2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436

Analysis

max time kernel
31s
max time network
113s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
Size

7.8MB
MD5

21ff567a59d78b24c3fcaaba01b6a157
SHA1

8dd675c4a6970d227579b5c1ccc748fd1b03de4c
SHA256

2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436
SHA512

bf8e7efa3b048352f2b9c1551e5a7875735af8f5596322d93b886bd359ae8b40f38844095ea58b9b0afd086e0f47f111c928f738309eea9d15e8f1ae58333ca4

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2836	1620	WerFault.exe	88

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe
Token: 36	1864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe
Token: 36	1864	WMIC.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2836	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2312	3248	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	74
PID 3248 wrote to memory of 2312	3248	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	74
PID 3248 wrote to memory of 2312	3248	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	74
PID 2312 wrote to memory of 1404	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	77
PID 2312 wrote to memory of 1404	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	77
PID 2312 wrote to memory of 1404	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	77
PID 1404 wrote to memory of 1864	1404	cmd.exe	78
PID 1404 wrote to memory of 1864	1404	cmd.exe	78
PID 1404 wrote to memory of 1864	1404	cmd.exe	78
PID 2312 wrote to memory of 2300	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	81
PID 2312 wrote to memory of 2300	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	81
PID 2312 wrote to memory of 2300	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	81
PID 2300 wrote to memory of 3912	2300	cmd.exe	82
PID 2300 wrote to memory of 3912	2300	cmd.exe	82
PID 2300 wrote to memory of 3912	2300	cmd.exe	82
PID 3912 wrote to memory of 636	3912	net.exe	83
PID 3912 wrote to memory of 636	3912	net.exe	83
PID 3912 wrote to memory of 636	3912	net.exe	83
PID 2312 wrote to memory of 1588	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	84
PID 2312 wrote to memory of 1588	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	84
PID 2312 wrote to memory of 1588	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	84
PID 1588 wrote to memory of 2900	1588	cmd.exe	85
PID 1588 wrote to memory of 2900	1588	cmd.exe	85
PID 1588 wrote to memory of 2900	1588	cmd.exe	85
PID 2900 wrote to memory of 3856	2900	net.exe	86
PID 2900 wrote to memory of 3856	2900	net.exe	86
PID 2900 wrote to memory of 3856	2900	net.exe	86
PID 2312 wrote to memory of 1620	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	88
PID 2312 wrote to memory of 1620	2312	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	88

C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
"C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
  "C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:3856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1620 -s 1932
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-67-0x000001FDF36B0000-0x000001FDF36B2000-memory.dmp

Filesize
8KB

Download
memory/1620-66-0x000001FDDB400000-0x000001FDDB401000-memory.dmp

Filesize
4KB

Download
memory/1620-71-0x000001FDF36B6000-0x000001FDF36B8000-memory.dmp

Filesize
8KB

Download
memory/1620-69-0x000001FDF5B00000-0x000001FDF5B01000-memory.dmp

Filesize
4KB

Download
memory/1620-68-0x000001FDF36B3000-0x000001FDF36B5000-memory.dmp

Filesize
8KB

Download
memory/1620-65-0x00007FF8207C0000-0x00007FF8211AC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-15-0x00000000007D1000-0x00000000007D6000-memory.dmp

Filesize
20KB

Download
memory/2312-19-0x0000000002B31000-0x0000000002BA3000-memory.dmp

Filesize
456KB

Download
memory/2836-73-0x000001D8EE1E0000-0x000001D8EE1E1000-memory.dmp

Filesize
4KB

Download
memory/2836-72-0x000001D8EE1E0000-0x000001D8EE1E1000-memory.dmp

Filesize
4KB

Download