cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

General

Target

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
Size

15.9MB
MD5

1f6ffbf88537755b91d44ef7f2adec54
SHA1

e85536f40c73aa0293645bc0e61c4290af3a0b65
SHA256

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b
SHA512

bc0922aa3a79d6790c4c21b7c404d439233120772528ddcb96c390f276e91f9f162d6a490e02ee4bd963aa02ec15ed88e202e75155e02b1e41a593372fe8f161

Score

8^/10

agilenet evasion vmprotect

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2340-165-0x00000000032D0000-0x000000000330E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

Loads dropped DLL 1 IoCs

Processes:

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

pid process

2340 cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2340-159-0x0000000000620000-0x00000000032C8000-memory.dmp	agile_net
behavioral2/memory/2340-160-0x0000000000620000-0x00000000032C8000-memory.dmp	agile_net
behavioral2/memory/2340-162-0x0000000000620000-0x00000000032C8000-memory.dmp	agile_net
behavioral2/memory/2340-164-0x0000000000620000-0x00000000032C8000-memory.dmp	agile_net
behavioral2/memory/2340-168-0x0000000003310000-0x0000000003334000-memory.dmp	agile_net
behavioral2/memory/2340-169-0x0000000003340000-0x00000000033A6000-memory.dmp	agile_net
behavioral2/memory/2340-170-0x0000000003640000-0x00000000038CE000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

pid	process
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

620 taskkill.exe
2000 taskkill.exe
4052 taskkill.exe
1996 taskkill.exe
1080 taskkill.exe

pid	process
620	taskkill.exe
2000	taskkill.exe
4052	taskkill.exe
1996	taskkill.exe
1080	taskkill.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

pid	process
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2340 wrote to memory of 1672	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 1672	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 2416	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 2416	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 796	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 796	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 316	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 316	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 3928	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 3928	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 3112	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 2340 wrote to memory of 3112	2340	cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe	cmd.exe
PID 1672 wrote to memory of 2000	1672	cmd.exe	taskkill.exe
PID 1672 wrote to memory of 2000	1672	cmd.exe	taskkill.exe
PID 796 wrote to memory of 1900	796	cmd.exe	sc.exe
PID 796 wrote to memory of 1900	796	cmd.exe	sc.exe
PID 2416 wrote to memory of 4052	2416	cmd.exe	taskkill.exe
PID 2416 wrote to memory of 4052	2416	cmd.exe	taskkill.exe
PID 316 wrote to memory of 1996	316	cmd.exe	taskkill.exe
PID 316 wrote to memory of 1996	316	cmd.exe	taskkill.exe
PID 3112 wrote to memory of 1080	3112	cmd.exe	taskkill.exe
PID 3112 wrote to memory of 1080	3112	cmd.exe	taskkill.exe
PID 3928 wrote to memory of 620	3928	cmd.exe	taskkill.exe
PID 3928 wrote to memory of 620	3928	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe
"C:\Users\Admin\AppData\Local\Temp\cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM UnrealCEFSubProcess.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\taskkill.exe
taskkill /F /IM UnrealCEFSubProcess.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM EpicGamesLauncher.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\taskkill.exe
taskkill /F /IM EpicGamesLauncher.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop HTTPDebuggerPro
2⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
PID:1900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM IPROSetMonitor.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\taskkill.exe
taskkill /F /IM IPROSetMonitor.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM "Razer Synapse Service Process.exe" /T
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\taskkill.exe
taskkill /F /IM "Razer Synapse Service Process.exe" /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM "Razer Synapse Service.exe" /T
2⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM "Razer Synapse Service.exe" /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\333d975b-78a7-46ce-aaa9-98c12a985d28\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/316-174-0x0000000000000000-mapping.dmp

Download
memory/620-182-0x0000000000000000-mapping.dmp

Download
memory/796-173-0x0000000000000000-mapping.dmp

Download
memory/1080-181-0x0000000000000000-mapping.dmp

Download
memory/1672-171-0x0000000000000000-mapping.dmp

Download
memory/1900-178-0x0000000000000000-mapping.dmp

Download
memory/1996-180-0x0000000000000000-mapping.dmp

Download
memory/2000-177-0x0000000000000000-mapping.dmp

Download
memory/2340-144-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-164-0x0000000000620000-0x00000000032C8000-memory.dmp

Filesize
44.7MB

Download
memory/2340-141-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-142-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-143-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-130-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-146-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-148-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-145-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-149-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-147-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-150-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-151-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-152-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-153-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-154-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-155-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-156-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-157-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-158-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/2340-159-0x0000000000620000-0x00000000032C8000-memory.dmp

Filesize
44.7MB

Download
memory/2340-160-0x0000000000620000-0x00000000032C8000-memory.dmp

Filesize
44.7MB

Download
memory/2340-161-0x00007FFE4B660000-0x00007FFE4B670000-memory.dmp

Filesize
64KB

Download
memory/2340-162-0x0000000000620000-0x00000000032C8000-memory.dmp

Filesize
44.7MB

Download
memory/2340-163-0x00007FFE2EC30000-0x00007FFE2F6F1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-140-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-165-0x00000000032D0000-0x000000000330E000-memory.dmp

Filesize
248KB

Download
memory/2340-138-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-167-0x00007FFE2FE50000-0x00007FFE2FF9E000-memory.dmp

Filesize
1.3MB

Download
memory/2340-168-0x0000000003310000-0x0000000003334000-memory.dmp

Filesize
144KB

Download
memory/2340-169-0x0000000003340000-0x00000000033A6000-memory.dmp

Filesize
408KB

Download
memory/2340-170-0x0000000003640000-0x00000000038CE000-memory.dmp

Filesize
2.6MB

Download
memory/2340-139-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-188-0x00000249B4DA0000-0x00000249B4DA4000-memory.dmp

Filesize
16KB

Download
memory/2340-137-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-136-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-187-0x00000249B4C70000-0x00000249B4C8E000-memory.dmp

Filesize
120KB

Download
memory/2340-186-0x0000024999CA9000-0x0000024999CAF000-memory.dmp

Filesize
24KB

Download
memory/2340-133-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-134-0x00007FFDCD750000-0x00007FFDCD760000-memory.dmp

Filesize
64KB

Download
memory/2340-185-0x00000249B4CA0000-0x00000249B4CC2000-memory.dmp

Filesize
136KB

Download
memory/2340-135-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-131-0x00007FFE4B630000-0x00007FFE4B640000-memory.dmp

Filesize
64KB

Download
memory/2340-132-0x00007FF4A78F0000-0x00007FF4A7CC1000-memory.dmp

Filesize
3.8MB

Download
memory/2340-183-0x00000000033B0000-0x0000000003460000-memory.dmp

Filesize
704KB

Download
memory/2340-184-0x00000249B4CE0000-0x00000249B4D56000-memory.dmp

Filesize
472KB

Download
memory/2416-172-0x0000000000000000-mapping.dmp

Download
memory/3112-176-0x0000000000000000-mapping.dmp

Download
memory/3928-175-0x0000000000000000-mapping.dmp

Download
memory/4052-179-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads