5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4

Analysis

max time kernel
132s
max time network
136s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
Size

6.6MB
MD5

0909225de438e0b387a0b184e6fcc852
SHA1

1befc5ea0bd95ded2a66c13ceb80a440c69fa039
SHA256

5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4
SHA512

b8bc019e408250d2a3dc8142c93bfc63f17f914ec5feda55b9079c81ef17023667462d140c40903db73abbe4be4e1d43cfa9659caf9da350f8bf85807571b0f3

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	2600	WerFault.exe	88

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe
Token: SeUndockPrivilege	1112	WMIC.exe
Token: SeManageVolumePrivilege	1112	WMIC.exe
Token: 33	1112	WMIC.exe
Token: 34	1112	WMIC.exe
Token: 35	1112	WMIC.exe
Token: 36	1112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe
Token: SeUndockPrivilege	1112	WMIC.exe
Token: SeManageVolumePrivilege	1112	WMIC.exe
Token: 33	1112	WMIC.exe
Token: 34	1112	WMIC.exe
Token: 35	1112	WMIC.exe
Token: 36	1112	WMIC.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	3052	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1780	3996	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	75
PID 3996 wrote to memory of 1780	3996	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	75
PID 3996 wrote to memory of 1780	3996	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	75
PID 1780 wrote to memory of 3980	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	77
PID 1780 wrote to memory of 3980	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	77
PID 1780 wrote to memory of 3980	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	77
PID 3980 wrote to memory of 1112	3980	cmd.exe	78
PID 3980 wrote to memory of 1112	3980	cmd.exe	78
PID 3980 wrote to memory of 1112	3980	cmd.exe	78
PID 1780 wrote to memory of 1784	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	81
PID 1780 wrote to memory of 1784	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	81
PID 1780 wrote to memory of 1784	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	81
PID 1784 wrote to memory of 1928	1784	cmd.exe	82
PID 1784 wrote to memory of 1928	1784	cmd.exe	82
PID 1784 wrote to memory of 1928	1784	cmd.exe	82
PID 1928 wrote to memory of 2032	1928	net.exe	83
PID 1928 wrote to memory of 2032	1928	net.exe	83
PID 1928 wrote to memory of 2032	1928	net.exe	83
PID 1780 wrote to memory of 2716	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	84
PID 1780 wrote to memory of 2716	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	84
PID 1780 wrote to memory of 2716	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	84
PID 2716 wrote to memory of 2736	2716	cmd.exe	85
PID 2716 wrote to memory of 2736	2716	cmd.exe	85
PID 2716 wrote to memory of 2736	2716	cmd.exe	85
PID 2736 wrote to memory of 3396	2736	net.exe	86
PID 2736 wrote to memory of 3396	2736	net.exe	86
PID 2736 wrote to memory of 3396	2736	net.exe	86
PID 1780 wrote to memory of 2600	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	88
PID 1780 wrote to memory of 2600	1780	5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe	88

C:\Users\Admin\AppData\Local\Temp\5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
"C:\Users\Admin\AppData\Local\Temp\5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe
  "C:\Users\Admin\AppData\Local\Temp\5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:3396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2600 -s 1956
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-19-0x0000000002CD1000-0x0000000002D43000-memory.dmp

Filesize
456KB

Download
memory/1780-29-0x00000000033D1000-0x0000000003426000-memory.dmp

Filesize
340KB

Download
memory/1780-15-0x0000000002B41000-0x0000000002B46000-memory.dmp

Filesize
20KB

Download
memory/2600-68-0x0000028A4C440000-0x0000028A4C441000-memory.dmp

Filesize
4KB

Download
memory/2600-64-0x00007FFC34760000-0x00007FFC3514C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-65-0x0000028A4A280000-0x0000028A4A281000-memory.dmp

Filesize
4KB

Download
memory/2600-66-0x0000028A4A2E0000-0x0000028A4A2E2000-memory.dmp

Filesize
8KB

Download
memory/2600-67-0x0000028A4A2E3000-0x0000028A4A2E5000-memory.dmp

Filesize
8KB

Download
memory/2600-70-0x0000028A4A2E6000-0x0000028A4A2E8000-memory.dmp

Filesize
8KB

Download
memory/3052-71-0x0000022D690D0000-0x0000022D690D1000-memory.dmp

Filesize
4KB

Download