c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe
Size

53KB
MD5

b4cdc0b6c35c0316d064a56ddb1b1c40
SHA1

309f8d75c7b64703909868b7d7802cf57cc57b45
SHA256

c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581
SHA512

957e92fa97358b455fd4e321fcf2981a087f87ddccc044597b47ee3bc911787865d5daf1dfb0d084f94c29b638f49ce6b40bfb8852e79d5ffd03462f7b6d62f6
SSDEEP

768:81U+8awSaWRDapppWwaMRHoUj+hkoYPVw9OvSBKfsnrz50xM0UEZHBtBdTiada+H:81ZnZw/w1y86Wz5IUEZDL24kZFc1

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4420	WMIC.exe
Token: SeSecurityPrivilege	4420	WMIC.exe
Token: SeTakeOwnershipPrivilege	4420	WMIC.exe
Token: SeLoadDriverPrivilege	4420	WMIC.exe
Token: SeSystemProfilePrivilege	4420	WMIC.exe
Token: SeSystemtimePrivilege	4420	WMIC.exe
Token: SeProfSingleProcessPrivilege	4420	WMIC.exe
Token: SeIncBasePriorityPrivilege	4420	WMIC.exe
Token: SeCreatePagefilePrivilege	4420	WMIC.exe
Token: SeBackupPrivilege	4420	WMIC.exe
Token: SeRestorePrivilege	4420	WMIC.exe
Token: SeShutdownPrivilege	4420	WMIC.exe
Token: SeDebugPrivilege	4420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4420	WMIC.exe
Token: SeRemoteShutdownPrivilege	4420	WMIC.exe
Token: SeUndockPrivilege	4420	WMIC.exe
Token: SeManageVolumePrivilege	4420	WMIC.exe
Token: 33	4420	WMIC.exe
Token: 34	4420	WMIC.exe
Token: 35	4420	WMIC.exe
Token: 36	4420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4420	WMIC.exe
Token: SeSecurityPrivilege	4420	WMIC.exe
Token: SeTakeOwnershipPrivilege	4420	WMIC.exe
Token: SeLoadDriverPrivilege	4420	WMIC.exe
Token: SeSystemProfilePrivilege	4420	WMIC.exe
Token: SeSystemtimePrivilege	4420	WMIC.exe
Token: SeProfSingleProcessPrivilege	4420	WMIC.exe
Token: SeIncBasePriorityPrivilege	4420	WMIC.exe
Token: SeCreatePagefilePrivilege	4420	WMIC.exe
Token: SeBackupPrivilege	4420	WMIC.exe
Token: SeRestorePrivilege	4420	WMIC.exe
Token: SeShutdownPrivilege	4420	WMIC.exe
Token: SeDebugPrivilege	4420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4420	WMIC.exe
Token: SeRemoteShutdownPrivilege	4420	WMIC.exe
Token: SeUndockPrivilege	4420	WMIC.exe
Token: SeManageVolumePrivilege	4420	WMIC.exe
Token: 33	4420	WMIC.exe
Token: 34	4420	WMIC.exe
Token: 35	4420	WMIC.exe
Token: 36	4420	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 2880	4732	c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe	84
PID 4732 wrote to memory of 2880	4732	c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe	84
PID 2880 wrote to memory of 3592	2880	cmd.exe	85
PID 2880 wrote to memory of 3592	2880	cmd.exe	85
PID 2880 wrote to memory of 4420	2880	cmd.exe	86
PID 2880 wrote to memory of 4420	2880	cmd.exe	86
PID 2880 wrote to memory of 4904	2880	cmd.exe	87
PID 2880 wrote to memory of 4904	2880	cmd.exe	87
PID 2880 wrote to memory of 3128	2880	cmd.exe	89
PID 2880 wrote to memory of 3128	2880	cmd.exe	89
PID 2880 wrote to memory of 1012	2880	cmd.exe	90
PID 2880 wrote to memory of 1012	2880	cmd.exe	90
PID 3128 wrote to memory of 3844	3128	net.exe	91
PID 3128 wrote to memory of 3844	3128	net.exe	91
PID 2880 wrote to memory of 4996	2880	cmd.exe	92
PID 2880 wrote to memory of 4996	2880	cmd.exe	92
PID 2880 wrote to memory of 208	2880	cmd.exe	93
PID 2880 wrote to memory of 208	2880	cmd.exe	93
PID 4996 wrote to memory of 1836	4996	net.exe	94
PID 4996 wrote to memory of 1836	4996	net.exe	94
PID 2880 wrote to memory of 2932	2880	cmd.exe	95
PID 2880 wrote to memory of 2932	2880	cmd.exe	95
PID 2932 wrote to memory of 2728	2932	net.exe	96
PID 2932 wrote to memory of 2728	2932	net.exe	96
PID 2880 wrote to memory of 4344	2880	cmd.exe	97
PID 2880 wrote to memory of 4344	2880	cmd.exe	97
PID 2880 wrote to memory of 1056	2880	cmd.exe	98
PID 2880 wrote to memory of 1056	2880	cmd.exe	98
PID 2880 wrote to memory of 1060	2880	cmd.exe	99
PID 2880 wrote to memory of 1060	2880	cmd.exe	99
PID 1056 wrote to memory of 2140	1056	net.exe	100
PID 1056 wrote to memory of 2140	1056	net.exe	100
PID 2880 wrote to memory of 1756	2880	cmd.exe	102
PID 2880 wrote to memory of 1756	2880	cmd.exe	102
PID 2880 wrote to memory of 1960	2880	cmd.exe	103
PID 2880 wrote to memory of 1960	2880	cmd.exe	103
PID 1756 wrote to memory of 1820	1756	net.exe	104
PID 1756 wrote to memory of 1820	1756	net.exe	104
PID 2880 wrote to memory of 4160	2880	cmd.exe	105
PID 2880 wrote to memory of 4160	2880	cmd.exe	105
PID 2880 wrote to memory of 4024	2880	cmd.exe	106
PID 2880 wrote to memory of 4024	2880	cmd.exe	106
PID 4160 wrote to memory of 4404	4160	net.exe	107
PID 4160 wrote to memory of 4404	4160	net.exe	107

C:\Users\Admin\AppData\Local\Temp\c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe
"C:\Users\Admin\AppData\Local\Temp\c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\903A.tmp\password.bat" C:\Users\Admin\AppData\Local\Temp\c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:3592
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic useraccount get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\system32\findstr.exe
    findstr -v Name
    3⤵
    PID:4904
- - C:\Windows\system32\net.exe
    net user Admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin
      4⤵
      PID:3844
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:1012
- - C:\Windows\system32\net.exe
    net user Administrator
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator
      4⤵
      PID:1836
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:208
- - C:\Windows\system32\net.exe
    net user DefaultAccount
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user DefaultAccount
      4⤵
      PID:2728
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:4344
- - C:\Windows\system32\net.exe
    net user Guest
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Guest
      4⤵
      PID:2140
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:1060
- - C:\Windows\system32\net.exe
    net user WDAGUtilityAccount
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user WDAGUtilityAccount
      4⤵
      PID:1820
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:1960
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4404
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:4024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\903A.tmp\password.bat

Filesize
387B

MD5
5e4b4f1d6d501f3445d7b46d870ccc44

SHA1
116ac1b4bf93a803231d86a94521eb8a0b49af57

SHA256
cc7b990a2c81aedfab269ae6aef0c369940b238374c7f8cca219336df467d55b

SHA512
27a975d6ebf5c8657dc2916a3966a4aaf3c5f5162eb89085a2836129aa5f9de8e4bcc13123518a054e65513f36320f3357b8a941db283e9ac9a6ed19cb88b344

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads