f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b

Analysis

max time kernel
144s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
16-05-2021 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
Size

6.6MB
MD5

62b44b7bec4ad127738623276af34870
SHA1

767b3a0b2947c67fb846327e265c21e118512998
SHA256

f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b
SHA512

5022c2af70cfc6db7d01756bf900e88000e7851f5916e282ab8f1de624c94d385863912b9241a65ff1b50b8a3958d1f38fff293ed3b40f374e1f8b8226350db6

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	3036	WerFault.exe	89

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2152	WMIC.exe
Token: SeSecurityPrivilege	2152	WMIC.exe
Token: SeTakeOwnershipPrivilege	2152	WMIC.exe
Token: SeLoadDriverPrivilege	2152	WMIC.exe
Token: SeSystemProfilePrivilege	2152	WMIC.exe
Token: SeSystemtimePrivilege	2152	WMIC.exe
Token: SeProfSingleProcessPrivilege	2152	WMIC.exe
Token: SeIncBasePriorityPrivilege	2152	WMIC.exe
Token: SeCreatePagefilePrivilege	2152	WMIC.exe
Token: SeBackupPrivilege	2152	WMIC.exe
Token: SeRestorePrivilege	2152	WMIC.exe
Token: SeShutdownPrivilege	2152	WMIC.exe
Token: SeDebugPrivilege	2152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2152	WMIC.exe
Token: SeRemoteShutdownPrivilege	2152	WMIC.exe
Token: SeUndockPrivilege	2152	WMIC.exe
Token: SeManageVolumePrivilege	2152	WMIC.exe
Token: 33	2152	WMIC.exe
Token: 34	2152	WMIC.exe
Token: 35	2152	WMIC.exe
Token: 36	2152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2152	WMIC.exe
Token: SeSecurityPrivilege	2152	WMIC.exe
Token: SeTakeOwnershipPrivilege	2152	WMIC.exe
Token: SeLoadDriverPrivilege	2152	WMIC.exe
Token: SeSystemProfilePrivilege	2152	WMIC.exe
Token: SeSystemtimePrivilege	2152	WMIC.exe
Token: SeProfSingleProcessPrivilege	2152	WMIC.exe
Token: SeIncBasePriorityPrivilege	2152	WMIC.exe
Token: SeCreatePagefilePrivilege	2152	WMIC.exe
Token: SeBackupPrivilege	2152	WMIC.exe
Token: SeRestorePrivilege	2152	WMIC.exe
Token: SeShutdownPrivilege	2152	WMIC.exe
Token: SeDebugPrivilege	2152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2152	WMIC.exe
Token: SeRemoteShutdownPrivilege	2152	WMIC.exe
Token: SeUndockPrivilege	2152	WMIC.exe
Token: SeManageVolumePrivilege	2152	WMIC.exe
Token: 33	2152	WMIC.exe
Token: 34	2152	WMIC.exe
Token: 35	2152	WMIC.exe
Token: 36	2152	WMIC.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2916	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1584	2116	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	75
PID 2116 wrote to memory of 1584	2116	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	75
PID 2116 wrote to memory of 1584	2116	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	75
PID 1584 wrote to memory of 1168	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	78
PID 1584 wrote to memory of 1168	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	78
PID 1584 wrote to memory of 1168	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	78
PID 1168 wrote to memory of 2152	1168	cmd.exe	79
PID 1168 wrote to memory of 2152	1168	cmd.exe	79
PID 1168 wrote to memory of 2152	1168	cmd.exe	79
PID 1584 wrote to memory of 2752	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	82
PID 1584 wrote to memory of 2752	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	82
PID 1584 wrote to memory of 2752	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	82
PID 2752 wrote to memory of 4004	2752	cmd.exe	83
PID 2752 wrote to memory of 4004	2752	cmd.exe	83
PID 2752 wrote to memory of 4004	2752	cmd.exe	83
PID 4004 wrote to memory of 3936	4004	net.exe	84
PID 4004 wrote to memory of 3936	4004	net.exe	84
PID 4004 wrote to memory of 3936	4004	net.exe	84
PID 1584 wrote to memory of 2912	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	85
PID 1584 wrote to memory of 2912	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	85
PID 1584 wrote to memory of 2912	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	85
PID 2912 wrote to memory of 3160	2912	cmd.exe	86
PID 2912 wrote to memory of 3160	2912	cmd.exe	86
PID 2912 wrote to memory of 3160	2912	cmd.exe	86
PID 3160 wrote to memory of 3156	3160	net.exe	87
PID 3160 wrote to memory of 3156	3160	net.exe	87
PID 3160 wrote to memory of 3156	3160	net.exe	87
PID 1584 wrote to memory of 3036	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	89
PID 1584 wrote to memory of 3036	1584	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	89

C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
"C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
  "C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3036 -s 2004
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-141-0x0000000000CF0000-0x0000000000D6C000-memory.dmp

Filesize
496KB

Download
memory/1584-169-0x00000000029D0000-0x00000000029E5000-memory.dmp

Filesize
84KB

Download
memory/1584-152-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/1584-165-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/1584-127-0x00000000005D1000-0x00000000005D6000-memory.dmp

Filesize
20KB

Download
memory/1584-131-0x00000000021C0000-0x0000000002275000-memory.dmp

Filesize
724KB

Download
memory/3036-184-0x0000021019750000-0x0000021019751000-memory.dmp

Filesize
4KB

Download
memory/3036-189-0x000002101BA20000-0x000002101BA21000-memory.dmp

Filesize
4KB

Download
memory/3036-191-0x00000210197C0000-0x00000210197C2000-memory.dmp

Filesize
8KB

Download
memory/3036-193-0x00000210197C3000-0x00000210197C5000-memory.dmp

Filesize
8KB

Download
memory/3036-204-0x00000210197C6000-0x00000210197C8000-memory.dmp

Filesize
8KB

Download