12b7dfddd5856b364d61d1bb58939cd5b461e2cca28de864c8a98fbacca36517

Analysis

max time kernel
123s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2669a0422e4d710b87705309ea364a97.exe
Size

772KB
MD5

2669a0422e4d710b87705309ea364a97
SHA1

497fcfb4fe8af4e723cd97065092c9b96276e792
SHA256

12b7dfddd5856b364d61d1bb58939cd5b461e2cca28de864c8a98fbacca36517
SHA512

472b45fd376fc219c810fdd6f079813269cf26e799224300c9952bf0716f48f3f62c272ba64bfdd8024985ed9dd96c186c647cd12bd3bc02a34bc39c683eda82
SSDEEP

12288:M8MDaOPU4lcdw3QswkII6y8aqnoWgZGMAlR9QkB2llm1iByfc8vy4hq:MXHa63QdfI0acqlK9Q6ZG86j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3104	bedeiggeid.exe

Loads dropped DLL 2 IoCs

pid	Process
4228	2669a0422e4d710b87705309ea364a97.exe
4228	2669a0422e4d710b87705309ea364a97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	3104	WerFault.exe	90

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4216	wmic.exe
Token: SeSecurityPrivilege	4216	wmic.exe
Token: SeTakeOwnershipPrivilege	4216	wmic.exe
Token: SeLoadDriverPrivilege	4216	wmic.exe
Token: SeSystemProfilePrivilege	4216	wmic.exe
Token: SeSystemtimePrivilege	4216	wmic.exe
Token: SeProfSingleProcessPrivilege	4216	wmic.exe
Token: SeIncBasePriorityPrivilege	4216	wmic.exe
Token: SeCreatePagefilePrivilege	4216	wmic.exe
Token: SeBackupPrivilege	4216	wmic.exe
Token: SeRestorePrivilege	4216	wmic.exe
Token: SeShutdownPrivilege	4216	wmic.exe
Token: SeDebugPrivilege	4216	wmic.exe
Token: SeSystemEnvironmentPrivilege	4216	wmic.exe
Token: SeRemoteShutdownPrivilege	4216	wmic.exe
Token: SeUndockPrivilege	4216	wmic.exe
Token: SeManageVolumePrivilege	4216	wmic.exe
Token: 33	4216	wmic.exe
Token: 34	4216	wmic.exe
Token: 35	4216	wmic.exe
Token: 36	4216	wmic.exe
Token: SeIncreaseQuotaPrivilege	4216	wmic.exe
Token: SeSecurityPrivilege	4216	wmic.exe
Token: SeTakeOwnershipPrivilege	4216	wmic.exe
Token: SeLoadDriverPrivilege	4216	wmic.exe
Token: SeSystemProfilePrivilege	4216	wmic.exe
Token: SeSystemtimePrivilege	4216	wmic.exe
Token: SeProfSingleProcessPrivilege	4216	wmic.exe
Token: SeIncBasePriorityPrivilege	4216	wmic.exe
Token: SeCreatePagefilePrivilege	4216	wmic.exe
Token: SeBackupPrivilege	4216	wmic.exe
Token: SeRestorePrivilege	4216	wmic.exe
Token: SeShutdownPrivilege	4216	wmic.exe
Token: SeDebugPrivilege	4216	wmic.exe
Token: SeSystemEnvironmentPrivilege	4216	wmic.exe
Token: SeRemoteShutdownPrivilege	4216	wmic.exe
Token: SeUndockPrivilege	4216	wmic.exe
Token: SeManageVolumePrivilege	4216	wmic.exe
Token: 33	4216	wmic.exe
Token: 34	4216	wmic.exe
Token: 35	4216	wmic.exe
Token: 36	4216	wmic.exe
Token: SeIncreaseQuotaPrivilege	1260	wmic.exe
Token: SeSecurityPrivilege	1260	wmic.exe
Token: SeTakeOwnershipPrivilege	1260	wmic.exe
Token: SeLoadDriverPrivilege	1260	wmic.exe
Token: SeSystemProfilePrivilege	1260	wmic.exe
Token: SeSystemtimePrivilege	1260	wmic.exe
Token: SeProfSingleProcessPrivilege	1260	wmic.exe
Token: SeIncBasePriorityPrivilege	1260	wmic.exe
Token: SeCreatePagefilePrivilege	1260	wmic.exe
Token: SeBackupPrivilege	1260	wmic.exe
Token: SeRestorePrivilege	1260	wmic.exe
Token: SeShutdownPrivilege	1260	wmic.exe
Token: SeDebugPrivilege	1260	wmic.exe
Token: SeSystemEnvironmentPrivilege	1260	wmic.exe
Token: SeRemoteShutdownPrivilege	1260	wmic.exe
Token: SeUndockPrivilege	1260	wmic.exe
Token: SeManageVolumePrivilege	1260	wmic.exe
Token: 33	1260	wmic.exe
Token: 34	1260	wmic.exe
Token: 35	1260	wmic.exe
Token: 36	1260	wmic.exe
Token: SeIncreaseQuotaPrivilege	1260	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3104	4228	2669a0422e4d710b87705309ea364a97.exe	90
PID 4228 wrote to memory of 3104	4228	2669a0422e4d710b87705309ea364a97.exe	90
PID 4228 wrote to memory of 3104	4228	2669a0422e4d710b87705309ea364a97.exe	90
PID 3104 wrote to memory of 4216	3104	bedeiggeid.exe	93
PID 3104 wrote to memory of 4216	3104	bedeiggeid.exe	93
PID 3104 wrote to memory of 4216	3104	bedeiggeid.exe	93
PID 3104 wrote to memory of 1260	3104	bedeiggeid.exe	96
PID 3104 wrote to memory of 1260	3104	bedeiggeid.exe	96
PID 3104 wrote to memory of 1260	3104	bedeiggeid.exe	96
PID 3104 wrote to memory of 5100	3104	bedeiggeid.exe	99
PID 3104 wrote to memory of 5100	3104	bedeiggeid.exe	99
PID 3104 wrote to memory of 5100	3104	bedeiggeid.exe	99
PID 3104 wrote to memory of 4000	3104	bedeiggeid.exe	101
PID 3104 wrote to memory of 4000	3104	bedeiggeid.exe	101
PID 3104 wrote to memory of 4000	3104	bedeiggeid.exe	101
PID 3104 wrote to memory of 304	3104	bedeiggeid.exe	103
PID 3104 wrote to memory of 304	3104	bedeiggeid.exe	103
PID 3104 wrote to memory of 304	3104	bedeiggeid.exe	103

C:\Users\Admin\AppData\Local\Temp\2669a0422e4d710b87705309ea364a97.exe
"C:\Users\Admin\AppData\Local\Temp\2669a0422e4d710b87705309ea364a97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe
  C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe 8!0!2!7!1!2!4!9!7!3!3 J1BHPTwxLCkrHSxLVUBJSEI5JxksSz1UVUhRSUU7Ni0dJ0RHTFNHQDQrNDErMB4oQkdANCkdLEhSTT1UQVBWQkE6KTY3LR8tTzxLU0JKX1NLSztka21tNycvcWt1LEA8TEgqTE9OJkBOTCVCS0NHIC08S0c/QkJBOm9BSTpKNS5NP0UwRUw/QUouRDg/UD5DUx4oQy85JCodLDwyOyYwHis7LDoqKSAtPTM7KSgZLEEtPSsqHy1MSUhBUjtUXUlRR1I4PFY6GC9OS05CUTpNXEJNTD82Hy1MSUhBUjtUXUdAS0E0GSxCUEVdTlFKORcoQlU9X0FGQ0pFRT46HSdITUxTXT5JSFRQPVI7KR8tUD86S0hRT1NYVFBINBksU0U9MBkuQk8oNh0sSlVMTUhLQVZQQkk7T0s+SEs9Pj5ST0Q9HihIUVtJTktRQU1DNnNwcVwZLE89VFNLTUdKPlhSUD1SXT1AV080Kx0sQElCPlc7LRcoRlBXRFdHQEtFOlhCSztSV0lTQ0A0X15pa2UeKENNU0VFTD48X0dJPDYxJSoxMCYxNDAtLzUXKFFGRUU7KjMxMC8vNjExMx4oQ01TRUVMPjxfUkJMQzktKC8uJzIuKjQoMjEuLjcrMyg6TA==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162960.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162960.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162960.txt bios get version
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162960.txt bios get version
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704162960.txt bios get version
    3⤵
    PID:304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 852
    3⤵
    - Program crash
    PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3104 -ip 3104
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704162960.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704162960.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704162960.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
1024KB

MD5
a1a104bd88ee98d13847c6bd07017a83

SHA1
f6bb00d002c164d271ec30bdaa1a2d6d5bf76e62

SHA256
7768402d66a11948be49d4a978567e898dc5588745bd5f13dc37e8dd3e6c9e8a

SHA512
d397a7124f2c1933d7b708d1e2292e3ace1a1332dfe3a79196ab9d945ebd74e0f9b67035247d030efc5eac8bb9f3190cd33011bf424556863bba3115b3bf50ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedeiggeid.exe

Filesize
385KB

MD5
8716a7b180bcfa03ef5063e9680c3d9d

SHA1
46ac83016032daff29f141be5e2f8aa487f68823

SHA256
6f53cf891e5e1b87ee1ab98a787eb58d5177b53260938798f307c4527458e7d0

SHA512
5088a6bbd9fe1c4e985b651d0070311ac2f501991727bd1de0bb7951fc823d8edc6bd0e7bb64daa8d79bdbf040023c625875a4382fc8ce05195930fcf28b8644

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4B33.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4B33.tmp\alziwxl.dll

Filesize
169KB

MD5
0108d9b53f0c4cda97c9abacfd1bdfb1

SHA1
47e0b4cf375e469c570d15d0e8616172bac7d6aa

SHA256
ab63fedf56c3b6fe833c733ad3570a820acc956023f23196501d9c6af0fb7e4e

SHA512
fa6ea4929b8890f9115bba3261afad2b7fb6de10f9fd02e43e37614af2211ddc4a383fae0a670d7d4b5caed1759b066420fe43bf362ddd130cec27f698d4aa9d

Download Submit