Windows Analysis Report
WWAddToLocalAdmins.exe

Overview

General Information

Sample name: WWAddToLocalAdmins.exe
Analysis ID: 1544497
MD5: cd54d0f310489d1cdcec2692cf9ef236
SHA1: 18b7ade73903e3562d3989515e6a5ebdbb21e058
SHA256: 291b83adc7d7d4bc86ddc24c75a26fd2c4d740a432da8d4cbf2b9e2fc4b517c4

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: WWAddToLocalAdmins.exe ReversingLabs: Detection: 16%
Source: WWAddToLocalAdmins.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00401467 FindResourceA,LoadResource,GetVersionExA,SetCurrentDirectoryA,LockResource,SizeofResource,KiUserExceptionDispatcher,LogonUserA,GetTickCount,GetFileAttributesA,SetFileAttributesA,SetFileAttributesA,GetExitCodeProcess,GetExitCodeProcess,Sleep,GetLastError,FormatMessageA,CreateProcessAsUserA,GetExitCodeProcess,Sleep,GetLastError,FormatMessageA,CreateProcessA,GetExitCodeProcess,Sleep,GetLastError,FormatMessageA,GetFileAttributesA,SetFileAttributesA, 0_2_00401467
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00402757 0_2_00402757
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00408917 0_2_00408917
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_004037C1 0_2_004037C1
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00404DDD 0_2_00404DDD
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00402FBA 0_2_00402FBA
Source: classification engine Classification label: mal48.winEXE@4/3@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe File created: C:\Temp\60875D.vbs
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs
Source: WWAddToLocalAdmins.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\WWAddToLocalAdmins.exe "C:\Users\user\Desktop\WWAddToLocalAdmins.exe"
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
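The process chain recorded above (dropper writes C:\Temp\60875D.vbs, then spawns cscript.exe //noLogo on it) is what the "Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" signature fired on. The block below is an added example, not part of the sandbox report and not the Sigma rule itself: it approximates that rule's logic over Sysmon Event ID 1 records, scores the launch higher when the script lives in a user-writable directory, and correlates it with a later Security Event ID 4732 (member added to a security-enabled local group) against the built-in Administrators group, SID S-1-5-32-544, which is the outcome the sample name suggests but the report does not record. Every event record is constructed for the example; only the cscript command line is the one from this report. Note the host match is on the image basename: the dropper requested C:\Windows\system32\CScript.exe but, as a 32-bit process, was redirected to C:\Windows\SysWOW64\cscript.exe, so a rule keyed on the System32 path would miss this run.

```python
"""Added example (not from the sandbox report): script-host launch detection
plus correlation with a local-Administrators membership change.
classify_process() approximates the Sigma rule named in the Signatures list
(it is not that rule's exact selection); correlate() pairs a launch with a
later Security 4732 event targeting S-1-5-32-544. Event records are
constructed; only the cscript command line comes from the report."""
import re
from datetime import datetime

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
# Lower-case substrings of locations any interactive user can write to.
WRITABLE_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\",
                 "c:\\users\\public\\", "c:\\programdata\\")
ADMINISTRATORS_SID = "S-1-5-32-544"
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_argument(cmdline):
    """First argument after the host executable that names a script file, else None."""
    for tok in _tokens(cmdline)[1:]:
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None


def classify_process(ev):
    """Finding for a Sysmon EID 1 script-host launch, or None.
    Matched on the image basename so both System32 and SysWOW64 hosts hit."""
    if ev.get("EventID") != 1:
        return None
    if ev["Image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return None
    script = script_argument(ev["CommandLine"])
    if script is None:
        return None
    from_writable = any(d in script.lower() for d in WRITABLE_DIRS)
    return {"time": ev["UtcTime"], "host": ev["Image"], "parent": ev.get("ParentImage"),
            "script": script, "severity": "high" if from_writable else "medium"}


def correlate(events, window_s=120):
    """Pair each script-host launch with any 4732 event that adds a member to
    Administrators within window_s seconds after the launch."""
    launches = [f for f in map(classify_process, events) if f]
    adds = [e for e in events
            if e.get("EventID") == 4732 and e.get("TargetSid") == ADMINISTRATORS_SID]
    hits = []
    for launch in launches:
        t0 = datetime.strptime(launch["time"], TS_FMT)
        for add in adds:
            delta = (datetime.strptime(add["UtcTime"], TS_FMT) - t0).total_seconds()
            if 0 <= delta <= window_s:
                hits.append({**launch, "member_added": add["MemberName"], "delta_s": delta})
    return hits


# Constructed events: timestamps, the added member name and the benign
# logon-script launch are hypothetical; the cscript command line is the
# one recorded in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-10-28 12:00:01", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\user\\Desktop\\WWAddToLocalAdmins.exe",
     "CommandLine": "\"C:\\Users\\user\\Desktop\\WWAddToLocalAdmins.exe\""},
    {"EventID": 1, "UtcTime": "2024-10-28 12:00:02", "Image": "C:\\Windows\\SysWOW64\\cscript.exe",
     "CommandLine": "\"C:\\Windows\\system32\\CScript.exe\" //noLogo C:\\Temp\\60875D.vbs",
     "ParentImage": "C:\\Users\\user\\Desktop\\WWAddToLocalAdmins.exe"},
    {"EventID": 4732, "UtcTime": "2024-10-28 12:00:03", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID, "MemberName": "WORKSTATION\\svc_backup",
     "SubjectUserName": "user"},
    {"EventID": 1, "UtcTime": "2024-10-28 12:05:00", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \\\\dc01\\netlogon\\logon.vbs",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        finding = classify_process(ev)
        if finding:
            print(f"[{finding['severity']}] {finding['host']} -> {finding['script']}")
    for hit in correlate(SAMPLE_EVENTS):
        print(f"[correlated] {hit['script']} then {hit['member_added']} added to "
              f"Administrators {hit['delta_s']:.0f}s later")
```

On the constructed input the cscript launch scores high (script under C:\Temp), the domain logon script scores medium, and only the former correlates with the 4732 event. In production the 4732 half comes from the Security log, not Sysmon, so the two streams need a shared clock and host key before the window comparison is meaningful.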
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: adsnt.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00401C42 LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,WinExec, 0_2_00401C42
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_004060C0 push eax; ret 0_2_004060EE
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: cscript.exe, 00000002.00000003.2252805429.00000000031D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RA
Source: cscript.exe, 00000002.00000003.2252789003.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000003.2252770380.00000000031DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe Code function: 0_2_00407B44 WriteFile,LdrInitializeThunk,GetLastError,WriteFile,GetLastError, 0_2_00407B44
Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos