1026e860ce62280d2ed35f37280f8e42e79ab694ef4c4b30718dbdfe306b4b82

Analysis

max time kernel
141s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a83b57ec05ad38e4c14f8710bd8873.exe
Size

694KB
MD5

15a83b57ec05ad38e4c14f8710bd8873
SHA1

bb1a9a3a7e2fdc7c3c6f8ea3c081c8b28183cfa2
SHA256

1026e860ce62280d2ed35f37280f8e42e79ab694ef4c4b30718dbdfe306b4b82
SHA512

dbc6204c9466f171be409d56d9bb26659b594457592c2954beecc7d8fa19dc04ca716a87c52fb434e1f8d894a32ec285e64513ee69ecc3721ced520404d81cc1
SSDEEP

12288:qY43eEvlkuSYi0ydxhP5vA0pj+HQkIBhEtpx3Ocz1j5yOV2slLgUM+fc8vy4h1p:qYOOuSYivrhP5o0iIoLjDyOVXl1K86+p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3844	bedgeeddeb.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	15a83b57ec05ad38e4c14f8710bd8873.exe
2548	15a83b57ec05ad38e4c14f8710bd8873.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1692	3844	WerFault.exe	42

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3596	wmic.exe
Token: SeSecurityPrivilege	3596	wmic.exe
Token: SeTakeOwnershipPrivilege	3596	wmic.exe
Token: SeLoadDriverPrivilege	3596	wmic.exe
Token: SeSystemProfilePrivilege	3596	wmic.exe
Token: SeSystemtimePrivilege	3596	wmic.exe
Token: SeProfSingleProcessPrivilege	3596	wmic.exe
Token: SeIncBasePriorityPrivilege	3596	wmic.exe
Token: SeCreatePagefilePrivilege	3596	wmic.exe
Token: SeBackupPrivilege	3596	wmic.exe
Token: SeRestorePrivilege	3596	wmic.exe
Token: SeShutdownPrivilege	3596	wmic.exe
Token: SeDebugPrivilege	3596	wmic.exe
Token: SeSystemEnvironmentPrivilege	3596	wmic.exe
Token: SeRemoteShutdownPrivilege	3596	wmic.exe
Token: SeUndockPrivilege	3596	wmic.exe
Token: SeManageVolumePrivilege	3596	wmic.exe
Token: 33	3596	wmic.exe
Token: 34	3596	wmic.exe
Token: 35	3596	wmic.exe
Token: 36	3596	wmic.exe
Token: SeIncreaseQuotaPrivilege	3596	wmic.exe
Token: SeSecurityPrivilege	3596	wmic.exe
Token: SeTakeOwnershipPrivilege	3596	wmic.exe
Token: SeLoadDriverPrivilege	3596	wmic.exe
Token: SeSystemProfilePrivilege	3596	wmic.exe
Token: SeSystemtimePrivilege	3596	wmic.exe
Token: SeProfSingleProcessPrivilege	3596	wmic.exe
Token: SeIncBasePriorityPrivilege	3596	wmic.exe
Token: SeCreatePagefilePrivilege	3596	wmic.exe
Token: SeBackupPrivilege	3596	wmic.exe
Token: SeRestorePrivilege	3596	wmic.exe
Token: SeShutdownPrivilege	3596	wmic.exe
Token: SeDebugPrivilege	3596	wmic.exe
Token: SeSystemEnvironmentPrivilege	3596	wmic.exe
Token: SeRemoteShutdownPrivilege	3596	wmic.exe
Token: SeUndockPrivilege	3596	wmic.exe
Token: SeManageVolumePrivilege	3596	wmic.exe
Token: 33	3596	wmic.exe
Token: 34	3596	wmic.exe
Token: 35	3596	wmic.exe
Token: 36	3596	wmic.exe
Token: SeIncreaseQuotaPrivilege	1840	wmic.exe
Token: SeSecurityPrivilege	1840	wmic.exe
Token: SeTakeOwnershipPrivilege	1840	wmic.exe
Token: SeLoadDriverPrivilege	1840	wmic.exe
Token: SeSystemProfilePrivilege	1840	wmic.exe
Token: SeSystemtimePrivilege	1840	wmic.exe
Token: SeProfSingleProcessPrivilege	1840	wmic.exe
Token: SeIncBasePriorityPrivilege	1840	wmic.exe
Token: SeCreatePagefilePrivilege	1840	wmic.exe
Token: SeBackupPrivilege	1840	wmic.exe
Token: SeRestorePrivilege	1840	wmic.exe
Token: SeShutdownPrivilege	1840	wmic.exe
Token: SeDebugPrivilege	1840	wmic.exe
Token: SeSystemEnvironmentPrivilege	1840	wmic.exe
Token: SeRemoteShutdownPrivilege	1840	wmic.exe
Token: SeUndockPrivilege	1840	wmic.exe
Token: SeManageVolumePrivilege	1840	wmic.exe
Token: 33	1840	wmic.exe
Token: 34	1840	wmic.exe
Token: 35	1840	wmic.exe
Token: 36	1840	wmic.exe
Token: SeIncreaseQuotaPrivilege	1840	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3844	2548	15a83b57ec05ad38e4c14f8710bd8873.exe	42
PID 2548 wrote to memory of 3844	2548	15a83b57ec05ad38e4c14f8710bd8873.exe	42
PID 2548 wrote to memory of 3844	2548	15a83b57ec05ad38e4c14f8710bd8873.exe	42
PID 3844 wrote to memory of 3596	3844	bedgeeddeb.exe	41
PID 3844 wrote to memory of 3596	3844	bedgeeddeb.exe	41
PID 3844 wrote to memory of 3596	3844	bedgeeddeb.exe	41
PID 3844 wrote to memory of 1840	3844	bedgeeddeb.exe	54
PID 3844 wrote to memory of 1840	3844	bedgeeddeb.exe	54
PID 3844 wrote to memory of 1840	3844	bedgeeddeb.exe	54
PID 3844 wrote to memory of 2192	3844	bedgeeddeb.exe	56
PID 3844 wrote to memory of 2192	3844	bedgeeddeb.exe	56
PID 3844 wrote to memory of 2192	3844	bedgeeddeb.exe	56
PID 3844 wrote to memory of 1068	3844	bedgeeddeb.exe	58
PID 3844 wrote to memory of 1068	3844	bedgeeddeb.exe	58
PID 3844 wrote to memory of 1068	3844	bedgeeddeb.exe	58
PID 3844 wrote to memory of 2376	3844	bedgeeddeb.exe	60
PID 3844 wrote to memory of 2376	3844	bedgeeddeb.exe	60
PID 3844 wrote to memory of 2376	3844	bedgeeddeb.exe	60

C:\Users\Admin\AppData\Local\Temp\15a83b57ec05ad38e4c14f8710bd8873.exe
"C:\Users\Admin\AppData\Local\Temp\15a83b57ec05ad38e4c14f8710bd8873.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\bedgeeddeb.exe
  C:\Users\Admin\AppData\Local\Temp\bedgeeddeb.exe 6|8|7|0|7|0|2|5|7|7|3 KUhCRDYzLi0rGSxNTTtQQkQ7KxkoSz9MUE9LS0c/NikdKTxCU01JQjgrKS8zLxkvPElCOCkZLEpKSEROQ1JaQj06Ky4yNBkvUUBLT0JMV05SRT1mb21pNyknbHJvLkJATEQqTkdJLTpQTilCR0NJGChDRUlBRkI9OnFLR0FHQ0dBTyxOL05FSEUwMTNPLT5HOxkvPTE7KCoZLD4qNi0qIC0/LDYqKxgoRC09KywZKEEvNSYxGS9OTUg9Uj1MWFBLSVQ8PFI6GidJUkhEUz5NWEJPRDo9GS9OTUg9Uj1MWE46TUM4GShCUj1YVUtMOxsoPlU/VzxNPUxHST42HSlASFNNX0BNSFBQP0o2MRkvUkM6R0hTR05fTlJKOBkoU0c1KyAoRFEsNhksTE1HVEJNQ1pQPkk9R0ZFQk0/Qj5OT0Y1GS9CU11NTkdRQ0U+PW1yc2AZKE8/TE5SR0lMQlhOUD9KWEQ6WVE4KxksQkE9RVE9LxsoQlBZPFJOOk1HPlg+Sz1KUlBNRUI4X1ppbV0ZLz1PVUlFSD4+V0JQNjE3MicqNiomKzIwLjArLRksSjlLQUVMQ0dYQktNTDpMRT1ybW5eHSlMQk0+PS8vLC8xLi8vMCsgLT9IUEtGRzpEWFRHSD42NCkxKDIpMTMlKjMuLTIrMiNQSw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161538.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161538.txt bios get version
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161538.txt bios get version
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161538.txt bios get version
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 856
    3⤵
    - Program crash
    PID:1692

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704161538.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3844 -ip 3844
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads