b728133491571b5473adba573e27014ccd8a83a337549e1cd61bb53675d9af81

General

Target

APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
Size

706KB
MD5

da60d646e63e252736a76998f36a6547
SHA1

ca9af1d7be7667784742ced9b33141d7c6a4e0ac
SHA256

b728133491571b5473adba573e27014ccd8a83a337549e1cd61bb53675d9af81
SHA512

d89798434962684006161403a3c41ba62232e379367211be59106d4369666cfb3dcc4c96de0e7bc7c6d162a0bda516976f061c7975c20623a3346c73e56dcea8

Score

8^/10

agilenet persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FILES.exe

pid process

772 FILES.exe
Loads dropped DLL 1 IoCs

Processes:

APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe

pid process

1800 APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe

pid	process
772	FILES.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1800-64-0x0000000000B00000-0x0000000000B21000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\FILES = "C:\\Users\\Admin\\AppData\\Roaming\\FILES.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exeFILES.exe

pid	process
1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
772	FILES.exe
772	FILES.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exeFILES.exe

description pid process

Token: SeDebugPrivilege 1800 APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
Token: SeDebugPrivilege 772 FILES.exe

description	pid	process
Token: SeDebugPrivilege	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
Token: SeDebugPrivilege	772	FILES.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.execmd.exe

description	pid	process	target process
PID 1800 wrote to memory of 1572	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	cmd.exe
PID 1800 wrote to memory of 1572	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	cmd.exe
PID 1800 wrote to memory of 1572	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	cmd.exe
PID 1800 wrote to memory of 1572	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	cmd.exe
PID 1572 wrote to memory of 796	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 796	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 796	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 796	1572	cmd.exe	reg.exe
PID 1800 wrote to memory of 772	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	FILES.exe
PID 1800 wrote to memory of 772	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	FILES.exe
PID 1800 wrote to memory of 772	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	FILES.exe
PID 1800 wrote to memory of 772	1800	APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe	FILES.exe

C:\Users\Admin\AppData\Local\Temp\APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
"C:\Users\Admin\AppData\Local\Temp\APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "FILES" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FILES.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "FILES" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FILES.exe"
3⤵
- Adds Run key to start application
PID:796

C:\Users\Admin\AppData\Roaming\FILES.exe
"C:\Users\Admin\AppData\Roaming\FILES.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
3⤵
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FILES.exe
MD5
da60d646e63e252736a76998f36a6547

SHA1
ca9af1d7be7667784742ced9b33141d7c6a4e0ac

SHA256
b728133491571b5473adba573e27014ccd8a83a337549e1cd61bb53675d9af81

SHA512
d89798434962684006161403a3c41ba62232e379367211be59106d4369666cfb3dcc4c96de0e7bc7c6d162a0bda516976f061c7975c20623a3346c73e56dcea8

Download Submit
C:\Users\Admin\AppData\Roaming\FILES.exe
MD5
da60d646e63e252736a76998f36a6547

SHA1
ca9af1d7be7667784742ced9b33141d7c6a4e0ac

SHA256
b728133491571b5473adba573e27014ccd8a83a337549e1cd61bb53675d9af81

SHA512
d89798434962684006161403a3c41ba62232e379367211be59106d4369666cfb3dcc4c96de0e7bc7c6d162a0bda516976f061c7975c20623a3346c73e56dcea8

Download Submit
\Users\Admin\AppData\Roaming\FILES.exe
MD5
da60d646e63e252736a76998f36a6547

SHA1
ca9af1d7be7667784742ced9b33141d7c6a4e0ac

SHA256
b728133491571b5473adba573e27014ccd8a83a337549e1cd61bb53675d9af81

SHA512
d89798434962684006161403a3c41ba62232e379367211be59106d4369666cfb3dcc4c96de0e7bc7c6d162a0bda516976f061c7975c20623a3346c73e56dcea8

Download Submit
memory/772-69-0x0000000000000000-mapping.dmp

Download
memory/772-72-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/772-74-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/772-77-0x0000000001011000-0x0000000001012000-memory.dmp

Filesize
4KB

Download
memory/796-67-0x0000000000000000-mapping.dmp

Download
memory/1572-66-0x0000000000000000-mapping.dmp

Download
memory/1800-65-0x0000000004B51000-0x0000000004B52000-memory.dmp

Filesize
4KB

Download
memory/1800-60-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/1800-64-0x0000000000B00000-0x0000000000B21000-memory.dmp

Filesize
132KB

Download
memory/1800-62-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads