76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e

Analysis

max time kernel
151s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Size

60KB
MD5

a0068ae7ff0080ef15e60e1d213c53b1
SHA1

1685fd8007c01c2efc9f273f092cda13141fb0eb
SHA256

76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
SHA512

f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
SSDEEP

768:ukpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvORBX80X/s:3kQJcqwmIfj+ECJG/kvO40vs

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
3556	wmimgmt.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2228	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3704	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeRestorePrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeRestorePrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeRestorePrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeRestorePrivilege	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeRestorePrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeRestorePrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeDebugPrivilege	2228	tasklist.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe
Token: SeBackupPrivilege	3556	wmimgmt.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3556	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe	84
PID 1528 wrote to memory of 3556	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe	84
PID 1528 wrote to memory of 3556	1528	76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe	84
PID 3556 wrote to memory of 1508	3556	wmimgmt.exe	89
PID 3556 wrote to memory of 1508	3556	wmimgmt.exe	89
PID 3556 wrote to memory of 1508	3556	wmimgmt.exe	89
PID 1508 wrote to memory of 3976	1508	cmd.exe	91
PID 1508 wrote to memory of 3976	1508	cmd.exe	91
PID 1508 wrote to memory of 3976	1508	cmd.exe	91
PID 1508 wrote to memory of 1020	1508	cmd.exe	94
PID 1508 wrote to memory of 1020	1508	cmd.exe	94
PID 1508 wrote to memory of 1020	1508	cmd.exe	94
PID 1508 wrote to memory of 4856	1508	cmd.exe	95
PID 1508 wrote to memory of 4856	1508	cmd.exe	95
PID 1508 wrote to memory of 4856	1508	cmd.exe	95
PID 4856 wrote to memory of 4120	4856	net.exe	96
PID 4856 wrote to memory of 4120	4856	net.exe	96
PID 4856 wrote to memory of 4120	4856	net.exe	96
PID 1508 wrote to memory of 3908	1508	cmd.exe	97
PID 1508 wrote to memory of 3908	1508	cmd.exe	97
PID 1508 wrote to memory of 3908	1508	cmd.exe	97
PID 3908 wrote to memory of 4708	3908	net.exe	98
PID 3908 wrote to memory of 4708	3908	net.exe	98
PID 3908 wrote to memory of 4708	3908	net.exe	98
PID 1508 wrote to memory of 2228	1508	cmd.exe	99
PID 1508 wrote to memory of 2228	1508	cmd.exe	99
PID 1508 wrote to memory of 2228	1508	cmd.exe	99
PID 1508 wrote to memory of 3704	1508	cmd.exe	101
PID 1508 wrote to memory of 3704	1508	cmd.exe	101
PID 1508 wrote to memory of 3704	1508	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
"C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4120
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4708
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\wmimgmt.exe

Filesize
60KB

MD5
a0068ae7ff0080ef15e60e1d213c53b1

SHA1
1685fd8007c01c2efc9f273f092cda13141fb0eb

SHA256
76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e

SHA512
f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb

Download Submit
C:\ProgramData\wmimgmt.exe

Filesize
60KB

MD5
a0068ae7ff0080ef15e60e1d213c53b1

SHA1
1685fd8007c01c2efc9f273f092cda13141fb0eb

SHA256
76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e

SHA512
f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
49B

MD5
2fa848e6957ded59d3105baff2173502

SHA1
69ac17fab606ccaf02eab35dcee4ef0d8030f572

SHA256
50ddb97831bd430b8433f5b5e823f1be7bf84a3fdbc10571cf609d3456007bd5

SHA512
6c58cc68d1bdf0334f438719ede384267fffd26df94996d7762dc12d3dc952282afc07d244eada6f3459a1ac75b61588125b05d4a2790884dd97b6a72db2450e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
4KB

MD5
b91bc08162fbc3445c5424b77183b807

SHA1
52b2a60db40cdcc655648a65210ed26219c033e1

SHA256
7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a

SHA512
2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35

Download Submit
memory/1528-133-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1528-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1528-137-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3556-138-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download