c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14

Analysis

max time kernel
226s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Size

70KB
MD5

4a9e537690c47b80219ef48d07dfcd86
SHA1

2357224b7f59940c77015ca600e02615b5128cfc
SHA256

c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14
SHA512

55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782
SSDEEP

768:QkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:tkQJcqwmIfj+ECJG/kvO

Score

9^/10

collection

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
896	wmimgmt.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	reg.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1872	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
928	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1992	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeRestorePrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeRestorePrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeRestorePrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeRestorePrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeRestorePrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeBackupPrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeRestorePrivilege	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeBackupPrivilege	896	wmimgmt.exe
Token: SeBackupPrivilege	896	wmimgmt.exe
Token: SeBackupPrivilege	896	wmimgmt.exe
Token: SeBackupPrivilege	896	wmimgmt.exe
Token: SeBackupPrivilege	896	wmimgmt.exe
Token: SeBackupPrivilege	896	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 896	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe	28
PID 1940 wrote to memory of 896	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe	28
PID 1940 wrote to memory of 896	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe	28
PID 1940 wrote to memory of 896	1940	c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe	28
PID 896 wrote to memory of 1704	896	wmimgmt.exe	29
PID 896 wrote to memory of 1704	896	wmimgmt.exe	29
PID 896 wrote to memory of 1704	896	wmimgmt.exe	29
PID 896 wrote to memory of 1704	896	wmimgmt.exe	29
PID 1704 wrote to memory of 732	1704	cmd.exe	31
PID 1704 wrote to memory of 732	1704	cmd.exe	31
PID 1704 wrote to memory of 732	1704	cmd.exe	31
PID 1704 wrote to memory of 732	1704	cmd.exe	31
PID 1704 wrote to memory of 1468	1704	cmd.exe	32
PID 1704 wrote to memory of 1468	1704	cmd.exe	32
PID 1704 wrote to memory of 1468	1704	cmd.exe	32
PID 1704 wrote to memory of 1468	1704	cmd.exe	32
PID 1704 wrote to memory of 816	1704	cmd.exe	33
PID 1704 wrote to memory of 816	1704	cmd.exe	33
PID 1704 wrote to memory of 816	1704	cmd.exe	33
PID 1704 wrote to memory of 816	1704	cmd.exe	33
PID 816 wrote to memory of 300	816	net.exe	34
PID 816 wrote to memory of 300	816	net.exe	34
PID 816 wrote to memory of 300	816	net.exe	34
PID 816 wrote to memory of 300	816	net.exe	34
PID 1704 wrote to memory of 884	1704	cmd.exe	35
PID 1704 wrote to memory of 884	1704	cmd.exe	35
PID 1704 wrote to memory of 884	1704	cmd.exe	35
PID 1704 wrote to memory of 884	1704	cmd.exe	35
PID 884 wrote to memory of 620	884	net.exe	36
PID 884 wrote to memory of 620	884	net.exe	36
PID 884 wrote to memory of 620	884	net.exe	36
PID 884 wrote to memory of 620	884	net.exe	36
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1992	1704	cmd.exe	39
PID 1704 wrote to memory of 1992	1704	cmd.exe	39
PID 1704 wrote to memory of 1992	1704	cmd.exe	39
PID 1704 wrote to memory of 1992	1704	cmd.exe	39
PID 1704 wrote to memory of 840	1704	cmd.exe	41
PID 1704 wrote to memory of 840	1704	cmd.exe	41
PID 1704 wrote to memory of 840	1704	cmd.exe	41
PID 1704 wrote to memory of 840	1704	cmd.exe	41
PID 1704 wrote to memory of 1516	1704	cmd.exe	42
PID 1704 wrote to memory of 1516	1704	cmd.exe	42
PID 1704 wrote to memory of 1516	1704	cmd.exe	42
PID 1704 wrote to memory of 1516	1704	cmd.exe	42
PID 1704 wrote to memory of 1712	1704	cmd.exe	43
PID 1704 wrote to memory of 1712	1704	cmd.exe	43
PID 1704 wrote to memory of 1712	1704	cmd.exe	43
PID 1704 wrote to memory of 1712	1704	cmd.exe	43
PID 1704 wrote to memory of 1564	1704	cmd.exe	44
PID 1704 wrote to memory of 1564	1704	cmd.exe	44
PID 1704 wrote to memory of 1564	1704	cmd.exe	44
PID 1704 wrote to memory of 1564	1704	cmd.exe	44
PID 1704 wrote to memory of 1284	1704	cmd.exe	45
PID 1704 wrote to memory of 1284	1704	cmd.exe	45
PID 1704 wrote to memory of 1284	1704	cmd.exe	45
PID 1704 wrote to memory of 1284	1704	cmd.exe	45
PID 1704 wrote to memory of 1604	1704	cmd.exe	46
PID 1704 wrote to memory of 1604	1704	cmd.exe	46
PID 1704 wrote to memory of 1604	1704	cmd.exe	46
PID 1704 wrote to memory of 1604	1704	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
"C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:300
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:620
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
      4⤵
      PID:792
  - - C:\Windows\SysWOW64\net.exe
      net user Admin
      4⤵
      PID:1540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin
        5⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\net.exe
      net user Admin /domain
      4⤵
      PID:1412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin /domain
        5⤵
        
        PID:1740
  - - C:\Windows\SysWOW64\net.exe
      net group
      4⤵
      PID:2036
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\net.exe
      net group /domain
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group /domain
        5⤵
        
        PID:816
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins"
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins"
        5⤵
        
        PID:884
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      PID:740
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\net.exe
      net group "domain computers"
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain computers"
        5⤵
        
        PID:1616
  - - C:\Windows\SysWOW64\net.exe
      net group "domain computers" /domain
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain computers" /domain
        5⤵
        
        PID:1992
  - - C:\Windows\SysWOW64\net.exe
      net group "domain controllers"
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain controllers"
        5⤵
        
        PID:1712
  - - C:\Windows\SysWOW64\net.exe
      net group "domain controllers" /domain
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain controllers" /domain
        5⤵
        
        PID:1560
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\wmimgmt.exe

Filesize
70KB

MD5
4a9e537690c47b80219ef48d07dfcd86

SHA1
2357224b7f59940c77015ca600e02615b5128cfc

SHA256
c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14

SHA512
55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782

Download Submit
C:\ProgramData\wmimgmt.exe

Filesize
70KB

MD5
4a9e537690c47b80219ef48d07dfcd86

SHA1
2357224b7f59940c77015ca600e02615b5128cfc

SHA256
c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14

SHA512
55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
49B

MD5
5e4d7b79ea0658b667c35146ae177b94

SHA1
2b2d107a5f5620ec36bad720ac0783939aeb437d

SHA256
659963ec47461993584e081568c2a9a21705b7180da9d4c9ca7c3dfdc7ad8c33

SHA512
ce163c916598c53192cabde8643d1c9bd910d3b7b113b3a15ee924fa03a5f0ee9f5c078adaad60053db000e7b2872c499dc58e250d95adebe9244489044e6d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
4KB

MD5
b91bc08162fbc3445c5424b77183b807

SHA1
52b2a60db40cdcc655648a65210ed26219c033e1

SHA256
7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a

SHA512
2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35

Download Submit
\ProgramData\wmimgmt.exe

Filesize
70KB

MD5
4a9e537690c47b80219ef48d07dfcd86

SHA1
2357224b7f59940c77015ca600e02615b5128cfc

SHA256
c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14

SHA512
55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782

Download Submit
\ProgramData\wmimgmt.exe

Filesize
70KB

MD5
4a9e537690c47b80219ef48d07dfcd86

SHA1
2357224b7f59940c77015ca600e02615b5128cfc

SHA256
c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14

SHA512
55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782

Download Submit
memory/896-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/896-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1940-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-58-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/1940-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads