da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

Analysis

max time kernel
157s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Size

104KB
MD5

79f302aa124239e2e3b91952a199d0a2
SHA1

6eac448a6f91937f22455ca5aef1eb4a1bf254cd
SHA256

da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a
SHA512

f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f
SSDEEP

1536:xTYd5QJc/vaSybs4eBReHbaxjg46o6qBH:V1c/2b5keuNg4HDH

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
920	wmimgmt.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3668	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3516	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4988	ipconfig.exe
4256	NETSTAT.EXE
4636	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4784	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeBackupPrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeDebugPrivilege	3516	tasklist.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeRestorePrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeDebugPrivilege	4256	NETSTAT.EXE
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe
Token: SeBackupPrivilege	920	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 920	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	84
PID 4752 wrote to memory of 920	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	84
PID 4752 wrote to memory of 920	4752	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	84
PID 920 wrote to memory of 4264	920	wmimgmt.exe	87
PID 920 wrote to memory of 4264	920	wmimgmt.exe	87
PID 920 wrote to memory of 4264	920	wmimgmt.exe	87
PID 4264 wrote to memory of 3632	4264	cmd.exe	89
PID 4264 wrote to memory of 3632	4264	cmd.exe	89
PID 4264 wrote to memory of 3632	4264	cmd.exe	89
PID 4264 wrote to memory of 3752	4264	cmd.exe	90
PID 4264 wrote to memory of 3752	4264	cmd.exe	90
PID 4264 wrote to memory of 3752	4264	cmd.exe	90
PID 4264 wrote to memory of 4444	4264	cmd.exe	91
PID 4264 wrote to memory of 4444	4264	cmd.exe	91
PID 4264 wrote to memory of 4444	4264	cmd.exe	91
PID 4444 wrote to memory of 4772	4444	net.exe	92
PID 4444 wrote to memory of 4772	4444	net.exe	92
PID 4444 wrote to memory of 4772	4444	net.exe	92
PID 4264 wrote to memory of 2312	4264	cmd.exe	93
PID 4264 wrote to memory of 2312	4264	cmd.exe	93
PID 4264 wrote to memory of 2312	4264	cmd.exe	93
PID 2312 wrote to memory of 4500	2312	net.exe	94
PID 2312 wrote to memory of 4500	2312	net.exe	94
PID 2312 wrote to memory of 4500	2312	net.exe	94
PID 4264 wrote to memory of 3516	4264	cmd.exe	95
PID 4264 wrote to memory of 3516	4264	cmd.exe	95
PID 4264 wrote to memory of 3516	4264	cmd.exe	95
PID 4264 wrote to memory of 4784	4264	cmd.exe	97
PID 4264 wrote to memory of 4784	4264	cmd.exe	97
PID 4264 wrote to memory of 4784	4264	cmd.exe	97
PID 4264 wrote to memory of 2084	4264	cmd.exe	100
PID 4264 wrote to memory of 2084	4264	cmd.exe	100
PID 4264 wrote to memory of 2084	4264	cmd.exe	100
PID 4264 wrote to memory of 2176	4264	cmd.exe	101
PID 4264 wrote to memory of 2176	4264	cmd.exe	101
PID 4264 wrote to memory of 2176	4264	cmd.exe	101
PID 4264 wrote to memory of 3636	4264	cmd.exe	102
PID 4264 wrote to memory of 3636	4264	cmd.exe	102
PID 4264 wrote to memory of 3636	4264	cmd.exe	102
PID 4264 wrote to memory of 2148	4264	cmd.exe	103
PID 4264 wrote to memory of 2148	4264	cmd.exe	103
PID 4264 wrote to memory of 2148	4264	cmd.exe	103
PID 4264 wrote to memory of 1892	4264	cmd.exe	104
PID 4264 wrote to memory of 1892	4264	cmd.exe	104
PID 4264 wrote to memory of 1892	4264	cmd.exe	104
PID 4264 wrote to memory of 4492	4264	cmd.exe	105
PID 4264 wrote to memory of 4492	4264	cmd.exe	105
PID 4264 wrote to memory of 4492	4264	cmd.exe	105
PID 4264 wrote to memory of 2584	4264	cmd.exe	106
PID 4264 wrote to memory of 2584	4264	cmd.exe	106
PID 4264 wrote to memory of 2584	4264	cmd.exe	106
PID 4264 wrote to memory of 5028	4264	cmd.exe	107
PID 4264 wrote to memory of 5028	4264	cmd.exe	107
PID 4264 wrote to memory of 5028	4264	cmd.exe	107
PID 4264 wrote to memory of 4592	4264	cmd.exe	108
PID 4264 wrote to memory of 4592	4264	cmd.exe	108
PID 4264 wrote to memory of 4592	4264	cmd.exe	108
PID 4264 wrote to memory of 4988	4264	cmd.exe	109
PID 4264 wrote to memory of 4988	4264	cmd.exe	109
PID 4264 wrote to memory of 4988	4264	cmd.exe	109
PID 4264 wrote to memory of 4256	4264	cmd.exe	110
PID 4264 wrote to memory of 4256	4264	cmd.exe	110
PID 4264 wrote to memory of 4256	4264	cmd.exe	110
PID 4264 wrote to memory of 4060	4264	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
"C:\Users\Admin\AppData\Local\Temp\da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4772
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3516
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4784
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      PID:3636
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4988
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4256
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      Gathers network information
      PID:4636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        
        PID:1712
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        
        PID:3188
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      PID:3428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        
        PID:3580
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:4088
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      Discovers systems in the same network
      PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\wmimgmt.exe

Filesize
104KB

MD5
79f302aa124239e2e3b91952a199d0a2

SHA1
6eac448a6f91937f22455ca5aef1eb4a1bf254cd

SHA256
da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

SHA512
f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f

Download Submit
C:\ProgramData\wmimgmt.exe

Filesize
104KB

MD5
79f302aa124239e2e3b91952a199d0a2

SHA1
6eac448a6f91937f22455ca5aef1eb4a1bf254cd

SHA256
da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

SHA512
f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
bc94ea5fd344443eb0319aa2356146ec

SHA1
7a85b1746abab996c4ac2f9708da3010f6efc2e8

SHA256
d5fea7a78c6684cbc368a76d78a66dbd72083f0b6a560a07619a12536e545f30

SHA512
47330c02018785196ca838ad98c5fab50a77838f543be44eaed1257d00a55042a9e8b4ebc9bdeb9e5258fb45c4648a02ab06366d1f0a5ce68fdc0b94588ce3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
b98e8fcde49a1caee295a6bd3d264e56

SHA1
71c82391a8617212ad48c8d79755e71be2e20be9

SHA256
e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

SHA512
fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

Download Submit
memory/920-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4752-133-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4752-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads