bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25

Analysis

max time kernel
18s
max time network
106s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
Size

6.6MB
MD5

399f290d4092909f40188d037c75001e
SHA1

f2db04769b8227882aaca73a1f49e1afc3b0b14f
SHA256

bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25
SHA512

a8c7e0d4eb15f60b6bc749d3dcf6b4bddb2abf932d039786e006dd66f1199ca3a32a16fa933bc195015da84f98f6a716cedd89b41932eee68a548a0e29acead0

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3808	492	WerFault.exe	89

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
492	powershell.exe
492	powershell.exe
492	powershell.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe
3808	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe
Token: SeSecurityPrivilege	904	WMIC.exe
Token: SeTakeOwnershipPrivilege	904	WMIC.exe
Token: SeLoadDriverPrivilege	904	WMIC.exe
Token: SeSystemProfilePrivilege	904	WMIC.exe
Token: SeSystemtimePrivilege	904	WMIC.exe
Token: SeProfSingleProcessPrivilege	904	WMIC.exe
Token: SeIncBasePriorityPrivilege	904	WMIC.exe
Token: SeCreatePagefilePrivilege	904	WMIC.exe
Token: SeBackupPrivilege	904	WMIC.exe
Token: SeRestorePrivilege	904	WMIC.exe
Token: SeShutdownPrivilege	904	WMIC.exe
Token: SeDebugPrivilege	904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	904	WMIC.exe
Token: SeRemoteShutdownPrivilege	904	WMIC.exe
Token: SeUndockPrivilege	904	WMIC.exe
Token: SeManageVolumePrivilege	904	WMIC.exe
Token: 33	904	WMIC.exe
Token: 34	904	WMIC.exe
Token: 35	904	WMIC.exe
Token: 36	904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe
Token: SeSecurityPrivilege	904	WMIC.exe
Token: SeTakeOwnershipPrivilege	904	WMIC.exe
Token: SeLoadDriverPrivilege	904	WMIC.exe
Token: SeSystemProfilePrivilege	904	WMIC.exe
Token: SeSystemtimePrivilege	904	WMIC.exe
Token: SeProfSingleProcessPrivilege	904	WMIC.exe
Token: SeIncBasePriorityPrivilege	904	WMIC.exe
Token: SeCreatePagefilePrivilege	904	WMIC.exe
Token: SeBackupPrivilege	904	WMIC.exe
Token: SeRestorePrivilege	904	WMIC.exe
Token: SeShutdownPrivilege	904	WMIC.exe
Token: SeDebugPrivilege	904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	904	WMIC.exe
Token: SeRemoteShutdownPrivilege	904	WMIC.exe
Token: SeUndockPrivilege	904	WMIC.exe
Token: SeManageVolumePrivilege	904	WMIC.exe
Token: 33	904	WMIC.exe
Token: 34	904	WMIC.exe
Token: 35	904	WMIC.exe
Token: 36	904	WMIC.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	3808	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3552	1176	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	75
PID 1176 wrote to memory of 3552	1176	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	75
PID 1176 wrote to memory of 3552	1176	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	75
PID 3552 wrote to memory of 908	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	78
PID 3552 wrote to memory of 908	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	78
PID 3552 wrote to memory of 908	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	78
PID 908 wrote to memory of 904	908	cmd.exe	79
PID 908 wrote to memory of 904	908	cmd.exe	79
PID 908 wrote to memory of 904	908	cmd.exe	79
PID 3552 wrote to memory of 2308	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	80
PID 3552 wrote to memory of 2308	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	80
PID 3552 wrote to memory of 2308	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	80
PID 2308 wrote to memory of 4020	2308	cmd.exe	81
PID 2308 wrote to memory of 4020	2308	cmd.exe	81
PID 2308 wrote to memory of 4020	2308	cmd.exe	81
PID 4020 wrote to memory of 3708	4020	net.exe	82
PID 4020 wrote to memory of 3708	4020	net.exe	82
PID 4020 wrote to memory of 3708	4020	net.exe	82
PID 3552 wrote to memory of 3800	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	83
PID 3552 wrote to memory of 3800	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	83
PID 3552 wrote to memory of 3800	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	83
PID 3800 wrote to memory of 2372	3800	cmd.exe	84
PID 3800 wrote to memory of 2372	3800	cmd.exe	84
PID 3800 wrote to memory of 2372	3800	cmd.exe	84
PID 2372 wrote to memory of 684	2372	net.exe	85
PID 2372 wrote to memory of 684	2372	net.exe	85
PID 2372 wrote to memory of 684	2372	net.exe	85
PID 3552 wrote to memory of 492	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	89
PID 3552 wrote to memory of 492	3552	bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe	89

C:\Users\Admin\AppData\Local\Temp\bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
"C:\Users\Admin\AppData\Local\Temp\bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe
  "C:\Users\Admin\AppData\Local\Temp\bda942e7765c6aaca064d28e3ebab5a7c22be23469b4c4a8b07f907229b7ff25.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:492
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 492 -s 1940
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/492-65-0x00007FFE1FC20000-0x00007FFE2060C000-memory.dmp

Filesize
9.9MB

Download
memory/492-71-0x000001EC25DC6000-0x000001EC25DC8000-memory.dmp

Filesize
8KB

Download
memory/492-69-0x000001EC28AA0000-0x000001EC28AA1000-memory.dmp

Filesize
4KB

Download
memory/492-68-0x000001EC288F0000-0x000001EC288F1000-memory.dmp

Filesize
4KB

Download
memory/492-67-0x000001EC25DC3000-0x000001EC25DC5000-memory.dmp

Filesize
8KB

Download
memory/492-66-0x000001EC25DC0000-0x000001EC25DC2000-memory.dmp

Filesize
8KB

Download
memory/3552-19-0x00000000034F1000-0x0000000003563000-memory.dmp

Filesize
456KB

Download
memory/3552-15-0x0000000001491000-0x0000000001496000-memory.dmp

Filesize
20KB

Download
memory/3808-72-0x000001484D700000-0x000001484D701000-memory.dmp

Filesize
4KB

Download