Overview

overview

8

Static

static

1375950da7...c9.exe

windows7_x64

8

1375950da7...c9.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-07-2021 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1375950da71f03040d4043d9d84ac4c9.exe

  • Size

    2.6MB

  • MD5

    1375950da71f03040d4043d9d84ac4c9

  • SHA1

    5f4baed37f6eb23d1b6efbe58ece75030f701a77

  • SHA256

    635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

  • SHA512

    900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Score
8/10
agilenetpersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • autoit_exe 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1375950da71f03040d4043d9d84ac4c9.exe
    "C:\Users\Admin\AppData\Local\Temp\1375950da71f03040d4043d9d84ac4c9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\Videos\Word.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\Videos\Word.exe"
        3⤵
        • Adds Run key to start application
        PID:2976
    • C:\Users\Admin\Videos\Word.exe
      "C:\Users\Admin\Videos\Word.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Users\Admin\Videos\Word.exe
        "C:\Users\Admin\Videos\Word.exe"
        3⤵
        • Executes dropped EXE
        PID:2692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 580
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Videos\Word.exe
    MD5

    1375950da71f03040d4043d9d84ac4c9

    SHA1

    5f4baed37f6eb23d1b6efbe58ece75030f701a77

    SHA256

    635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

    SHA512

    900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

    Download Submit
  • C:\Users\Admin\Videos\Word.exe
    MD5

    1375950da71f03040d4043d9d84ac4c9

    SHA1

    5f4baed37f6eb23d1b6efbe58ece75030f701a77

    SHA256

    635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

    SHA512

    900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

    Download Submit
  • C:\Users\Admin\Videos\Word.exe
    MD5

    1375950da71f03040d4043d9d84ac4c9

    SHA1

    5f4baed37f6eb23d1b6efbe58ece75030f701a77

    SHA256

    635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

    SHA512

    900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

    Download Submit
  • memory/996-124-0x0000000006F50000-0x0000000006F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/996-119-0x0000000005B80000-0x0000000005B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/996-120-0x0000000005660000-0x00000000056F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/996-122-0x0000000006EC0000-0x0000000006EE1000-memory.dmp
    Filesize

    132KB

    Download
  • memory/996-123-0x0000000006F90000-0x0000000006F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/996-125-0x0000000005660000-0x00000000056F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/996-114-0x0000000000C00000-0x0000000000C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/996-118-0x0000000005830000-0x0000000005831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/996-117-0x0000000005790000-0x0000000005791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/996-116-0x0000000005C90000-0x0000000005C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-146-0x0000000000426BF7-mapping.dmp
    Download
  • memory/2692-152-0x00000000007C0000-0x0000000000906000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2692-148-0x00000000007C0000-0x0000000000906000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2700-126-0x0000000000000000-mapping.dmp
    Download
  • memory/2976-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3716-143-0x0000000007B00000-0x0000000007B0B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3716-144-0x0000000002900000-0x0000000002901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3716-142-0x0000000004FD0000-0x00000000054CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3716-138-0x0000000004FD0000-0x00000000054CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3716-128-0x0000000000000000-mapping.dmp
    Download