Overview

overview

9

Static

static

3

sus/Pluton...er.exe

windows11-21h2-x64

3

sus/data/c...er.bat

windows11-21h2-x64

9

sus/data/d...er.bat

windows11-21h2-x64

8

sus/data/driver.sys

windows11-21h2-x64

1

sus/data/kdmapper.exe

windows11-21h2-x64

1

sus/data/m...er.bat

windows11-21h2-x64

3

sus/data/spoofer.bat

windows11-21h2-x64

1

sus/data/spoofer.exe

windows11-21h2-x64

1

sus/run.bat

windows11-21h2-x64

1

Analysis

  • max time kernel
    300s
  • max time network
    202s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-08-2024 16:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sus/data/createuser.bat

  • Size

    71B

  • MD5

    a3fca2181219e47e252ad1e6c5901c86

  • SHA1

    1b3ff050d9a5a2bec457228dd69db4bae7d550f3

  • SHA256

    68a516c4b18ba7b28af6f27d7f461aa02f4c897d16e2bf73fc39567922546a2d

  • SHA512

    279e6cd0d29d9cd8ed285238905cc1e905477c7f23ac44109d250549c6705c848b6edb970d64a0138f64c1bbe0328e8c484134f036e6160fefb92d148d85011a

Score
9/10
discovery

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sus\data\createuser.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\system32\net.exe
      net user "Exitlag" /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user "Exitlag" /add
        3⤵
          PID:1356
      • C:\Windows\system32\net.exe
        net localgroup "Administrators" "Exitlag" /add
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup "Administrators" "Exitlag" /add
          3⤵
            PID:4984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads