28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951

Analysis

max time kernel
143s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
Size

6.6MB
MD5

611b27f49da01bbd6b68be24774924ec
SHA1

1e30a84b6e107f87750c996f3353e9d13ae27c62
SHA256

28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951
SHA512

ddb08d2b4f0ba7394469321cad4a4f11fd530e17346850808c780812af6494ecac0ecc1522d771230f27573e01c2b35009926f8c4e201ad51d03c7e783dde11f

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
212	2592	WerFault.exe	90

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: 36	2696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: 36	2696	WMIC.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	212	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 3084	1108	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	74
PID 1108 wrote to memory of 3084	1108	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	74
PID 1108 wrote to memory of 3084	1108	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	74
PID 3084 wrote to memory of 3520	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	78
PID 3084 wrote to memory of 3520	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	78
PID 3084 wrote to memory of 3520	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	78
PID 3520 wrote to memory of 2696	3520	cmd.exe	79
PID 3520 wrote to memory of 2696	3520	cmd.exe	79
PID 3520 wrote to memory of 2696	3520	cmd.exe	79
PID 3084 wrote to memory of 3220	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	83
PID 3084 wrote to memory of 3220	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	83
PID 3084 wrote to memory of 3220	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	83
PID 3220 wrote to memory of 3208	3220	cmd.exe	84
PID 3220 wrote to memory of 3208	3220	cmd.exe	84
PID 3220 wrote to memory of 3208	3220	cmd.exe	84
PID 3208 wrote to memory of 2760	3208	net.exe	85
PID 3208 wrote to memory of 2760	3208	net.exe	85
PID 3208 wrote to memory of 2760	3208	net.exe	85
PID 3084 wrote to memory of 612	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	86
PID 3084 wrote to memory of 612	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	86
PID 3084 wrote to memory of 612	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	86
PID 612 wrote to memory of 1032	612	cmd.exe	87
PID 612 wrote to memory of 1032	612	cmd.exe	87
PID 612 wrote to memory of 1032	612	cmd.exe	87
PID 1032 wrote to memory of 2524	1032	net.exe	88
PID 1032 wrote to memory of 2524	1032	net.exe	88
PID 1032 wrote to memory of 2524	1032	net.exe	88
PID 3084 wrote to memory of 2592	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	90
PID 3084 wrote to memory of 2592	3084	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	90

C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
"C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
  "C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2592 -s 1984
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-72-0x000002A0023D0000-0x000002A0023D1000-memory.dmp

Filesize
4KB

Download
memory/2592-71-0x000001851D216000-0x000001851D218000-memory.dmp

Filesize
8KB

Download
memory/2592-69-0x000001851FE10000-0x000001851FE11000-memory.dmp

Filesize
4KB

Download
memory/2592-68-0x000001851D213000-0x000001851D215000-memory.dmp

Filesize
8KB

Download
memory/2592-67-0x000001851D210000-0x000001851D212000-memory.dmp

Filesize
8KB

Download
memory/2592-65-0x00007FFC486E0000-0x00007FFC490CC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-66-0x000001851D1C0000-0x000001851D1C1000-memory.dmp

Filesize
4KB

Download
memory/3084-15-0x0000000000D01000-0x0000000000D06000-memory.dmp

Filesize
20KB

Download
memory/3084-30-0x0000000002EC1000-0x0000000002F16000-memory.dmp

Filesize
340KB

Download