ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50

Analysis

max time kernel
177s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
Size

120KB
MD5

9e2d5116462c18c2a8b0dcb7bd88e9ca
SHA1

74ca2e701aae44413e3706a37ff44ebbe6c0e19d
SHA256

ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50
SHA512

43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3
SSDEEP

1536:WlnMg9bWAdy4nHfUHD28+we3cotuFDcF4DfQKRx50KVT4iKEFXvxKqHs:WlNsAdy4n/UKw4co9FMfQeN/Xey

Score

9^/10

persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
2244	inetinfo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inet32 = "C:\\ProgramData\\Application Data\\inetinfo.exe"	ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3620	net.exe
2984	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3652	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2868	NETSTAT.EXE
4852	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4136	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	NETSTAT.EXE
Token: SeDebugPrivilege	3652	tasklist.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2244	3012	ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe	83
PID 3012 wrote to memory of 2244	3012	ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe	83
PID 3012 wrote to memory of 2244	3012	ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe	83
PID 2244 wrote to memory of 1768	2244	inetinfo.exe	85
PID 2244 wrote to memory of 1768	2244	inetinfo.exe	85
PID 2244 wrote to memory of 1768	2244	inetinfo.exe	85
PID 1768 wrote to memory of 4136	1768	cmd.exe	87
PID 1768 wrote to memory of 4136	1768	cmd.exe	87
PID 1768 wrote to memory of 4136	1768	cmd.exe	87
PID 1768 wrote to memory of 1488	1768	cmd.exe	89
PID 1768 wrote to memory of 1488	1768	cmd.exe	89
PID 1768 wrote to memory of 1488	1768	cmd.exe	89
PID 1488 wrote to memory of 1864	1488	net.exe	90
PID 1488 wrote to memory of 1864	1488	net.exe	90
PID 1488 wrote to memory of 1864	1488	net.exe	90
PID 1768 wrote to memory of 4500	1768	cmd.exe	91
PID 1768 wrote to memory of 4500	1768	cmd.exe	91
PID 1768 wrote to memory of 4500	1768	cmd.exe	91
PID 4500 wrote to memory of 4224	4500	net.exe	92
PID 4500 wrote to memory of 4224	4500	net.exe	92
PID 4500 wrote to memory of 4224	4500	net.exe	92
PID 1768 wrote to memory of 4816	1768	cmd.exe	93
PID 1768 wrote to memory of 4816	1768	cmd.exe	93
PID 1768 wrote to memory of 4816	1768	cmd.exe	93
PID 4816 wrote to memory of 4600	4816	net.exe	94
PID 4816 wrote to memory of 4600	4816	net.exe	94
PID 4816 wrote to memory of 4600	4816	net.exe	94
PID 1768 wrote to memory of 3620	1768	cmd.exe	95
PID 1768 wrote to memory of 3620	1768	cmd.exe	95
PID 1768 wrote to memory of 3620	1768	cmd.exe	95
PID 1768 wrote to memory of 2984	1768	cmd.exe	96
PID 1768 wrote to memory of 2984	1768	cmd.exe	96
PID 1768 wrote to memory of 2984	1768	cmd.exe	96
PID 1768 wrote to memory of 4280	1768	cmd.exe	97
PID 1768 wrote to memory of 4280	1768	cmd.exe	97
PID 1768 wrote to memory of 4280	1768	cmd.exe	97
PID 4280 wrote to memory of 4248	4280	net.exe	98
PID 4280 wrote to memory of 4248	4280	net.exe	98
PID 4280 wrote to memory of 4248	4280	net.exe	98
PID 1768 wrote to memory of 2868	1768	cmd.exe	99
PID 1768 wrote to memory of 2868	1768	cmd.exe	99
PID 1768 wrote to memory of 2868	1768	cmd.exe	99
PID 1768 wrote to memory of 3652	1768	cmd.exe	100
PID 1768 wrote to memory of 3652	1768	cmd.exe	100
PID 1768 wrote to memory of 3652	1768	cmd.exe	100
PID 1768 wrote to memory of 4852	1768	cmd.exe	102
PID 1768 wrote to memory of 4852	1768	cmd.exe	102
PID 1768 wrote to memory of 4852	1768	cmd.exe	102
PID 1768 wrote to memory of 4952	1768	cmd.exe	103
PID 1768 wrote to memory of 4952	1768	cmd.exe	103
PID 1768 wrote to memory of 4952	1768	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
"C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012
- C:\ProgramData\Application Data\inetinfo.exe
  "C:\ProgramData\Application Data\inetinfo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\info.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4136
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1864
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        
        PID:4600
  - - C:\Windows\SysWOW64\net.exe
      net view
      4⤵
      Discovers systems in the same network
      PID:3620
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      Discovers systems in the same network
      PID:2984
  - - C:\Windows\SysWOW64\net.exe
      net user /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user /domain
        5⤵
        
        PID:4248
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4852
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\inetinfo.exe

Filesize
120KB

MD5
9e2d5116462c18c2a8b0dcb7bd88e9ca

SHA1
74ca2e701aae44413e3706a37ff44ebbe6c0e19d

SHA256
ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50

SHA512
43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3

Download Submit
C:\ProgramData\inetinfo.exe

Filesize
120KB

MD5
9e2d5116462c18c2a8b0dcb7bd88e9ca

SHA1
74ca2e701aae44413e3706a37ff44ebbe6c0e19d

SHA256
ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50

SHA512
43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.bat

Filesize
581B

MD5
52b5878fbe8ecfafe96177c8001328b7

SHA1
3bc5f0fe87c76ed056e940dfcfaa176397527d94

SHA256
2ce2bccf6b09a3b49aafe4306b378fe0f4dea8f1104c1a0dfc060af5945f37db

SHA512
d6284b5b081887a2773cd4d459c225d9952b4f28551ea98f2463ef70009443bc75138fb6e5a871a14ab7935102e57b3cbc8310cafc1d97f530ed9a8ac6c4dd5c

Download Submit
memory/2244-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2244-154-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3012-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads