e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d

Analysis

max time kernel
18s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
Size

6.6MB
MD5

5a59ce4c687a7f855f1079dc98f71170
SHA1

3198daca631983b3301c3ce88961ee7bbcafc222
SHA256

e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d
SHA512

bddc8f9143a060be9517dfe8cf863c37f0ad05900a1a4daef5ee86473701f56997f34949aeb003533ad823f892afd4f0cfeef4f8dfdc3de31a0d9d0ffab09e25

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1752	808	WerFault.exe	88

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
808	powershell.exe
808	powershell.exe
808	powershell.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1752	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 5104	4720	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	75
PID 4720 wrote to memory of 5104	4720	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	75
PID 4720 wrote to memory of 5104	4720	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	75
PID 5104 wrote to memory of 3084	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	77
PID 5104 wrote to memory of 3084	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	77
PID 5104 wrote to memory of 3084	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	77
PID 3084 wrote to memory of 4376	3084	cmd.exe	78
PID 3084 wrote to memory of 4376	3084	cmd.exe	78
PID 3084 wrote to memory of 4376	3084	cmd.exe	78
PID 5104 wrote to memory of 1004	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	79
PID 5104 wrote to memory of 1004	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	79
PID 5104 wrote to memory of 1004	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	79
PID 1004 wrote to memory of 3052	1004	cmd.exe	80
PID 1004 wrote to memory of 3052	1004	cmd.exe	80
PID 1004 wrote to memory of 3052	1004	cmd.exe	80
PID 3052 wrote to memory of 4444	3052	net.exe	81
PID 3052 wrote to memory of 4444	3052	net.exe	81
PID 3052 wrote to memory of 4444	3052	net.exe	81
PID 5104 wrote to memory of 4428	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	82
PID 5104 wrote to memory of 4428	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	82
PID 5104 wrote to memory of 4428	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	82
PID 4428 wrote to memory of 4404	4428	cmd.exe	83
PID 4428 wrote to memory of 4404	4428	cmd.exe	83
PID 4428 wrote to memory of 4404	4428	cmd.exe	83
PID 4404 wrote to memory of 4460	4404	net.exe	84
PID 4404 wrote to memory of 4460	4404	net.exe	84
PID 4404 wrote to memory of 4460	4404	net.exe	84
PID 5104 wrote to memory of 808	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	88
PID 5104 wrote to memory of 808	5104	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	88

C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
"C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
  "C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:808
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 808 -s 1932
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-71-0x000001B6FA536000-0x000001B6FA538000-memory.dmp

Filesize
8KB

Download
memory/808-69-0x000001B6FA533000-0x000001B6FA535000-memory.dmp

Filesize
8KB

Download
memory/808-66-0x000001B6FC770000-0x000001B6FC771000-memory.dmp

Filesize
4KB

Download
memory/808-65-0x00007FF862DF0000-0x00007FF8637DC000-memory.dmp

Filesize
9.9MB

Download
memory/808-68-0x000001B6FA530000-0x000001B6FA532000-memory.dmp

Filesize
8KB

Download
memory/808-67-0x000001B6FCC90000-0x000001B6FCC91000-memory.dmp

Filesize
4KB

Download
memory/1752-72-0x000002962A6F0000-0x000002962A6F1000-memory.dmp

Filesize
4KB

Download
memory/1752-73-0x000002962A6F0000-0x000002962A6F1000-memory.dmp

Filesize
4KB

Download
memory/5104-19-0x0000000003071000-0x00000000030E3000-memory.dmp

Filesize
456KB

Download
memory/5104-15-0x00000000029B1000-0x00000000029B6000-memory.dmp

Filesize
20KB

Download