d278c3aa58ec53e40450b6316a414cf4440c4de8000e810b1d5a96c1e332b1c6

Analysis

max time kernel
34s
max time network
123s
platform
windows10_x64
resource
win10v20210408
submitted
29-06-2021 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asdfa.exe
Size

6.6MB
MD5

84ff84125412cc31a157f9bde26ece4f
SHA1

3696f153950863249b13ebf02c7059c3c3304530
SHA256

d278c3aa58ec53e40450b6316a414cf4440c4de8000e810b1d5a96c1e332b1c6
SHA512

d0dfcfa397f13e77e276e0d82f64513c9489a1fa776bcfd61f927b1433989832f03cb7597171a8c96f8d1fb4ebb564e3f773f75ec5a5b6f792e63bbaa5bc0072

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe
1876	asdfa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	3308	WerFault.exe	88

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3308	powershell.exe
3308	powershell.exe
3308	powershell.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: 36	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: 36	2020	WMIC.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2652	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1876	3492	asdfa.exe	75
PID 3492 wrote to memory of 1876	3492	asdfa.exe	75
PID 3492 wrote to memory of 1876	3492	asdfa.exe	75
PID 1876 wrote to memory of 1200	1876	asdfa.exe	77
PID 1876 wrote to memory of 1200	1876	asdfa.exe	77
PID 1876 wrote to memory of 1200	1876	asdfa.exe	77
PID 1200 wrote to memory of 2020	1200	cmd.exe	78
PID 1200 wrote to memory of 2020	1200	cmd.exe	78
PID 1200 wrote to memory of 2020	1200	cmd.exe	78
PID 1876 wrote to memory of 2456	1876	asdfa.exe	82
PID 1876 wrote to memory of 2456	1876	asdfa.exe	82
PID 1876 wrote to memory of 2456	1876	asdfa.exe	82
PID 2456 wrote to memory of 3008	2456	cmd.exe	83
PID 2456 wrote to memory of 3008	2456	cmd.exe	83
PID 2456 wrote to memory of 3008	2456	cmd.exe	83
PID 3008 wrote to memory of 3736	3008	net.exe	84
PID 3008 wrote to memory of 3736	3008	net.exe	84
PID 3008 wrote to memory of 3736	3008	net.exe	84
PID 1876 wrote to memory of 3844	1876	asdfa.exe	85
PID 1876 wrote to memory of 3844	1876	asdfa.exe	85
PID 1876 wrote to memory of 3844	1876	asdfa.exe	85
PID 3844 wrote to memory of 2884	3844	cmd.exe	86
PID 3844 wrote to memory of 2884	3844	cmd.exe	86
PID 3844 wrote to memory of 2884	3844	cmd.exe	86
PID 2884 wrote to memory of 2812	2884	net.exe	87
PID 2884 wrote to memory of 2812	2884	net.exe	87
PID 2884 wrote to memory of 2812	2884	net.exe	87
PID 1876 wrote to memory of 3308	1876	asdfa.exe	88
PID 1876 wrote to memory of 3308	1876	asdfa.exe	88

C:\Users\Admin\AppData\Local\Temp\asdfa.exe
"C:\Users\Admin\AppData\Local\Temp\asdfa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\asdfa.exe
  "C:\Users\Admin\AppData\Local\Temp\asdfa.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3308 -s 1896
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-169-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/1876-127-0x0000000000A61000-0x0000000000A66000-memory.dmp

Filesize
20KB

Download
memory/1876-173-0x0000000002750000-0x0000000002765000-memory.dmp

Filesize
84KB

Download
memory/1876-131-0x0000000002DD0000-0x0000000002E85000-memory.dmp

Filesize
724KB

Download
memory/1876-156-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/1876-143-0x0000000002E90000-0x0000000002F0C000-memory.dmp

Filesize
496KB

Download
memory/3308-188-0x0000017C25160000-0x0000017C25161000-memory.dmp

Filesize
4KB

Download
memory/3308-189-0x0000017C3D410000-0x0000017C3D412000-memory.dmp

Filesize
8KB

Download
memory/3308-190-0x0000017C3D413000-0x0000017C3D415000-memory.dmp

Filesize
8KB

Download
memory/3308-195-0x0000017C3D350000-0x0000017C3D351000-memory.dmp

Filesize
4KB

Download
memory/3308-208-0x0000017C3D416000-0x0000017C3D418000-memory.dmp

Filesize
8KB

Download