a9f6ef13af75a45e21a84953e3ad505fc5f5bcd0d126ed5f8cb2bbccc5e698c1

General

Target

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
Size

1.4MB
MD5

2cb8100f3ebd38a989dc97a960b86aa4
SHA1

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c
SHA256

1969a9dbc990ec8d4c4c9b8133a7a7ec4651f2e5af0bc1da9e6973a22f34aad3
SHA512

2bde24565262adf6a990d09dd5d25acc4fcefb94d65cfd05d49dcf6f8daf2b7ec784cb55b0f146887e52d2c3121c2f97f01571de2cbf3a675fca9b745e168a0c

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1100-63-0x0000000000F30000-0x0000000000F51000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

description	pid	process	target process
PID 1100 set thread context of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

592 308 WerFault.exe 7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

pid	pid_target	process	target process
592	308	WerFault.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exeWerFault.exe

pid	process
1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1100 7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
Token: SeDebugPrivilege 592 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
Token: SeDebugPrivilege	592	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe

description	pid	process	target process
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 1100 wrote to memory of 308	1100	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
PID 308 wrote to memory of 592	308	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	WerFault.exe
PID 308 wrote to memory of 592	308	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	WerFault.exe
PID 308 wrote to memory of 592	308	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	WerFault.exe
PID 308 wrote to memory of 592	308	7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
"C:\Users\Admin\AppData\Local\Temp\7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe
"C:\Users\Admin\AppData\Local\Temp\7ddf1c0004d5cb08afdb7a4ad2198232c584ee7c.exe"
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 512
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-67-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/308-68-0x000000000043E628-mapping.dmp

Download
memory/308-69-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/308-70-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/592-71-0x0000000000000000-mapping.dmp

Download
memory/592-72-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1100-59-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1100-61-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1100-63-0x0000000000F30000-0x0000000000F51000-memory.dmp

Filesize
132KB

Download
memory/1100-64-0x0000000000DF1000-0x0000000000DF2000-memory.dmp

Filesize
4KB

Download
memory/1100-65-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/1100-66-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads