15806331386f446a7507203bd9e00e7d74ae339ddf6a6db249833b62a8a10c10

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb7ec9a748a73506d5a8be38c30dfea2.exe
Size

709KB
MD5

cb7ec9a748a73506d5a8be38c30dfea2
SHA1

481aac7a4f4d58726b07ba9de1c80ceae5337ff4
SHA256

15806331386f446a7507203bd9e00e7d74ae339ddf6a6db249833b62a8a10c10
SHA512

f026e35eeb059499a3571486e857404d340e65ff832518f957857ea3170066bfaa22bf8a63b1e8475f8d60e029c81ff7bd720f231b5c01634b2e2d12d0019524
SSDEEP

12288:0WTX0pTYSMtR7ZSiJf1McX/lQN2Xh1Agt4SiMzkuUAjAD7qmEDNWvAmfc8vy4hqE:0WTEpTYxthZSIf+cX/lQN2CSZzXJEDCw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2492	bedgcbgfeb.exe

Loads dropped DLL 11 IoCs

pid	Process
2176	cb7ec9a748a73506d5a8be38c30dfea2.exe
2176	cb7ec9a748a73506d5a8be38c30dfea2.exe
2176	cb7ec9a748a73506d5a8be38c30dfea2.exe
2176	cb7ec9a748a73506d5a8be38c30dfea2.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2492	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe
Token: SeRestorePrivilege	2716	wmic.exe
Token: SeShutdownPrivilege	2716	wmic.exe
Token: SeDebugPrivilege	2716	wmic.exe
Token: SeSystemEnvironmentPrivilege	2716	wmic.exe
Token: SeRemoteShutdownPrivilege	2716	wmic.exe
Token: SeUndockPrivilege	2716	wmic.exe
Token: SeManageVolumePrivilege	2716	wmic.exe
Token: 33	2716	wmic.exe
Token: 34	2716	wmic.exe
Token: 35	2716	wmic.exe
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe
Token: SeRestorePrivilege	2716	wmic.exe
Token: SeShutdownPrivilege	2716	wmic.exe
Token: SeDebugPrivilege	2716	wmic.exe
Token: SeSystemEnvironmentPrivilege	2716	wmic.exe
Token: SeRemoteShutdownPrivilege	2716	wmic.exe
Token: SeUndockPrivilege	2716	wmic.exe
Token: SeManageVolumePrivilege	2716	wmic.exe
Token: 33	2716	wmic.exe
Token: 34	2716	wmic.exe
Token: 35	2716	wmic.exe
Token: SeIncreaseQuotaPrivilege	2320	wmic.exe
Token: SeSecurityPrivilege	2320	wmic.exe
Token: SeTakeOwnershipPrivilege	2320	wmic.exe
Token: SeLoadDriverPrivilege	2320	wmic.exe
Token: SeSystemProfilePrivilege	2320	wmic.exe
Token: SeSystemtimePrivilege	2320	wmic.exe
Token: SeProfSingleProcessPrivilege	2320	wmic.exe
Token: SeIncBasePriorityPrivilege	2320	wmic.exe
Token: SeCreatePagefilePrivilege	2320	wmic.exe
Token: SeBackupPrivilege	2320	wmic.exe
Token: SeRestorePrivilege	2320	wmic.exe
Token: SeShutdownPrivilege	2320	wmic.exe
Token: SeDebugPrivilege	2320	wmic.exe
Token: SeSystemEnvironmentPrivilege	2320	wmic.exe
Token: SeRemoteShutdownPrivilege	2320	wmic.exe
Token: SeUndockPrivilege	2320	wmic.exe
Token: SeManageVolumePrivilege	2320	wmic.exe
Token: 33	2320	wmic.exe
Token: 34	2320	wmic.exe
Token: 35	2320	wmic.exe
Token: SeIncreaseQuotaPrivilege	2388	wmic.exe
Token: SeSecurityPrivilege	2388	wmic.exe
Token: SeTakeOwnershipPrivilege	2388	wmic.exe
Token: SeLoadDriverPrivilege	2388	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2492	2176	cb7ec9a748a73506d5a8be38c30dfea2.exe	28
PID 2176 wrote to memory of 2492	2176	cb7ec9a748a73506d5a8be38c30dfea2.exe	28
PID 2176 wrote to memory of 2492	2176	cb7ec9a748a73506d5a8be38c30dfea2.exe	28
PID 2176 wrote to memory of 2492	2176	cb7ec9a748a73506d5a8be38c30dfea2.exe	28
PID 2492 wrote to memory of 2716	2492	bedgcbgfeb.exe	29
PID 2492 wrote to memory of 2716	2492	bedgcbgfeb.exe	29
PID 2492 wrote to memory of 2716	2492	bedgcbgfeb.exe	29
PID 2492 wrote to memory of 2716	2492	bedgcbgfeb.exe	29
PID 2492 wrote to memory of 2320	2492	bedgcbgfeb.exe	32
PID 2492 wrote to memory of 2320	2492	bedgcbgfeb.exe	32
PID 2492 wrote to memory of 2320	2492	bedgcbgfeb.exe	32
PID 2492 wrote to memory of 2320	2492	bedgcbgfeb.exe	32
PID 2492 wrote to memory of 2388	2492	bedgcbgfeb.exe	34
PID 2492 wrote to memory of 2388	2492	bedgcbgfeb.exe	34
PID 2492 wrote to memory of 2388	2492	bedgcbgfeb.exe	34
PID 2492 wrote to memory of 2388	2492	bedgcbgfeb.exe	34
PID 2492 wrote to memory of 2508	2492	bedgcbgfeb.exe	36
PID 2492 wrote to memory of 2508	2492	bedgcbgfeb.exe	36
PID 2492 wrote to memory of 2508	2492	bedgcbgfeb.exe	36
PID 2492 wrote to memory of 2508	2492	bedgcbgfeb.exe	36
PID 2492 wrote to memory of 2956	2492	bedgcbgfeb.exe	38
PID 2492 wrote to memory of 2956	2492	bedgcbgfeb.exe	38
PID 2492 wrote to memory of 2956	2492	bedgcbgfeb.exe	38
PID 2492 wrote to memory of 2956	2492	bedgcbgfeb.exe	38
PID 2492 wrote to memory of 2620	2492	bedgcbgfeb.exe	40
PID 2492 wrote to memory of 2620	2492	bedgcbgfeb.exe	40
PID 2492 wrote to memory of 2620	2492	bedgcbgfeb.exe	40
PID 2492 wrote to memory of 2620	2492	bedgcbgfeb.exe	40

C:\Users\Admin\AppData\Local\Temp\cb7ec9a748a73506d5a8be38c30dfea2.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ec9a748a73506d5a8be38c30dfea2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe
  C:\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe 3!0!3!1!5!7!1!6!2!6!5 LFBGQzgwMiowGipQVT9PRD08Kh4pSUJUVE5NREg+OyobLERGUk9CQzcvKzIuMx0uPkJDNy4aKk1STENQPFNZRz44LjY2MxsoUj9QUEBPX1JRRzZnbnJqNSwvcHFxJ0M/UUUoUU9NLDxJTyhHSEFMICxCR0JCRUc+OFRnVlAzKlU/di0vUnp0STNaTC9FLkpSRGdMQywscDBxaERZb2dHQkVTZk1LdWdJVGoyTFNEYGtJTkltUTwxXEEnZz9aRzVvUDVHZnMubjRUSj08SlRRUi50aFRYUUcycXVUPFxqSWIrXlRnVGVMbGVKZTIwOFM/VGI2YkF5TE1jTFReT1BmZHZDUlZCa09zTjFKaWNlamszY1VjN0FTaTtlL008GyxELjwxLTEqHik/Lz0qMBsoQy07JywdL0EzOCYwGi0+MDotLh8qSVFJQk8+UV9NUURPQD1XNxssUE9OP05CTl0/UElBOh8qSVFJQk8+UV9LQEg+PBotP1NCX1JRRzYfKUNSQFxDSkNHQk0/OxoqRU9QU1o7UUlVTUBPPS0fKk1HO0xFVExVXFRNRTwaLVBIOjIdLj9MMDceKU1STlFISD5eUUNGPkxNQkhIOkY/U0xHOiAsSE5YUU9MTkRKRTpzbW5kGi1MQFFVT01ER0ZZU01AT19BQFRMPCweKUNGREJXOCofKUdNWkFZS0BIQkJZQ0g+T1lNU0A9PGBfZm5iICxDSlBNRk07P1xJTTwsKTYoLzEzKzE2NCkqNCweKUs+Uj5LRz5LWUdITlFBSUs4X2BmcV8bLFRGTEA2MC4xMC0vNTI2LRkuPk1RSUlPPkNaTUhHQzcyLDYsMSsqNCQvKzUwMjc0LSNPRw==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710508286.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710508286.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710508286.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710508286.txt bios get version
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81710508286.txt bios get version
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81710508286.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe

Filesize
1.1MB

MD5
c131a8eb9b1b0805634f791cd27a690a

SHA1
4ae9dc37a5e8d4b8ee90a3f0fe1e1d5cb961d01c

SHA256
35c9ff8e29df959389e0b2d4317fde5142d5e6c471001173902e0289f5d5ee32

SHA512
701e9a13076e23d2ec17ea0ce82854013ce56327812dc7882cb05d93e4d6abd002c1d1e67b4f0133d3dd3a844be5e39112a0163d9f36d540603401a5d783835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\czifqiz.dll

Filesize
161KB

MD5
fe65cdd18d4c567b6a3c12214c55f4e7

SHA1
5312c385a6267b17ae7c314e1fd8863ed94a6744

SHA256
e189e3ef2008c32f528f2d6a7c463f6e8de238ad0e550dadde580515f5a56063

SHA512
bc826255605c6ec151b36222e5b2c0e1bd06e224e9342e984050f8681cb1ab624f58d86acee424195c1a369e912234eeec2bc9ad4bf04ce815dc4e973023dd76

Download Submit
\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe

Filesize
704KB

MD5
7b953bc79c0a756deec2f65e81d4ce7c

SHA1
c1eecd344844dc710430bc969c52e065e108f3fc

SHA256
f6b68d05e620795b6f0adfd1d13ecbe9b87bfe71924dced3e49ea4ed843f6140

SHA512
f342e395c9c18ccaf7d5685a90ba931602cd625c36c998ffd281c888f2429026bc588d6410f56138c758222b7e99c5b39e770a9065067a7ddb52cf89d67bbeaa

Download Submit
\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe

Filesize
640KB

MD5
abe485707f689a9c5d7804c4c0bfdf74

SHA1
fccb953fa5304e73f4be20e6c7b73f7e23606473

SHA256
0905d38a39b3c5a564920c26f73baa41c2639a989e3224cec21605b5dfb70060

SHA512
60c26b4cdc396248f7aa17d6a52c0077b00f74229855597a43e0a82bea40282757ef535e8838ac92f813d8979664b41ed8aab0ef608e7a6ddcc89bb3f316016b

Download Submit
\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe

Filesize
576KB

MD5
f0082205b8dbddb0ff3f81fd704d3ae2

SHA1
bd79af3aa8bdd6efff8760a433978f407ab5a7cc

SHA256
d5c672285f04ceff5d0b84c0cecc0bed4e8ff6349d97e8787a5188ef9e91166a

SHA512
85b7b198f3a056c81a73251efbb0d9978c99f297d97f5dec53336b3e3f01896775d5089bcfe21d65d246c41fefe1b21963543cab37e4aae3dee46c7de0935ff4

Download Submit
\Users\Admin\AppData\Local\Temp\bedgcbgfeb.exe

Filesize
512KB

MD5
480502a5ba00011172fa940f645c03d2

SHA1
101fbec30daf1609d3aaec375c36ada0c48c875b

SHA256
f80f0dae918fb0b1b0461f89511f53e23c6c0423255a68e3a1ad2e0654b2bb4c

SHA512
45aeb031d6b1e42206bf5d88692a00af08b09d6a618c48314ef3d0c25fe2fcfc6e21a154597207b988e8bcd3fda033c3b2024965567a22d036f98d31f15f42e7

Download Submit
\Users\Admin\AppData\Local\Temp\nst2B94.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit