591bf6c785a42e2ad6c91e94c544e69e68a0484acd47c1b1747b49d8fb1b3d11

Resubmissions

04-09-2021 07:37

210904-jf39zshben 10

04-09-2021 07:35

210904-jeq82aeab3 10

Analysis

max time kernel
380s
max time network
1584s
platform
windows10_x64
resource
win10-en
submitted
04-09-2021 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.bin.exe
Size

6.6MB
MD5

2787bb2d1ab223f8ac2692f3a8fd85fc
SHA1

dc34ee4e46ddea333cdc90e4aad7589cb8ee1ea0
SHA256

952e3e059251cd41e3c67006c5aa4b75fe3e6b0f18d96554b2d60d4ccfb78cb4
SHA512

d79bd7599ccb09fa72b939a506d04e28cb958e59c3987ab4d375e76337d5b1e33369d59397338aaeaf938c14ec9d93b20501d5224d151631c69c874d0657e9f3

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe
1364	svchost.bin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1220	4076	WerFault.exe	89

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3380	WMIC.exe
Token: SeSecurityPrivilege	3380	WMIC.exe
Token: SeTakeOwnershipPrivilege	3380	WMIC.exe
Token: SeLoadDriverPrivilege	3380	WMIC.exe
Token: SeSystemProfilePrivilege	3380	WMIC.exe
Token: SeSystemtimePrivilege	3380	WMIC.exe
Token: SeProfSingleProcessPrivilege	3380	WMIC.exe
Token: SeIncBasePriorityPrivilege	3380	WMIC.exe
Token: SeCreatePagefilePrivilege	3380	WMIC.exe
Token: SeBackupPrivilege	3380	WMIC.exe
Token: SeRestorePrivilege	3380	WMIC.exe
Token: SeShutdownPrivilege	3380	WMIC.exe
Token: SeDebugPrivilege	3380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3380	WMIC.exe
Token: SeRemoteShutdownPrivilege	3380	WMIC.exe
Token: SeUndockPrivilege	3380	WMIC.exe
Token: SeManageVolumePrivilege	3380	WMIC.exe
Token: 33	3380	WMIC.exe
Token: 34	3380	WMIC.exe
Token: 35	3380	WMIC.exe
Token: 36	3380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3380	WMIC.exe
Token: SeSecurityPrivilege	3380	WMIC.exe
Token: SeTakeOwnershipPrivilege	3380	WMIC.exe
Token: SeLoadDriverPrivilege	3380	WMIC.exe
Token: SeSystemProfilePrivilege	3380	WMIC.exe
Token: SeSystemtimePrivilege	3380	WMIC.exe
Token: SeProfSingleProcessPrivilege	3380	WMIC.exe
Token: SeIncBasePriorityPrivilege	3380	WMIC.exe
Token: SeCreatePagefilePrivilege	3380	WMIC.exe
Token: SeBackupPrivilege	3380	WMIC.exe
Token: SeRestorePrivilege	3380	WMIC.exe
Token: SeShutdownPrivilege	3380	WMIC.exe
Token: SeDebugPrivilege	3380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3380	WMIC.exe
Token: SeRemoteShutdownPrivilege	3380	WMIC.exe
Token: SeUndockPrivilege	3380	WMIC.exe
Token: SeManageVolumePrivilege	3380	WMIC.exe
Token: 33	3380	WMIC.exe
Token: 34	3380	WMIC.exe
Token: 35	3380	WMIC.exe
Token: 36	3380	WMIC.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	1220	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 1364	3916	svchost.bin.exe	75
PID 3916 wrote to memory of 1364	3916	svchost.bin.exe	75
PID 3916 wrote to memory of 1364	3916	svchost.bin.exe	75
PID 1364 wrote to memory of 3420	1364	svchost.bin.exe	78
PID 1364 wrote to memory of 3420	1364	svchost.bin.exe	78
PID 1364 wrote to memory of 3420	1364	svchost.bin.exe	78
PID 3420 wrote to memory of 3380	3420	cmd.exe	79
PID 3420 wrote to memory of 3380	3420	cmd.exe	79
PID 3420 wrote to memory of 3380	3420	cmd.exe	79
PID 1364 wrote to memory of 2600	1364	svchost.bin.exe	82
PID 1364 wrote to memory of 2600	1364	svchost.bin.exe	82
PID 1364 wrote to memory of 2600	1364	svchost.bin.exe	82
PID 2600 wrote to memory of 2764	2600	cmd.exe	83
PID 2600 wrote to memory of 2764	2600	cmd.exe	83
PID 2600 wrote to memory of 2764	2600	cmd.exe	83
PID 2764 wrote to memory of 2464	2764	net.exe	84
PID 2764 wrote to memory of 2464	2764	net.exe	84
PID 2764 wrote to memory of 2464	2764	net.exe	84
PID 1364 wrote to memory of 2952	1364	svchost.bin.exe	85
PID 1364 wrote to memory of 2952	1364	svchost.bin.exe	85
PID 1364 wrote to memory of 2952	1364	svchost.bin.exe	85
PID 2952 wrote to memory of 1432	2952	cmd.exe	86
PID 2952 wrote to memory of 1432	2952	cmd.exe	86
PID 2952 wrote to memory of 1432	2952	cmd.exe	86
PID 1432 wrote to memory of 1080	1432	net.exe	87
PID 1432 wrote to memory of 1080	1432	net.exe	87
PID 1432 wrote to memory of 1080	1432	net.exe	87
PID 1364 wrote to memory of 4076	1364	svchost.bin.exe	89
PID 1364 wrote to memory of 4076	1364	svchost.bin.exe	89

C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4076 -s 1916
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20210904-0740.dm
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-166-0x00000000038D0000-0x00000000038E0000-memory.dmp

Filesize
64KB

Download
memory/1364-142-0x0000000002FF0000-0x000000000306C000-memory.dmp

Filesize
496KB

Download
memory/1364-170-0x00000000038E0000-0x00000000038F5000-memory.dmp

Filesize
84KB

Download
memory/1364-128-0x0000000002FE1000-0x0000000002FE6000-memory.dmp

Filesize
20KB

Download
memory/1364-132-0x0000000003190000-0x0000000003245000-memory.dmp

Filesize
724KB

Download
memory/1364-153-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/4076-185-0x0000029768AF0000-0x0000029768AF1000-memory.dmp

Filesize
4KB

Download
memory/4076-190-0x000002976ACD0000-0x000002976ACD1000-memory.dmp

Filesize
4KB

Download
memory/4076-191-0x0000029768B70000-0x0000029768B72000-memory.dmp

Filesize
8KB

Download
memory/4076-193-0x0000029768B73000-0x0000029768B75000-memory.dmp

Filesize
8KB

Download
memory/4076-199-0x0000029768B76000-0x0000029768B78000-memory.dmp

Filesize
8KB

Download