSystemtimePrivilege         2680  wmic.exe
  Token: SeProfSingleProcessPrivilege  2680  wmic.exe
  Token: SeIncBasePriorityPrivilege    2680  wmic.exe
  Token: SeCreatePagefilePrivilege     2680  wmic.exe
  Token: SeBackupPrivilege             2680  wmic.exe
  Token: SeRestorePrivilege            2680  wmic.exe
  Token: SeShutdownPrivilege           2680  wmic.exe
  Token: SeDebugPrivilege              2680  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2680  wmic.exe
  Token: SeRemoteShutdownPrivilege     2680  wmic.exe
  Token: SeUndockPrivilege             2680  wmic.exe
  Token: SeManageVolumePrivilege       2680  wmic.exe
  Token: 33                            2680  wmic.exe
  Token: 34                            2680  wmic.exe
  Token: 35                            2680  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2912  wmic.exe
  Token: SeSecurityPrivilege           2912  wmic.exe
  Token: SeTakeOwnershipPrivilege      2912  wmic.exe
  Token: SeLoadDriverPrivilege         2912  wmic.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description                     pid   Process                               procid_target
  PID 1568 wrote to memory of 2336  1568  15a83b57ec05ad38e4c14f8710bd8873.exe  28
  PID 1568 wrote to memory of 2336  1568  15a83b57ec05ad38e4c14f8710bd8873.exe  28
  PID 1568 wrote to memory of 2336  1568  15a83b57ec05ad38e4c14f8710bd8873.exe  28
  PID 1568 wrote to memory of 2336  1568  15a83b57ec05ad38e4c14f8710bd8873.exe  28
  PID 2336 wrote to memory of 2688  2336  bedgeeddeb.exe                        27
  PID 2336 wrote to memory of 2688  2336  bedgeeddeb.exe                        27
  PID 2336 wrote to memory of 2688  2336  bedgeeddeb.exe                        27
  PID 2336 wrote to memory of 2688  2336  bedgeeddeb.exe                        27
  PID 2336 wrote to memory of 2680  2336  bedgeeddeb.exe                        26
  PID 2336 wrote to memory of 2680  2336  bedgeeddeb.exe                        26
  PID 2336 wrote to memory of 2680  2336  bedgeeddeb.exe                        26
  PID 2336 wrote to memory of 2680  2336  bedgeeddeb.exe                        26
  PID 2336 wrote to memory of 2912  2336  bedgeeddeb.exe                        25
  PID 2336 wrote to memory of 2912  2336  bedgeeddeb.exe                        25
  PID 2336 wrote to memory of 2912  2336  bedgeeddeb.exe                        25
  PID 2336 wrote to memory of 2912  2336  bedgeeddeb.exe                        25
  PID 2336 wrote to memory of 2596  2336  bedgeeddeb.exe                        23
  PID 2336 wrote to memory of 2596  2336  bedgeeddeb.exe                        23
  PID 2336 wrote to memory of 2596  2336  bedgeeddeb.exe                        23
  PID 2336 wrote to memory of 2596  2336  bedgeeddeb.exe                        23
  PID 2336 wrote to memory of 2592  2336  bedgeeddeb.exe                        22
  PID 2336 wrote to memory of 2592  2336  bedgeeddeb.exe                        22
  PID 2336 wrote to memory of 2592  2336  bedgeeddeb.exe                        22
  PID 2336 wrote to memory of 2592  2336  bedgeeddeb.exe                        22
  PID 2336 wrote to memory of 2944  2336  bedgeeddeb.exe                        33
  PID 2336 wrote to memory of 2944  2336  bedgeeddeb.exe                        33
  PID 2336 wrote to memory of 2944  2336  bedgeeddeb.exe                        33
  PID 2336 wrote to memory of 2944  2336  bedgeeddeb.exe                        33
Processes

1. C:\Users\Admin\AppData\Local\Temp\15a83b57ec05ad38e4c14f8710bd8873.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15a83b57ec05ad38e4c14f8710bd8873.exe"
   PID: 1568
   Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\bedgeeddeb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bedgeeddeb.exe 6|8|7|0|7|0|2|5|7|7|3 KUhCRDYzLi0rGSxNTTtQQkQ7KxkoSz9MUE9LS0c/NikdKTxCU01JQjgrKS8zLxkvPElCOCkZLEpKSEROQ1JaQj06Ky4yNBkvUUBLT0JMV05SRT1mb21pNyknbHJvLkJATEQqTkdJLTpQTilCR0NJGChDRUlBRkI9OnFLR0FHQ0dBTyxOL05FSEUwMTNPLT5HOxkvPTE7KCoZLD4qNi0qIC0/LDYqKxgoRC09KywZKEEvNSYxGS9OTUg9Uj1MWFBLSVQ8PFI6GidJUkhEUz5NWEJPRDo9GS9OTUg9Uj1MWE46TUM4GShCUj1YVUtMOxsoPlU/VzxNPUxHST42HSlASFNNX0BNSFBQP0o2MRkvUkM6R0hTR05fTlJKOBkoU0c1KyAoRFEsNhksTE1HVEJNQ1pQPkk9R0ZFQk0/Qj5OT0Y1GS9CU11NTkdRQ0U+PW1yc2AZKE8/TE5SR0lMQlhOUD9KWEQ6WVE4KxksQkE9RVE9LxsoQlBZPFJOOk1HPlg+Sz1KUlBNRUI4X1ppbV0ZLz1PVUlFSD4+V0JQNjE3MicqNiomKzIwLjArLRksSjlLQUVMQ0dYQktNTDpMRT1ybW5eHSlMQk0+PS8vLC8xLi8vMCsgLT9IUEtGRzpEWFRHSD42NCkxKDIpMTMlKjMuLTIrMiNQSw==
      PID: 2336
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 368
         PID: 2944
         Signatures: Loads dropped DLL; Program crash

1. C:\Windows\SysWOW64\Wbem\wmic.exe
   Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161500.txt bios get version
   PID: 2592

1. C:\Windows\SysWOW64\Wbem\wmic.exe
   Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161500.txt bios get version
   PID: 2596

1. C:\Windows\SysWOW64\Wbem\wmic.exe
   Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161500.txt bios get version
   PID: 2912
   Signatures: Suspicious use of AdjustPrivilegeToken

1. C:\Windows\SysWOW64\Wbem\wmic.exe
   Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161500.txt bios get version
   PID: 2680
   Signatures: Suspicious use of AdjustPrivilegeToken

1. C:\Windows\SysWOW64\Wbem\wmic.exe
   Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161500.txt bios get serialnumber
   PID: 2688
   Signatures: Suspicious use of AdjustPrivilegeToken