b16048a37c4e5e7cbe23a02ae21ac8140cbbb7575edfcd7de23b11664b9a507d

Analysis

max time kernel
300s
max time network
202s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/08/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

release/data/createuser.bat
Size

71B
MD5

a3fca2181219e47e252ad1e6c5901c86
SHA1

1b3ff050d9a5a2bec457228dd69db4bae7d550f3
SHA256

68a516c4b18ba7b28af6f27d7f461aa02f4c897d16e2bf73fc39567922546a2d
SHA512

279e6cd0d29d9cd8ed285238905cc1e905477c7f23ac44109d250549c6705c848b6edb970d64a0138f64c1bbe0328e8c484134f036e6160fefb92d148d85011a

Score

9^/10

discovery

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Runs net.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 5064	4324	cmd.exe	82
PID 4324 wrote to memory of 5064	4324	cmd.exe	82
PID 5064 wrote to memory of 4660	5064	net.exe	83
PID 5064 wrote to memory of 4660	5064	net.exe	83
PID 4324 wrote to memory of 5104	4324	cmd.exe	84
PID 4324 wrote to memory of 5104	4324	cmd.exe	84
PID 5104 wrote to memory of 4248	5104	net.exe	85
PID 5104 wrote to memory of 4248	5104	net.exe	85
PID 4916 wrote to memory of 1936	4916	cmd.exe	98
PID 4916 wrote to memory of 1936	4916	cmd.exe	98
PID 4916 wrote to memory of 1420	4916	cmd.exe	99
PID 4916 wrote to memory of 1420	4916	cmd.exe	99
PID 4916 wrote to memory of 2988	4916	cmd.exe	100
PID 4916 wrote to memory of 2988	4916	cmd.exe	100
PID 4916 wrote to memory of 1836	4916	cmd.exe	101
PID 4916 wrote to memory of 1836	4916	cmd.exe	101
PID 4916 wrote to memory of 2996	4916	cmd.exe	102
PID 4916 wrote to memory of 2996	4916	cmd.exe	102
PID 4916 wrote to memory of 4048	4916	cmd.exe	103
PID 4916 wrote to memory of 4048	4916	cmd.exe	103
PID 4916 wrote to memory of 1844	4916	cmd.exe	104
PID 4916 wrote to memory of 1844	4916	cmd.exe	104
PID 1844 wrote to memory of 4712	1844	cmd.exe	105
PID 1844 wrote to memory of 4712	1844	cmd.exe	105
PID 4916 wrote to memory of 4672	4916	cmd.exe	106
PID 4916 wrote to memory of 4672	4916	cmd.exe	106
PID 4916 wrote to memory of 4424	4916	cmd.exe	107
PID 4916 wrote to memory of 4424	4916	cmd.exe	107
PID 4916 wrote to memory of 2452	4916	cmd.exe	108
PID 4916 wrote to memory of 2452	4916	cmd.exe	108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\release\data\createuser.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\system32\net.exe
  net user "Exitlag" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user "Exitlag" /add
    3⤵
    PID:4660
- C:\Windows\system32\net.exe
  net localgroup "Administrators" "Exitlag" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Administrators" "Exitlag" /add
    3⤵
    PID:4248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1608

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\release\run.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1936
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:1420
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\release\run.bat" "
  2⤵
  PID:1836
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2996
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:4712
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:4672
- C:\Windows\System32\choice.exe
  choice /C:123456 /N
  2⤵
  PID:4424
- C:\Users\Admin\Desktop\release\data\spoofer.exe
  C:\Users\Admin\Desktop\release\\data\spoofer.exe "C:\Users\Admin\Desktop\release\\data\driver.sys
  2⤵
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-0-0x00007FF7438A0000-0x00007FF743938000-memory.dmp

Filesize
608KB

Download