1356ad87712f65146545a919ffc13ff7f8592d01ffa04ec850d4318a59618e21

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 08:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98eed94b075366cbecbc4e822b83aa0d.exe
Size

694KB
MD5

98eed94b075366cbecbc4e822b83aa0d
SHA1

c9a13f9a42e68f0afb40c04b5a35a80683f770f6
SHA256

1356ad87712f65146545a919ffc13ff7f8592d01ffa04ec850d4318a59618e21
SHA512

6a73ea66c084afe10a391f0c95b6a0f7e1794b0721692df9bbb7ae7365dbfc1312719bca4f1f8045c91506a2c229e53afcaa8a2ef70d80557712614ec4a755fa
SSDEEP

12288:QyzrPwsFxzxrZftYbq5J6RmN0K7ArkoexibmDkMIKeO0F0ZFvntfc8vy4h5/:QQFZDtYaCCjPLiy4zw7y86q/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	bedgeaabeb.exe

Loads dropped DLL 11 IoCs

pid	Process
2332	98eed94b075366cbecbc4e822b83aa0d.exe
2332	98eed94b075366cbecbc4e822b83aa0d.exe
2332	98eed94b075366cbecbc4e822b83aa0d.exe
2332	98eed94b075366cbecbc4e822b83aa0d.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	2844	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2888	wmic.exe
Token: SeSecurityPrivilege	2888	wmic.exe
Token: SeTakeOwnershipPrivilege	2888	wmic.exe
Token: SeLoadDriverPrivilege	2888	wmic.exe
Token: SeSystemProfilePrivilege	2888	wmic.exe
Token: SeSystemtimePrivilege	2888	wmic.exe
Token: SeProfSingleProcessPrivilege	2888	wmic.exe
Token: SeIncBasePriorityPrivilege	2888	wmic.exe
Token: SeCreatePagefilePrivilege	2888	wmic.exe
Token: SeBackupPrivilege	2888	wmic.exe
Token: SeRestorePrivilege	2888	wmic.exe
Token: SeShutdownPrivilege	2888	wmic.exe
Token: SeDebugPrivilege	2888	wmic.exe
Token: SeSystemEnvironmentPrivilege	2888	wmic.exe
Token: SeRemoteShutdownPrivilege	2888	wmic.exe
Token: SeUndockPrivilege	2888	wmic.exe
Token: SeManageVolumePrivilege	2888	wmic.exe
Token: 33	2888	wmic.exe
Token: 34	2888	wmic.exe
Token: 35	2888	wmic.exe
Token: SeIncreaseQuotaPrivilege	2888	wmic.exe
Token: SeSecurityPrivilege	2888	wmic.exe
Token: SeTakeOwnershipPrivilege	2888	wmic.exe
Token: SeLoadDriverPrivilege	2888	wmic.exe
Token: SeSystemProfilePrivilege	2888	wmic.exe
Token: SeSystemtimePrivilege	2888	wmic.exe
Token: SeProfSingleProcessPrivilege	2888	wmic.exe
Token: SeIncBasePriorityPrivilege	2888	wmic.exe
Token: SeCreatePagefilePrivilege	2888	wmic.exe
Token: SeBackupPrivilege	2888	wmic.exe
Token: SeRestorePrivilege	2888	wmic.exe
Token: SeShutdownPrivilege	2888	wmic.exe
Token: SeDebugPrivilege	2888	wmic.exe
Token: SeSystemEnvironmentPrivilege	2888	wmic.exe
Token: SeRemoteShutdownPrivilege	2888	wmic.exe
Token: SeUndockPrivilege	2888	wmic.exe
Token: SeManageVolumePrivilege	2888	wmic.exe
Token: 33	2888	wmic.exe
Token: 34	2888	wmic.exe
Token: 35	2888	wmic.exe
Token: SeIncreaseQuotaPrivilege	2116	wmic.exe
Token: SeSecurityPrivilege	2116	wmic.exe
Token: SeTakeOwnershipPrivilege	2116	wmic.exe
Token: SeLoadDriverPrivilege	2116	wmic.exe
Token: SeSystemProfilePrivilege	2116	wmic.exe
Token: SeSystemtimePrivilege	2116	wmic.exe
Token: SeProfSingleProcessPrivilege	2116	wmic.exe
Token: SeIncBasePriorityPrivilege	2116	wmic.exe
Token: SeCreatePagefilePrivilege	2116	wmic.exe
Token: SeBackupPrivilege	2116	wmic.exe
Token: SeRestorePrivilege	2116	wmic.exe
Token: SeShutdownPrivilege	2116	wmic.exe
Token: SeDebugPrivilege	2116	wmic.exe
Token: SeSystemEnvironmentPrivilege	2116	wmic.exe
Token: SeRemoteShutdownPrivilege	2116	wmic.exe
Token: SeUndockPrivilege	2116	wmic.exe
Token: SeManageVolumePrivilege	2116	wmic.exe
Token: 33	2116	wmic.exe
Token: 34	2116	wmic.exe
Token: 35	2116	wmic.exe
Token: SeIncreaseQuotaPrivilege	2576	wmic.exe
Token: SeSecurityPrivilege	2576	wmic.exe
Token: SeTakeOwnershipPrivilege	2576	wmic.exe
Token: SeLoadDriverPrivilege	2576	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2844	2332	98eed94b075366cbecbc4e822b83aa0d.exe	28
PID 2332 wrote to memory of 2844	2332	98eed94b075366cbecbc4e822b83aa0d.exe	28
PID 2332 wrote to memory of 2844	2332	98eed94b075366cbecbc4e822b83aa0d.exe	28
PID 2332 wrote to memory of 2844	2332	98eed94b075366cbecbc4e822b83aa0d.exe	28
PID 2844 wrote to memory of 2888	2844	bedgeaabeb.exe	29
PID 2844 wrote to memory of 2888	2844	bedgeaabeb.exe	29
PID 2844 wrote to memory of 2888	2844	bedgeaabeb.exe	29
PID 2844 wrote to memory of 2888	2844	bedgeaabeb.exe	29
PID 2844 wrote to memory of 2116	2844	bedgeaabeb.exe	32
PID 2844 wrote to memory of 2116	2844	bedgeaabeb.exe	32
PID 2844 wrote to memory of 2116	2844	bedgeaabeb.exe	32
PID 2844 wrote to memory of 2116	2844	bedgeaabeb.exe	32
PID 2844 wrote to memory of 2576	2844	bedgeaabeb.exe	34
PID 2844 wrote to memory of 2576	2844	bedgeaabeb.exe	34
PID 2844 wrote to memory of 2576	2844	bedgeaabeb.exe	34
PID 2844 wrote to memory of 2576	2844	bedgeaabeb.exe	34
PID 2844 wrote to memory of 2700	2844	bedgeaabeb.exe	36
PID 2844 wrote to memory of 2700	2844	bedgeaabeb.exe	36
PID 2844 wrote to memory of 2700	2844	bedgeaabeb.exe	36
PID 2844 wrote to memory of 2700	2844	bedgeaabeb.exe	36
PID 2844 wrote to memory of 2172	2844	bedgeaabeb.exe	38
PID 2844 wrote to memory of 2172	2844	bedgeaabeb.exe	38
PID 2844 wrote to memory of 2172	2844	bedgeaabeb.exe	38
PID 2844 wrote to memory of 2172	2844	bedgeaabeb.exe	38
PID 2844 wrote to memory of 2880	2844	bedgeaabeb.exe	40
PID 2844 wrote to memory of 2880	2844	bedgeaabeb.exe	40
PID 2844 wrote to memory of 2880	2844	bedgeaabeb.exe	40
PID 2844 wrote to memory of 2880	2844	bedgeaabeb.exe	40

C:\Users\Admin\AppData\Local\Temp\98eed94b075366cbecbc4e822b83aa0d.exe
"C:\Users\Admin\AppData\Local\Temp\98eed94b075366cbecbc4e822b83aa0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\bedgeaabeb.exe
  C:\Users\Admin\AppData\Local\Temp\bedgeaabeb.exe 4\5\2\3\6\5\5\9\6\1\2 K0tHQTcuKyksHy1PUEBNQz84JxouTEFPVUxMRkQ7Ny8eKz9HUE5EPzQsLzA1Mh4sPUQ/NCofLUxNTUFPPk9WQ0M7LTE3MRoqTjxMVUNOWlNPRjhja25vOCsqcW9wKT88TUorUEpOKjtLSyVDTURLGy1ARkQ+QkNDO3NLTDEqKzRJS1BUSz03RUYrSUNPNUw/Lx4sPiw4JCsfLUAtOyorGyo7LTwrLRstQS44KCgaLkIxOCsuGipLSUlDUz9PXU1MRFE4PVg7HCpOT0k/UDpOXkNRRz86GipLSUlDUz9PXUs7SEA0Gi5DVEBdUkxHOBcpRFZBWkFKPkdERT88HitDTVBOWj1JSVZRQU07LRoqTz87TUlVSlNcT01HNBouVEk4MB0pP04oNx8tTlBMUUNIQFZRREo/SktCQ0g8Pj9UUEg4HixDTlpJT01SRUhDOm5tcFwaLlBBT1NPSERJPllUUUFNXUE7VE40LB8tRERCQlI4LBcpSFFbP1dLO0hEOllETD9NV01OQD80YGBqb2AeLD5KUkVGTj9AWkdNNzQwJSw2LC0pLzIqGypHO1E/SEdDSVlESUpOQEpIOHJvb2AbJk5IS0E4LzEtMS8nLzc2LhstQUlSSUNJQEJbT0dKPzgyJjMuMCwsMycrNS4vNC8wJjxL
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707812440.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707812440.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707812440.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707812440.txt bios get version
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81707812440.txt bios get version
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81707812440.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd49FC.tmp\dbnlsav.dll

Filesize
166KB

MD5
5e67e30a2af79344cfa992d4cf4637f6

SHA1
4c73d4c38386f954f29b1be938f39429ca2365a8

SHA256
782282379bac3424c8f26c3c1375e82886573e90bd66ddca536ccd460aeee152

SHA512
184cb9520c44a23601773544c64548673716399f3d6b035b8c8aa53edcc2d632c5346f1e0a69dfb03ee89d6db4870841e32453e7228cce536748466085b829ea

Download Submit
\Users\Admin\AppData\Local\Temp\bedgeaabeb.exe

Filesize
1.1MB

MD5
47821f42b07356ed9581793476a8ea96

SHA1
5085cc4947a4462bc5238bcc4a2bf86bbaf0a7ca

SHA256
06336d68efc4c4879b066959da0e6f39bc8ba63517e5f1ca81f8e23f7a62304b

SHA512
9809d8479f4461346ec858e8c370efecb1eca08346eee8420a82aa0d3d4757bb9c6d6e88e4b8300773063ff8e888c0142612696cbcf10aa568bc1ef3cde2c4a1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd49FC.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit