02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14

Analysis

max time kernel
132s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
Size

6.6MB
MD5

2b1e39fc33f9264f8401f6b59bb0857f
SHA1

2553c5666fa5cc37dfc68f35dadc5f026d22bc6b
SHA256

02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14
SHA512

1750fd743d8a132f6769b418789be6f84b26e9f4b13569d1afa48660ee64885f7bf8b95bb14d87c892e1b39a8bfe8bde7bd0d8ad6eeaefd00bb1a82a3fce17fa

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1360	3728	WerFault.exe	89

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeSecurityPrivilege	2160	WMIC.exe
Token: SeTakeOwnershipPrivilege	2160	WMIC.exe
Token: SeLoadDriverPrivilege	2160	WMIC.exe
Token: SeSystemProfilePrivilege	2160	WMIC.exe
Token: SeSystemtimePrivilege	2160	WMIC.exe
Token: SeProfSingleProcessPrivilege	2160	WMIC.exe
Token: SeIncBasePriorityPrivilege	2160	WMIC.exe
Token: SeCreatePagefilePrivilege	2160	WMIC.exe
Token: SeBackupPrivilege	2160	WMIC.exe
Token: SeRestorePrivilege	2160	WMIC.exe
Token: SeShutdownPrivilege	2160	WMIC.exe
Token: SeDebugPrivilege	2160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2160	WMIC.exe
Token: SeRemoteShutdownPrivilege	2160	WMIC.exe
Token: SeUndockPrivilege	2160	WMIC.exe
Token: SeManageVolumePrivilege	2160	WMIC.exe
Token: 33	2160	WMIC.exe
Token: 34	2160	WMIC.exe
Token: 35	2160	WMIC.exe
Token: 36	2160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeSecurityPrivilege	2160	WMIC.exe
Token: SeTakeOwnershipPrivilege	2160	WMIC.exe
Token: SeLoadDriverPrivilege	2160	WMIC.exe
Token: SeSystemProfilePrivilege	2160	WMIC.exe
Token: SeSystemtimePrivilege	2160	WMIC.exe
Token: SeProfSingleProcessPrivilege	2160	WMIC.exe
Token: SeIncBasePriorityPrivilege	2160	WMIC.exe
Token: SeCreatePagefilePrivilege	2160	WMIC.exe
Token: SeBackupPrivilege	2160	WMIC.exe
Token: SeRestorePrivilege	2160	WMIC.exe
Token: SeShutdownPrivilege	2160	WMIC.exe
Token: SeDebugPrivilege	2160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2160	WMIC.exe
Token: SeRemoteShutdownPrivilege	2160	WMIC.exe
Token: SeUndockPrivilege	2160	WMIC.exe
Token: SeManageVolumePrivilege	2160	WMIC.exe
Token: 33	2160	WMIC.exe
Token: 34	2160	WMIC.exe
Token: 35	2160	WMIC.exe
Token: 36	2160	WMIC.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	1360	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1576	2016	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	75
PID 2016 wrote to memory of 1576	2016	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	75
PID 2016 wrote to memory of 1576	2016	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	75
PID 1576 wrote to memory of 3532	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	78
PID 1576 wrote to memory of 3532	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	78
PID 1576 wrote to memory of 3532	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	78
PID 3532 wrote to memory of 2160	3532	cmd.exe	79
PID 3532 wrote to memory of 2160	3532	cmd.exe	79
PID 3532 wrote to memory of 2160	3532	cmd.exe	79
PID 1576 wrote to memory of 3864	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	82
PID 1576 wrote to memory of 3864	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	82
PID 1576 wrote to memory of 3864	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	82
PID 3864 wrote to memory of 3836	3864	cmd.exe	83
PID 3864 wrote to memory of 3836	3864	cmd.exe	83
PID 3864 wrote to memory of 3836	3864	cmd.exe	83
PID 3836 wrote to memory of 1856	3836	net.exe	84
PID 3836 wrote to memory of 1856	3836	net.exe	84
PID 3836 wrote to memory of 1856	3836	net.exe	84
PID 1576 wrote to memory of 4012	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	85
PID 1576 wrote to memory of 4012	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	85
PID 1576 wrote to memory of 4012	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	85
PID 4012 wrote to memory of 2868	4012	cmd.exe	86
PID 4012 wrote to memory of 2868	4012	cmd.exe	86
PID 4012 wrote to memory of 2868	4012	cmd.exe	86
PID 2868 wrote to memory of 2980	2868	net.exe	87
PID 2868 wrote to memory of 2980	2868	net.exe	87
PID 2868 wrote to memory of 2980	2868	net.exe	87
PID 1576 wrote to memory of 3728	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	89
PID 1576 wrote to memory of 3728	1576	02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe	89

C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
"C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
  "C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3728 -s 1940
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-131-0x0000000002880000-0x0000000002935000-memory.dmp

Filesize
724KB

Download
memory/1576-174-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/1576-170-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1576-143-0x0000000002940000-0x00000000029BC000-memory.dmp

Filesize
496KB

Download
memory/1576-156-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/1576-127-0x00000000008A1000-0x00000000008A6000-memory.dmp

Filesize
20KB

Download
memory/3728-190-0x00000292C9600000-0x00000292C9602000-memory.dmp

Filesize
8KB

Download
memory/3728-189-0x00000292C95B0000-0x00000292C95B1000-memory.dmp

Filesize
4KB

Download
memory/3728-191-0x00000292C9603000-0x00000292C9605000-memory.dmp

Filesize
8KB

Download
memory/3728-196-0x00000292E3880000-0x00000292E3881000-memory.dmp

Filesize
4KB

Download
memory/3728-209-0x00000292C9606000-0x00000292C9608000-memory.dmp

Filesize
8KB

Download