863853bdbdb6ed3d644305d866286c1fa25255e62851f3d7bee5f3e2bcefaa98

Analysis

max time kernel
135s
max time network
138s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NFgODbNY.exe
Size

6.6MB
MD5

5f6a74e286c98bbe45a6a667026813bc
SHA1

5d17945ebbb46e1f73ce15a8a110e0e1b6c165da
SHA256

863853bdbdb6ed3d644305d866286c1fa25255e62851f3d7bee5f3e2bcefaa98
SHA512

0f1f2e000dc7f0f7fff435fba887c19a9698e7004bea64baddafd17d96e4bbe1266f6ce9a27296d220ef7a6b17fab65e787e01e6a1e2aff4ea0fa1d58f84a701

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe
1900	NFgODbNY.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3848	1848	WerFault.exe	88

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2052	WMIC.exe
Token: SeSecurityPrivilege	2052	WMIC.exe
Token: SeTakeOwnershipPrivilege	2052	WMIC.exe
Token: SeLoadDriverPrivilege	2052	WMIC.exe
Token: SeSystemProfilePrivilege	2052	WMIC.exe
Token: SeSystemtimePrivilege	2052	WMIC.exe
Token: SeProfSingleProcessPrivilege	2052	WMIC.exe
Token: SeIncBasePriorityPrivilege	2052	WMIC.exe
Token: SeCreatePagefilePrivilege	2052	WMIC.exe
Token: SeBackupPrivilege	2052	WMIC.exe
Token: SeRestorePrivilege	2052	WMIC.exe
Token: SeShutdownPrivilege	2052	WMIC.exe
Token: SeDebugPrivilege	2052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2052	WMIC.exe
Token: SeRemoteShutdownPrivilege	2052	WMIC.exe
Token: SeUndockPrivilege	2052	WMIC.exe
Token: SeManageVolumePrivilege	2052	WMIC.exe
Token: 33	2052	WMIC.exe
Token: 34	2052	WMIC.exe
Token: 35	2052	WMIC.exe
Token: 36	2052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2052	WMIC.exe
Token: SeSecurityPrivilege	2052	WMIC.exe
Token: SeTakeOwnershipPrivilege	2052	WMIC.exe
Token: SeLoadDriverPrivilege	2052	WMIC.exe
Token: SeSystemProfilePrivilege	2052	WMIC.exe
Token: SeSystemtimePrivilege	2052	WMIC.exe
Token: SeProfSingleProcessPrivilege	2052	WMIC.exe
Token: SeIncBasePriorityPrivilege	2052	WMIC.exe
Token: SeCreatePagefilePrivilege	2052	WMIC.exe
Token: SeBackupPrivilege	2052	WMIC.exe
Token: SeRestorePrivilege	2052	WMIC.exe
Token: SeShutdownPrivilege	2052	WMIC.exe
Token: SeDebugPrivilege	2052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2052	WMIC.exe
Token: SeRemoteShutdownPrivilege	2052	WMIC.exe
Token: SeUndockPrivilege	2052	WMIC.exe
Token: SeManageVolumePrivilege	2052	WMIC.exe
Token: 33	2052	WMIC.exe
Token: 34	2052	WMIC.exe
Token: 35	2052	WMIC.exe
Token: 36	2052	WMIC.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	3848	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1900	808	NFgODbNY.exe	75
PID 808 wrote to memory of 1900	808	NFgODbNY.exe	75
PID 808 wrote to memory of 1900	808	NFgODbNY.exe	75
PID 1900 wrote to memory of 2112	1900	NFgODbNY.exe	77
PID 1900 wrote to memory of 2112	1900	NFgODbNY.exe	77
PID 1900 wrote to memory of 2112	1900	NFgODbNY.exe	77
PID 2112 wrote to memory of 2052	2112	cmd.exe	78
PID 2112 wrote to memory of 2052	2112	cmd.exe	78
PID 2112 wrote to memory of 2052	2112	cmd.exe	78
PID 1900 wrote to memory of 2384	1900	NFgODbNY.exe	81
PID 1900 wrote to memory of 2384	1900	NFgODbNY.exe	81
PID 1900 wrote to memory of 2384	1900	NFgODbNY.exe	81
PID 2384 wrote to memory of 3744	2384	cmd.exe	82
PID 2384 wrote to memory of 3744	2384	cmd.exe	82
PID 2384 wrote to memory of 3744	2384	cmd.exe	82
PID 3744 wrote to memory of 544	3744	net.exe	83
PID 3744 wrote to memory of 544	3744	net.exe	83
PID 3744 wrote to memory of 544	3744	net.exe	83
PID 1900 wrote to memory of 416	1900	NFgODbNY.exe	84
PID 1900 wrote to memory of 416	1900	NFgODbNY.exe	84
PID 1900 wrote to memory of 416	1900	NFgODbNY.exe	84
PID 416 wrote to memory of 3352	416	cmd.exe	86
PID 416 wrote to memory of 3352	416	cmd.exe	86
PID 416 wrote to memory of 3352	416	cmd.exe	86
PID 3352 wrote to memory of 2784	3352	net.exe	87
PID 3352 wrote to memory of 2784	3352	net.exe	87
PID 3352 wrote to memory of 2784	3352	net.exe	87
PID 1900 wrote to memory of 1848	1900	NFgODbNY.exe	88
PID 1900 wrote to memory of 1848	1900	NFgODbNY.exe	88

C:\Users\Admin\AppData\Local\Temp\NFgODbNY.exe
"C:\Users\Admin\AppData\Local\Temp\NFgODbNY.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\NFgODbNY.exe
  "C:\Users\Admin\AppData\Local\Temp\NFgODbNY.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:2784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1848 -s 2020
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1848-205-0x000001F875EC6000-0x000001F875EC8000-memory.dmp

Filesize
8KB

Download
memory/1848-190-0x000001F877F20000-0x000001F877F21000-memory.dmp

Filesize
4KB

Download
memory/1848-185-0x000001F875D50000-0x000001F875D51000-memory.dmp

Filesize
4KB

Download
memory/1848-192-0x000001F875EC0000-0x000001F875EC2000-memory.dmp

Filesize
8KB

Download
memory/1848-193-0x000001F875EC3000-0x000001F875EC5000-memory.dmp

Filesize
8KB

Download
memory/1900-170-0x0000000002360000-0x0000000002375000-memory.dmp

Filesize
84KB

Download
memory/1900-131-0x0000000002280000-0x0000000002335000-memory.dmp

Filesize
724KB

Download
memory/1900-153-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1900-166-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/1900-142-0x00000000005C0000-0x000000000063C000-memory.dmp

Filesize
496KB

Download
memory/1900-127-0x00000000005B1000-0x00000000005B6000-memory.dmp

Filesize
20KB

Download