Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

WWAddToLocalAdmins.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.6126558170625005
Filename:	WWAddToLocalAdmins.exe
Filesize:	90112
MD5:	cd54d0f310489d1cdcec2692cf9ef236
SHA1:	18b7ade73903e3562d3989515e6a5ebdbb21e058
SHA256:	291b83adc7d7d4bc86ddc24c75a26fd2c4d740a432da8d4cbf2b9e2fc4b517c4
SHA512:	f5b51b42cf57ccc1dce94739e1f727b16c51e0b29c575ea514e338f2fab8c8f022bbceac261aac5d50e0ccafa57f700b9d6339c230d0aa2b83b2476d9e2de1c2
SSDEEP:	1536:Qpgvvf/afJnTsK8W1tBq5eGWclBjleBKBw/C:vvn/6wwt3hclBhX
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<..do..do..do..ho..doF.jo..do..no..doF.9o..do..eo..do..oo..do..bo..doRich..do................PE..L...uhNE...................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to launch a process as a different user	System Summary	Native API
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates temporary files	System Summary
Executes visual basic scripts	System Summary	Scripting
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Temp\60875D.vbs

ASCII text, with very long lines (2611), with no line terminators

dropped

Details

File:	C:\Temp\60875D.vbs
Category:	dropped
Dump:	60875D.vbs.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\WWAddToLocalAdmins.exe
Type:	ASCII text, with very long lines (2611), with no line terminators
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:v//////////////////////////////////////////////////////////////X:P
Size:	2611
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Creates temporary files	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

\Device\Mup\849224*\MAILSLOT\NET\NETLOGON

data

dropped

Details

File:	\Device\Mup\849224*\MAILSLOT\NET\NETLOGON
Category:	dropped
Dump:	NETLOGON1.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\SysWOW64\cscript.exe
Type:	data
Entropy:	3.545063206984032
Encrypted:	false
Ssdeep:	3:5cl115lll55I2Y1AnWSgll//8lLn:Cl11sGWJltMLn
Size:	64
Whitelisted:	false
Reputation:	low

\Device\Mup\SSO*\MAILSLOT\NET\NETLOGON

data

dropped

Details

File:	\Device\Mup\SSO*\MAILSLOT\NET\NETLOGON
Category:	dropped
Dump:	NETLOGON5.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SysWOW64\cscript.exe
Type:	data
Entropy:	3.7249034414266404
Encrypted:	false
Ssdeep:	3:5cl115lll55I2Y1AnJjUSRPlslLn:Cl11sGm1Ln
Size:	64
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\WWAddToLocalAdmins.exe

"C:\Users\user\Desktop\WWAddToLocalAdmins.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2408
Target ID:	0
Parent PID:	1028
Name:	WWAddToLocalAdmins.exe
Path:	C:\Users\user\Desktop\WWAddToLocalAdmins.exe
Commandline:	"C:\Users\user\Desktop\WWAddToLocalAdmins.exe"
Size:	90112
MD5:	CD54D0F310489D1CDCEC2692CF9EF236
Time:	09:07:53
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	98304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5384
Target ID:	1
Parent PID:	2408
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:07:53
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs

Details

Is windows:	true
Is dropped:	false
PID:	1848
Target ID:	2
Parent PID:	2408
Name:	cscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\cscript.exe
Commandline:	"C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs
Size:	144896
MD5:	CB601B41D4C8074BE8A84AED564A94DC
Time:	09:07:53
Date:	29/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc60000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

31E6000

heap

page read and write

31CA000

heap

page read and write

51CF000

stack

page read and write

31BB000

heap

page read and write

31E2000

heap

page read and write

1FB0000

heap

page read and write

4FA000

heap

page read and write

31C1000

heap

page read and write

3170000

heap

page read and write

31DF000

heap

page read and write

420000

heap

page read and write

3190000

heap

page read and write

490000

heap

page read and write

414000

unkown

page readonly

31A5000

heap

page read and write

31CD000

heap

page read and write

521E000

stack

page read and write

400000

unkown

page readonly

348C000

heap

page read and write

31E1000

heap

page read and write

4D40000

heap

page read and write

31A7000

heap

page read and write

31D6000

heap

page read and write

2460000

heap

page read and write

19A000

stack

page read and write

531F000

stack

page read and write

46E000

stack

page read and write

31C0000

heap

page read and write

31E4000

heap

page read and write

30FE000

stack

page read and write

2D95000

heap

page read and write

3198000

heap

page read and write

A9B000

stack

page read and write

C10000

heap

page read and write

4FE000

heap

page read and write

31CE000

heap

page read and write

31E2000

heap

page read and write

211F000

stack

page read and write

9C000

stack

page read and write

5330000

heap

page read and write

40C000

unkown

page readonly

4F0000

heap

page read and write

2D90000

heap

page read and write

31E5000

heap

page read and write

417000

unkown

page read and write

401000

unkown

page execute read

31C9000

heap

page read and write

3480000

heap

page read and write

31DF000

heap

page read and write

31A7000

heap

page read and write

31DA000

heap

page read and write

40C000

unkown

page readonly

31B7000

heap

page read and write

31A4000

heap

page read and write

50CE000

stack

page read and write

414000

unkown

page readonly

401000

unkown

page execute read

2010000

heap

page read and write

2DDE000

stack

page read and write

31E2000

heap

page read and write

2016000

heap

page read and write

C5E000

stack

page read and write

31CE000

heap

page read and write

4DE000

stack

page read and write

1F0000

heap

page read and write

31BA000

heap

page read and write

411000

unkown

page read and write

31CE000

heap

page read and write

338E000

stack

page read and write

7BF000

stack

page read and write

31B6000

heap

page read and write

B99000

stack

page read and write

40F000

unkown

page write copy

400000

unkown

page readonly

40F000

unkown

page read and write

31D5000

heap

page read and write

19D000

stack

page read and write

2D60000

heap

page read and write

411000

unkown

page write copy

There are 69 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
WWAddToLocalAdmins.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportWWAddToLocalAdmins.exe

Files

Processes

Memdumps

IOC Report
WWAddToLocalAdmins.exe