a5b3049a22d59c619f4b48926e347f475aa2568ccf169d01ca2aa613a631928c

Analysis

max time kernel
116s
max time network
141s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xjEvr.exe
Size

6.6MB
MD5

6d35df76deb4a90f3753cc5f08874594
SHA1

871eb58b0fe5e4bbabae265d144c2243bd01d706
SHA256

a5b3049a22d59c619f4b48926e347f475aa2568ccf169d01ca2aa613a631928c
SHA512

97a65b2babda90904bdbfbb0283b4b8d8556a4ebda3bf54c84478a62ea519495fd1a3df045c537c08913cd710056f60feb932a06df5cec0afb7a0c7d04a0edfd

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe
3768	xjEvr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2996	1704	WerFault.exe	80

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1336	WMIC.exe
Token: SeSecurityPrivilege	1336	WMIC.exe
Token: SeTakeOwnershipPrivilege	1336	WMIC.exe
Token: SeLoadDriverPrivilege	1336	WMIC.exe
Token: SeSystemProfilePrivilege	1336	WMIC.exe
Token: SeSystemtimePrivilege	1336	WMIC.exe
Token: SeProfSingleProcessPrivilege	1336	WMIC.exe
Token: SeIncBasePriorityPrivilege	1336	WMIC.exe
Token: SeCreatePagefilePrivilege	1336	WMIC.exe
Token: SeBackupPrivilege	1336	WMIC.exe
Token: SeRestorePrivilege	1336	WMIC.exe
Token: SeShutdownPrivilege	1336	WMIC.exe
Token: SeDebugPrivilege	1336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1336	WMIC.exe
Token: SeRemoteShutdownPrivilege	1336	WMIC.exe
Token: SeUndockPrivilege	1336	WMIC.exe
Token: SeManageVolumePrivilege	1336	WMIC.exe
Token: 33	1336	WMIC.exe
Token: 34	1336	WMIC.exe
Token: 35	1336	WMIC.exe
Token: 36	1336	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1336	WMIC.exe
Token: SeSecurityPrivilege	1336	WMIC.exe
Token: SeTakeOwnershipPrivilege	1336	WMIC.exe
Token: SeLoadDriverPrivilege	1336	WMIC.exe
Token: SeSystemProfilePrivilege	1336	WMIC.exe
Token: SeSystemtimePrivilege	1336	WMIC.exe
Token: SeProfSingleProcessPrivilege	1336	WMIC.exe
Token: SeIncBasePriorityPrivilege	1336	WMIC.exe
Token: SeCreatePagefilePrivilege	1336	WMIC.exe
Token: SeBackupPrivilege	1336	WMIC.exe
Token: SeRestorePrivilege	1336	WMIC.exe
Token: SeShutdownPrivilege	1336	WMIC.exe
Token: SeDebugPrivilege	1336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1336	WMIC.exe
Token: SeRemoteShutdownPrivilege	1336	WMIC.exe
Token: SeUndockPrivilege	1336	WMIC.exe
Token: SeManageVolumePrivilege	1336	WMIC.exe
Token: 33	1336	WMIC.exe
Token: 34	1336	WMIC.exe
Token: 35	1336	WMIC.exe
Token: 36	1336	WMIC.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2996	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3768	2680	xjEvr.exe	70
PID 2680 wrote to memory of 3768	2680	xjEvr.exe	70
PID 2680 wrote to memory of 3768	2680	xjEvr.exe	70
PID 3768 wrote to memory of 3996	3768	xjEvr.exe	71
PID 3768 wrote to memory of 3996	3768	xjEvr.exe	71
PID 3768 wrote to memory of 3996	3768	xjEvr.exe	71
PID 3996 wrote to memory of 1336	3996	cmd.exe	72
PID 3996 wrote to memory of 1336	3996	cmd.exe	72
PID 3996 wrote to memory of 1336	3996	cmd.exe	72
PID 3768 wrote to memory of 2224	3768	xjEvr.exe	74
PID 3768 wrote to memory of 2224	3768	xjEvr.exe	74
PID 3768 wrote to memory of 2224	3768	xjEvr.exe	74
PID 2224 wrote to memory of 3564	2224	cmd.exe	75
PID 2224 wrote to memory of 3564	2224	cmd.exe	75
PID 2224 wrote to memory of 3564	2224	cmd.exe	75
PID 3564 wrote to memory of 1468	3564	net.exe	76
PID 3564 wrote to memory of 1468	3564	net.exe	76
PID 3564 wrote to memory of 1468	3564	net.exe	76
PID 3768 wrote to memory of 2148	3768	xjEvr.exe	77
PID 3768 wrote to memory of 2148	3768	xjEvr.exe	77
PID 3768 wrote to memory of 2148	3768	xjEvr.exe	77
PID 2148 wrote to memory of 2484	2148	cmd.exe	78
PID 2148 wrote to memory of 2484	2148	cmd.exe	78
PID 2148 wrote to memory of 2484	2148	cmd.exe	78
PID 2484 wrote to memory of 1744	2484	net.exe	79
PID 2484 wrote to memory of 1744	2484	net.exe	79
PID 2484 wrote to memory of 1744	2484	net.exe	79
PID 3768 wrote to memory of 1704	3768	xjEvr.exe	80
PID 3768 wrote to memory of 1704	3768	xjEvr.exe	80

C:\Users\Admin\AppData\Local\Temp\xjEvr.exe
"C:\Users\Admin\AppData\Local\Temp\xjEvr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\xjEvr.exe
  "C:\Users\Admin\AppData\Local\Temp\xjEvr.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1704 -s 1988
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-197-0x000001EC35A60000-0x000001EC35A82000-memory.dmp

Filesize
136KB

Download
memory/1704-214-0x000001EC1B320000-0x000001EC1B400000-memory.dmp

Filesize
896KB

Download
memory/1704-204-0x000001EC1B320000-0x000001EC1B400000-memory.dmp

Filesize
896KB

Download
memory/1704-203-0x000001EC35C10000-0x000001EC35C86000-memory.dmp

Filesize
472KB

Download
memory/1704-202-0x000001EC1B320000-0x000001EC1B400000-memory.dmp

Filesize
896KB

Download
memory/3768-173-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/3768-177-0x0000000001540000-0x0000000001555000-memory.dmp

Filesize
84KB

Download
memory/3768-156-0x0000000001451000-0x0000000001454000-memory.dmp

Filesize
12KB

Download
memory/3768-157-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/3768-144-0x0000000001490000-0x000000000150C000-memory.dmp

Filesize
496KB

Download
memory/3768-172-0x0000000001521000-0x0000000001524000-memory.dmp

Filesize
12KB

Download
memory/3768-161-0x0000000001461000-0x0000000001463000-memory.dmp

Filesize
8KB

Download
memory/3768-129-0x0000000001431000-0x0000000001436000-memory.dmp

Filesize
20KB

Download
memory/3768-168-0x0000000001511000-0x0000000001514000-memory.dmp

Filesize
12KB

Download