12d5b28d22d8d902d3258d92278299836df03171df250694cf7f55f0101c216e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e8c53996efc70c202ef222d3efd83f.exe
Size

714KB
MD5

56e8c53996efc70c202ef222d3efd83f
SHA1

92ef26b759d357784dad26f421cd9c8a802ccf6d
SHA256

12d5b28d22d8d902d3258d92278299836df03171df250694cf7f55f0101c216e
SHA512

bb30e6cf3e8721e44a46dd9b7b3fbb6f25c5ee14ef2b96475f7b52269befefa3b92b70aeef65ef26d24a1ae4dd705f56a4902e64184e864e19e906aa42d23201
SSDEEP

12288:2XUz9UXSS3Y5H1UA7WfbgIVMCeJxGoWf0N7rUSmVDzx3HDuaHi5bYC+fc8vy4hn:2FD3OVUASj1V5fpScx3HyaybYk86S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	bedggafdca.exe

Loads dropped DLL 11 IoCs

pid	Process
2160	56e8c53996efc70c202ef222d3efd83f.exe
2160	56e8c53996efc70c202ef222d3efd83f.exe
2160	56e8c53996efc70c202ef222d3efd83f.exe
2160	56e8c53996efc70c202ef222d3efd83f.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	2232	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2092	wmic.exe
Token: SeSecurityPrivilege	2092	wmic.exe
Token: SeTakeOwnershipPrivilege	2092	wmic.exe
Token: SeLoadDriverPrivilege	2092	wmic.exe
Token: SeSystemProfilePrivilege	2092	wmic.exe
Token: SeSystemtimePrivilege	2092	wmic.exe
Token: SeProfSingleProcessPrivilege	2092	wmic.exe
Token: SeIncBasePriorityPrivilege	2092	wmic.exe
Token: SeCreatePagefilePrivilege	2092	wmic.exe
Token: SeBackupPrivilege	2092	wmic.exe
Token: SeRestorePrivilege	2092	wmic.exe
Token: SeShutdownPrivilege	2092	wmic.exe
Token: SeDebugPrivilege	2092	wmic.exe
Token: SeSystemEnvironmentPrivilege	2092	wmic.exe
Token: SeRemoteShutdownPrivilege	2092	wmic.exe
Token: SeUndockPrivilege	2092	wmic.exe
Token: SeManageVolumePrivilege	2092	wmic.exe
Token: 33	2092	wmic.exe
Token: 34	2092	wmic.exe
Token: 35	2092	wmic.exe
Token: SeIncreaseQuotaPrivilege	2092	wmic.exe
Token: SeSecurityPrivilege	2092	wmic.exe
Token: SeTakeOwnershipPrivilege	2092	wmic.exe
Token: SeLoadDriverPrivilege	2092	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2232	2160	56e8c53996efc70c202ef222d3efd83f.exe	28
PID 2160 wrote to memory of 2232	2160	56e8c53996efc70c202ef222d3efd83f.exe	28
PID 2160 wrote to memory of 2232	2160	56e8c53996efc70c202ef222d3efd83f.exe	28
PID 2160 wrote to memory of 2232	2160	56e8c53996efc70c202ef222d3efd83f.exe	28
PID 2232 wrote to memory of 2764	2232	bedggafdca.exe	29
PID 2232 wrote to memory of 2764	2232	bedggafdca.exe	29
PID 2232 wrote to memory of 2764	2232	bedggafdca.exe	29
PID 2232 wrote to memory of 2764	2232	bedggafdca.exe	29
PID 2232 wrote to memory of 2092	2232	bedggafdca.exe	32
PID 2232 wrote to memory of 2092	2232	bedggafdca.exe	32
PID 2232 wrote to memory of 2092	2232	bedggafdca.exe	32
PID 2232 wrote to memory of 2092	2232	bedggafdca.exe	32
PID 2232 wrote to memory of 2588	2232	bedggafdca.exe	34
PID 2232 wrote to memory of 2588	2232	bedggafdca.exe	34
PID 2232 wrote to memory of 2588	2232	bedggafdca.exe	34
PID 2232 wrote to memory of 2588	2232	bedggafdca.exe	34
PID 2232 wrote to memory of 1408	2232	bedggafdca.exe	37
PID 2232 wrote to memory of 1408	2232	bedggafdca.exe	37
PID 2232 wrote to memory of 1408	2232	bedggafdca.exe	37
PID 2232 wrote to memory of 1408	2232	bedggafdca.exe	37
PID 2232 wrote to memory of 2536	2232	bedggafdca.exe	39
PID 2232 wrote to memory of 2536	2232	bedggafdca.exe	39
PID 2232 wrote to memory of 2536	2232	bedggafdca.exe	39
PID 2232 wrote to memory of 2536	2232	bedggafdca.exe	39
PID 2232 wrote to memory of 2860	2232	bedggafdca.exe	40
PID 2232 wrote to memory of 2860	2232	bedggafdca.exe	40
PID 2232 wrote to memory of 2860	2232	bedggafdca.exe	40
PID 2232 wrote to memory of 2860	2232	bedggafdca.exe	40

C:\Users\Admin\AppData\Local\Temp\56e8c53996efc70c202ef222d3efd83f.exe
"C:\Users\Admin\AppData\Local\Temp\56e8c53996efc70c202ef222d3efd83f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\bedggafdca.exe
  C:\Users\Admin\AppData\Local\Temp\bedggafdca.exe 7|8|0|6|1|0|8|2|2|7|4 KEhJPjwxMTE0LBwoS1U8T0k8Oy4ZK0c9VFFOUkNHQjYtHiowanFvXHNhbWpaZWU3UWVha19gYRknRENSVEFCOyszMCkyGi5DQUI7KRwoSFJJQ1U7Ul1CQDYqNjMzMxgtUT5OTz1SWVRSRDtmbXBpMi8pcnJuLEI+T0QlVElPLTlOTidFRz5PGi5DREdBREU9NSApQzE1Ky8ZKz0qPScwICdCMTYpKhgvPjM9JS8eKEAuNS0rHy9IUE09UTxMX0pRSU4/QVI5GSdQTE5ETUFSWEFOREE3Hy9IUE09UTxMX0hATT07HihBUT1fT1FMNR4tPlQ+V0NHQ0xBTEM2HChAT01TXzpQTVBPPko9Lx8vTEY/R0dSR1VZVFJEOx4oUkY1MhouREsvOxkrS01OTkhNPV1VPkg8R00/SE05RUNOTkU1IClIU1dQU0dQQkVFN3NybWMeKE4+TFVMTUlGRV1OTz5KXz5AWUs7MBkrQUFEP1c9KR4tQk9YPFlIQE1BQV0+SjxKWUpTRTw7ZFpobF0gKUNPT0xKSD09V0lKPDEvNiwuMycrMSg0OBgtTjpOOkRMP0tfQUxRTT1FRD1gYGxrYx4oUEJFRTcwNCs0NCk1LSw2Gi5ER1VMRUs6PF9OSE09OzUoLSonMiowNSIvLjMtKTI0MClBRQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705075733.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705075733.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705075733.txt bios get version
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705075733.txt bios get version
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705075733.txt bios get version
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81705075733.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81705075733.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
382KB

MD5
64645626f9839e980f1aed556d994408

SHA1
0ff5e780ab95689b186b753e6dac5a9f3ad6cc81

SHA256
e967efd764f97fc28b696b3311afc1207eeb6d5fa274a5615da7fa289a626f81

SHA512
32cf85f3eae9199171d310565ec3c5f1244286ec2046521a5eaf5c32a5d647490ffb6b82f81c89f2fb26d574f05febd468a338168abefb2eab1b4cedf6d3798b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
894KB

MD5
8fac3ed1c499e3fcc9c2a90ecba10125

SHA1
0b486b3bcc9f81dc037cd9dc1225ac7b8d14e15f

SHA256
97136fac149cbbe7945268ab29d6713f11a5df59f582ea0f64156e9508d1b47f

SHA512
87afa95e911c12aa0a06aafb7de46811acbf99d071ef0bec8acb1337100c1328b607c4a6ee7e2fcf0b8d570b664377c2f0c9d41f5c8c071717a9a4e7f480f7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4683.tmp\cppahhz.dll

Filesize
153KB

MD5
256a4fd5061e042b52c698808fa161cc

SHA1
4ab8bf6233e87efe2bc7cdce908a894854ca523c

SHA256
3c857fb04ef9e3ecef14cd2c6fc8e19d2b44fe699d0dc9ef1d467731a61cb916

SHA512
6bd24d68bad8763b4e10ab6596dd23f609319d5aa6472f408ba6ccd2bab61b7c1f514337e11963ef076d65cc4b25d0914390a3aecbd1c80b4f785a984ff8eea0

Download Submit
\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
975KB

MD5
a38b75869bca5b1539b4aa47e4686abf

SHA1
79435a1bb8876989c48ee51eed10070cdf13609c

SHA256
88fb510f6fef485ae8e952d547d2137fe8a1af0c785ac707b5e4a30a9b88310c

SHA512
9e76a32053fda13cb4e0c75f7398cd00581186e143a02beb53a2e4cdef2ed1609f4881924da1c02020df95fd1c56da41024fed139063c781a0afb8cf9c2abbe5

Download Submit
\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
893KB

MD5
032d241346b37800f6a5dd6b9c78f7a9

SHA1
d6e4c7a5fa4842a763307e1efdeb1876e1d56203

SHA256
ef4b51bf465be3eccf403da6b60d0508ed793c9587a3d70ae1a4465c70936959

SHA512
37feda768e7d36dfbeead0de7cc1b0a0c367937f648b1e7556ca9bf721328852caab3247b3777d7c04b8edbb393e48534eebacde84d92d8587e7144a4b657442

Download Submit
\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
384KB

MD5
5bf23ac2142617d1eb0676f17729f699

SHA1
d5940160417ffc3a99775f15e7317179ef51b19f

SHA256
f3c3a329bdd6a38a20547378fd2852eb9814d234ba686bc21d9750d853ffab4f

SHA512
a46083d202ef723a22dbd63efb37b90eafb8c92b4cd34fbcff96fa4ad4da945ce6e23a5d3f9f651f2f832bb9d0e9fd74e211aa28276d49bafe3ee6c2bab204ff

Download Submit
\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
381KB

MD5
d74c243913e0721a7a62c2fc2e5dc439

SHA1
397fe155b514227502884b3b9ba2456b9bf2f842

SHA256
f6cd2ff2ca49a00854f99e88efb76b6673f936ad0507365ba577c52f72fe066a

SHA512
c0bf12f5f2a557ed3cce10054d82ca6ed70f07c5979059106eb1bb6892bcb6bdbed4aea6ebed2f93a46f5171972fd52e20e46ea42b2319458f6861e736870590

Download Submit
\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
431KB

MD5
371d2501078d7b1aa582789cd57a72d4

SHA1
fc0b206047215a8357cdb3466b138ec149a8c828

SHA256
d497f5d19bcb9bc6d59dcfc4a9642adeea003b41e5f9903c07a79ca1e35da745

SHA512
c275489b211cd763633efe13866f4fbd4a7d4ba22a113f39f0f5b7ff489988d7ece68efe7d5974bd43b3eedc336529d77c139055f09ca158c23638b8a18d4271

Download Submit
\Users\Admin\AppData\Local\Temp\bedggafdca.exe

Filesize
92KB

MD5
7b02030ef03d879815e5598d9a2db7b3

SHA1
6d903e1a03687dcdb3e432ba5a1cceacdee3377c

SHA256
316d24a75c77517667274b5296d82394a8822dae00a95193ebf578487aeec038

SHA512
4e48626c79992b7e588a4e4983fe507995e18b10f6e0d89c1f21b5464e0715fb7b5576b0ffa1eb3848554b3fdca7fa6c0f0ba579848c722ef307dd117f325adb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4683.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit