12b7dfddd5856b364d61d1bb58939cd5b461e2cca28de864c8a98fbacca36517

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2669a0422e4d710b87705309ea364a97.exe
Size

772KB
MD5

2669a0422e4d710b87705309ea364a97
SHA1

497fcfb4fe8af4e723cd97065092c9b96276e792
SHA256

12b7dfddd5856b364d61d1bb58939cd5b461e2cca28de864c8a98fbacca36517
SHA512

472b45fd376fc219c810fdd6f079813269cf26e799224300c9952bf0716f48f3f62c272ba64bfdd8024985ed9dd96c186c647cd12bd3bc02a34bc39c683eda82
SSDEEP

12288:M8MDaOPU4lcdw3QswkII6y8aqnoWgZGMAlR9QkB2llm1iByfc8vy4hq:MXHa63QdfI0acqlK9Q6ZG86j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2648	bedeiggeid.exe

Loads dropped DLL 11 IoCs

pid	Process
1232	2669a0422e4d710b87705309ea364a97.exe
1232	2669a0422e4d710b87705309ea364a97.exe
1232	2669a0422e4d710b87705309ea364a97.exe
1232	2669a0422e4d710b87705309ea364a97.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	2648	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3040	wmic.exe
Token: SeSecurityPrivilege	3040	wmic.exe
Token: SeTakeOwnershipPrivilege	3040	wmic.exe
Token: SeLoadDriverPrivilege	3040	wmic.exe
Token: SeSystemProfilePrivilege	3040	wmic.exe
Token: SeSystemtimePrivilege	3040	wmic.exe
Token: SeProfSingleProcessPrivilege	3040	wmic.exe
Token: SeIncBasePriorityPrivilege	3040	wmic.exe
Token: SeCreatePagefilePrivilege	3040	wmic.exe
Token: SeBackupPrivilege	3040	wmic.exe
Token: SeRestorePrivilege	3040	wmic.exe
Token: SeShutdownPrivilege	3040	wmic.exe
Token: SeDebugPrivilege	3040	wmic.exe
Token: SeSystemEnvironmentPrivilege	3040	wmic.exe
Token: SeRemoteShutdownPrivilege	3040	wmic.exe
Token: SeUndockPrivilege	3040	wmic.exe
Token: SeManageVolumePrivilege	3040	wmic.exe
Token: 33	3040	wmic.exe
Token: 34	3040	wmic.exe
Token: 35	3040	wmic.exe
Token: SeIncreaseQuotaPrivilege	3040	wmic.exe
Token: SeSecurityPrivilege	3040	wmic.exe
Token: SeTakeOwnershipPrivilege	3040	wmic.exe
Token: SeLoadDriverPrivilege	3040	wmic.exe
Token: SeSystemProfilePrivilege	3040	wmic.exe
Token: SeSystemtimePrivilege	3040	wmic.exe
Token: SeProfSingleProcessPrivilege	3040	wmic.exe
Token: SeIncBasePriorityPrivilege	3040	wmic.exe
Token: SeCreatePagefilePrivilege	3040	wmic.exe
Token: SeBackupPrivilege	3040	wmic.exe
Token: SeRestorePrivilege	3040	wmic.exe
Token: SeShutdownPrivilege	3040	wmic.exe
Token: SeDebugPrivilege	3040	wmic.exe
Token: SeSystemEnvironmentPrivilege	3040	wmic.exe
Token: SeRemoteShutdownPrivilege	3040	wmic.exe
Token: SeUndockPrivilege	3040	wmic.exe
Token: SeManageVolumePrivilege	3040	wmic.exe
Token: 33	3040	wmic.exe
Token: 34	3040	wmic.exe
Token: 35	3040	wmic.exe
Token: SeIncreaseQuotaPrivilege	2804	wmic.exe
Token: SeSecurityPrivilege	2804	wmic.exe
Token: SeTakeOwnershipPrivilege	2804	wmic.exe
Token: SeLoadDriverPrivilege	2804	wmic.exe
Token: SeSystemProfilePrivilege	2804	wmic.exe
Token: SeSystemtimePrivilege	2804	wmic.exe
Token: SeProfSingleProcessPrivilege	2804	wmic.exe
Token: SeIncBasePriorityPrivilege	2804	wmic.exe
Token: SeCreatePagefilePrivilege	2804	wmic.exe
Token: SeBackupPrivilege	2804	wmic.exe
Token: SeRestorePrivilege	2804	wmic.exe
Token: SeShutdownPrivilege	2804	wmic.exe
Token: SeDebugPrivilege	2804	wmic.exe
Token: SeSystemEnvironmentPrivilege	2804	wmic.exe
Token: SeRemoteShutdownPrivilege	2804	wmic.exe
Token: SeUndockPrivilege	2804	wmic.exe
Token: SeManageVolumePrivilege	2804	wmic.exe
Token: 33	2804	wmic.exe
Token: 34	2804	wmic.exe
Token: 35	2804	wmic.exe
Token: SeIncreaseQuotaPrivilege	2548	wmic.exe
Token: SeSecurityPrivilege	2548	wmic.exe
Token: SeTakeOwnershipPrivilege	2548	wmic.exe
Token: SeLoadDriverPrivilege	2548	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2648	1232	2669a0422e4d710b87705309ea364a97.exe	28
PID 1232 wrote to memory of 2648	1232	2669a0422e4d710b87705309ea364a97.exe	28
PID 1232 wrote to memory of 2648	1232	2669a0422e4d710b87705309ea364a97.exe	28
PID 1232 wrote to memory of 2648	1232	2669a0422e4d710b87705309ea364a97.exe	28
PID 2648 wrote to memory of 3040	2648	bedeiggeid.exe	30
PID 2648 wrote to memory of 3040	2648	bedeiggeid.exe	30
PID 2648 wrote to memory of 3040	2648	bedeiggeid.exe	30
PID 2648 wrote to memory of 3040	2648	bedeiggeid.exe	30
PID 2648 wrote to memory of 2804	2648	bedeiggeid.exe	33
PID 2648 wrote to memory of 2804	2648	bedeiggeid.exe	33
PID 2648 wrote to memory of 2804	2648	bedeiggeid.exe	33
PID 2648 wrote to memory of 2804	2648	bedeiggeid.exe	33
PID 2648 wrote to memory of 2548	2648	bedeiggeid.exe	35
PID 2648 wrote to memory of 2548	2648	bedeiggeid.exe	35
PID 2648 wrote to memory of 2548	2648	bedeiggeid.exe	35
PID 2648 wrote to memory of 2548	2648	bedeiggeid.exe	35
PID 2648 wrote to memory of 1996	2648	bedeiggeid.exe	36
PID 2648 wrote to memory of 1996	2648	bedeiggeid.exe	36
PID 2648 wrote to memory of 1996	2648	bedeiggeid.exe	36
PID 2648 wrote to memory of 1996	2648	bedeiggeid.exe	36
PID 2648 wrote to memory of 2132	2648	bedeiggeid.exe	39
PID 2648 wrote to memory of 2132	2648	bedeiggeid.exe	39
PID 2648 wrote to memory of 2132	2648	bedeiggeid.exe	39
PID 2648 wrote to memory of 2132	2648	bedeiggeid.exe	39
PID 2648 wrote to memory of 2920	2648	bedeiggeid.exe	40
PID 2648 wrote to memory of 2920	2648	bedeiggeid.exe	40
PID 2648 wrote to memory of 2920	2648	bedeiggeid.exe	40
PID 2648 wrote to memory of 2920	2648	bedeiggeid.exe	40

C:\Users\Admin\AppData\Local\Temp\2669a0422e4d710b87705309ea364a97.exe
"C:\Users\Admin\AppData\Local\Temp\2669a0422e4d710b87705309ea364a97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe
  C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe 8!0!2!7!1!2!4!9!7!3!3 J1BHPTwxLCkrHSxLVUBJSEI5JxksSz1UVUhRSUU7Ni0dJ0RHTFNHQDQrNDErMB4oQkdANCkdLEhSTT1UQVBWQkE6KTY3LR8tTzxLU0JKX1NLSztka21tNycvcWt1LEA8TEgqTE9OJkBOTCVCS0NHIC08S0c/QkJBOm9BSTpKNS5NP0UwRUw/QUouRDg/UD5DUx4oQy85JCodLDwyOyYwHis7LDoqKSAtPTM7KSgZLEEtPSsqHy1MSUhBUjtUXUlRR1I4PFY6GC9OS05CUTpNXEJNTD82Hy1MSUhBUjtUXUdAS0E0GSxCUEVdTlFKORcoQlU9X0FGQ0pFRT46HSdITUxTXT5JSFRQPVI7KR8tUD86S0hRT1NYVFBINBksU0U9MBkuQk8oNh0sSlVMTUhLQVZQQkk7T0s+SEs9Pj5ST0Q9HihIUVtJTktRQU1DNnNwcVwZLE89VFNLTUdKPlhSUD1SXT1AV080Kx0sQElCPlc7LRcoRlBXRFdHQEtFOlhCSztSV0lTQ0A0X15pa2UeKENNU0VFTD48X0dJPDYxJSoxMCYxNDAtLzUXKFFGRUU7KjMxMC8vNjExMx4oQ01TRUVMPjxfUkJMQzktKC8uJzIuKjQoMjEuLjcrMyg6TA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162980.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162980.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162980.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162980.txt bios get version
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162980.txt bios get version
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704162980.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
546KB

MD5
507e722c0dc3f88032250e1ce2c80427

SHA1
be75336b7c158be8c94cd823e3c14b8a5799ab46

SHA256
efb00e84cc0fd5ea679af200a2f66c336d819369365d2a2b7b67dc6c577a2dbe

SHA512
7e9c287ab7aeb0116f165d6d0a837d52c1d69b8581fee7099f627c92a75fdef39427783749bb163f48ba41262b441a68e840b8f1ab9358c2d72110797ef24b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
193KB

MD5
eab024340df9b5091beea4b7fd2ecddb

SHA1
e5e80ddb9c58b343d18b1b597f92837355c81222

SHA256
99c9d82de8c93346e7f3647411c6948d9e6c27489f427b26db53ba8ead08a664

SHA512
cd38979f973d41a9499613a336ac1d711813d0d63f01f2da56c2c693273bb1d412ea089b3c2455f9da18e7206a6d699395c672c8f3160e99d07bee0042275b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3A72.tmp\alziwxl.dll

Filesize
169KB

MD5
0108d9b53f0c4cda97c9abacfd1bdfb1

SHA1
47e0b4cf375e469c570d15d0e8616172bac7d6aa

SHA256
ab63fedf56c3b6fe833c733ad3570a820acc956023f23196501d9c6af0fb7e4e

SHA512
fa6ea4929b8890f9115bba3261afad2b7fb6de10f9fd02e43e37614af2211ddc4a383fae0a670d7d4b5caed1759b066420fe43bf362ddd130cec27f698d4aa9d

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
513KB

MD5
c0e811a22523fa8247a16da37209376a

SHA1
21a575329836c0d1651d2fd4860a7fe482afe8ec

SHA256
7d587ec0980f7069082bb4833a2d82ff4d3a060753b6ab0108176c6dd4621935

SHA512
49546c55814bef2279e6d7d90b8d284f0feceec1d36c7a4e12634abde3aeebd5119129fc79aa4ea7d6ef3f0e23f678411e179816c961b6084347198b5a2715b6

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
894KB

MD5
1863e0311a6506c5a50b5f7078cae087

SHA1
bac4b581f70b936316acb301d5a3109867c2f786

SHA256
b8823ba0787cd4aea568eadecbcee577a8014d144c068ad64d05dc61f258ce66

SHA512
839bc77dd8ea604d77c0a46889187ac5d0933f06948ab2a068b215b2efd2d58ef76130160903c850b07afc26abd3a5600fbce447e8f3a755eee3cb5e59d21c93

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
92KB

MD5
a74dae5a2302ac403791cae85ead502a

SHA1
5041f31d1297c3f4655a5416b50046f81aa3e378

SHA256
3af86b7a5279c2fc328438228bf7ccec214bf3f60a9ff1cb5d2d948324f9e827

SHA512
0a54aa6c74b36d5b06781e1c6d064b849f0803a03f90836af166b27648a204f1fd6485817b7546f451b13adacd3e314821e8adb0fd4d43ea4f8d887f671faefd

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3A72.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit