bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da

Analysis

max time kernel
49s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
Size

6.6MB
MD5

433f2dd33ad43581ccd248d2fc65d9ab
SHA1

e59089829cdc087eda6a879bcdf613ae57602c6a
SHA256

bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da
SHA512

e2d64fb81951ca011ea0d299756ba87d201725a4895465c63ff1eca320de2b7dbf52877c19e8189f7efdab34072ae1f30e3dd9174e6e2c9b98b7625cb04c4b56

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	3856	WerFault.exe	89

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	692	WMIC.exe
Token: SeSecurityPrivilege	692	WMIC.exe
Token: SeTakeOwnershipPrivilege	692	WMIC.exe
Token: SeLoadDriverPrivilege	692	WMIC.exe
Token: SeSystemProfilePrivilege	692	WMIC.exe
Token: SeSystemtimePrivilege	692	WMIC.exe
Token: SeProfSingleProcessPrivilege	692	WMIC.exe
Token: SeIncBasePriorityPrivilege	692	WMIC.exe
Token: SeCreatePagefilePrivilege	692	WMIC.exe
Token: SeBackupPrivilege	692	WMIC.exe
Token: SeRestorePrivilege	692	WMIC.exe
Token: SeShutdownPrivilege	692	WMIC.exe
Token: SeDebugPrivilege	692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	692	WMIC.exe
Token: SeRemoteShutdownPrivilege	692	WMIC.exe
Token: SeUndockPrivilege	692	WMIC.exe
Token: SeManageVolumePrivilege	692	WMIC.exe
Token: 33	692	WMIC.exe
Token: 34	692	WMIC.exe
Token: 35	692	WMIC.exe
Token: 36	692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	692	WMIC.exe
Token: SeSecurityPrivilege	692	WMIC.exe
Token: SeTakeOwnershipPrivilege	692	WMIC.exe
Token: SeLoadDriverPrivilege	692	WMIC.exe
Token: SeSystemProfilePrivilege	692	WMIC.exe
Token: SeSystemtimePrivilege	692	WMIC.exe
Token: SeProfSingleProcessPrivilege	692	WMIC.exe
Token: SeIncBasePriorityPrivilege	692	WMIC.exe
Token: SeCreatePagefilePrivilege	692	WMIC.exe
Token: SeBackupPrivilege	692	WMIC.exe
Token: SeRestorePrivilege	692	WMIC.exe
Token: SeShutdownPrivilege	692	WMIC.exe
Token: SeDebugPrivilege	692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	692	WMIC.exe
Token: SeRemoteShutdownPrivilege	692	WMIC.exe
Token: SeUndockPrivilege	692	WMIC.exe
Token: SeManageVolumePrivilege	692	WMIC.exe
Token: 33	692	WMIC.exe
Token: 34	692	WMIC.exe
Token: 35	692	WMIC.exe
Token: 36	692	WMIC.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	2152	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 1376	496	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	75
PID 496 wrote to memory of 1376	496	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	75
PID 496 wrote to memory of 1376	496	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	75
PID 1376 wrote to memory of 3736	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	77
PID 1376 wrote to memory of 3736	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	77
PID 1376 wrote to memory of 3736	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	77
PID 3736 wrote to memory of 692	3736	cmd.exe	78
PID 3736 wrote to memory of 692	3736	cmd.exe	78
PID 3736 wrote to memory of 692	3736	cmd.exe	78
PID 1376 wrote to memory of 1080	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	82
PID 1376 wrote to memory of 1080	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	82
PID 1376 wrote to memory of 1080	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	82
PID 1080 wrote to memory of 1192	1080	cmd.exe	83
PID 1080 wrote to memory of 1192	1080	cmd.exe	83
PID 1080 wrote to memory of 1192	1080	cmd.exe	83
PID 1192 wrote to memory of 2108	1192	net.exe	84
PID 1192 wrote to memory of 2108	1192	net.exe	84
PID 1192 wrote to memory of 2108	1192	net.exe	84
PID 1376 wrote to memory of 2632	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	85
PID 1376 wrote to memory of 2632	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	85
PID 1376 wrote to memory of 2632	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	85
PID 2632 wrote to memory of 2584	2632	cmd.exe	86
PID 2632 wrote to memory of 2584	2632	cmd.exe	86
PID 2632 wrote to memory of 2584	2632	cmd.exe	86
PID 2584 wrote to memory of 3268	2584	net.exe	87
PID 2584 wrote to memory of 3268	2584	net.exe	87
PID 2584 wrote to memory of 3268	2584	net.exe	87
PID 1376 wrote to memory of 3856	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	89
PID 1376 wrote to memory of 3856	1376	bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe	89

C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
"C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
  "C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:3268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3856 -s 1936
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-19-0x00000000030E1000-0x0000000003153000-memory.dmp

Filesize
456KB

Download
memory/1376-15-0x0000000000CE1000-0x0000000000CE6000-memory.dmp

Filesize
20KB

Download
memory/2152-72-0x000002573CAB0000-0x000002573CAB1000-memory.dmp

Filesize
4KB

Download
memory/3856-67-0x000002BD80390000-0x000002BD80391000-memory.dmp

Filesize
4KB

Download
memory/3856-66-0x000002BD801E0000-0x000002BD801E1000-memory.dmp

Filesize
4KB

Download
memory/3856-69-0x000002BDE59D0000-0x000002BDE59D2000-memory.dmp

Filesize
8KB

Download
memory/3856-70-0x000002BDE59D3000-0x000002BDE59D5000-memory.dmp

Filesize
8KB

Download
memory/3856-71-0x000002BDE59D6000-0x000002BDE59D8000-memory.dmp

Filesize
8KB

Download
memory/3856-65-0x00007FF808C90000-0x00007FF80967C000-memory.dmp

Filesize
9.9MB

Download