Analysis
-
max time kernel
91s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
24-09-2022 04:41
Behavioral task
behavioral1
Sample
3ae29db0d835a3cc48cc336488002922.exe
Resource
win7-20220812-en
General
-
Target
3ae29db0d835a3cc48cc336488002922.exe
-
Size
203KB
-
MD5
3ae29db0d835a3cc48cc336488002922
-
SHA1
4aef9906e6cc92985c1d60f2e1f0dd7d7ccc5235
-
SHA256
5e2a88e15bae77d518675c76f6dbb359bded2ae8fdaabe8f0751aa8c47bb9ba6
-
SHA512
faa1a30c139c1e2dc21216643611a982c56f0d9aa586b8d4d8b30853859a2e686d43e74f473e55da940f48c71f0160610a1cb2c48fa913efb2c2ea6c70c0f639
-
SSDEEP
3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIN0iT05t4Ziu8hBVv4TPcXQZqG:sLV6Bta6dtJmakIM5yGtMMnEcXs7hms
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Process: 3ae29db0d835a3cc48cc336488002922.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"
-
Checks whether UAC is enabled 1 IoCs
Process: 3ae29db0d835a3cc48cc336488002922.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Drops file in Program Files directory 2 IoCs
Process: 3ae29db0d835a3cc48cc336488002922.exe
  File created: C:\Program Files (x86)\AGP Monitor\agpmon.exe
  File opened for modification: C:\Program Files (x86)\AGP Monitor\agpmon.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 3344 schtasks.exe
  PID 4060 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Process: PID 4896 3ae29db0d835a3cc48cc336488002922.exe (6 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Process: PID 4896 3ae29db0d835a3cc48cc336488002922.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Process: PID 4896 3ae29db0d835a3cc48cc336488002922.exe
  Token: SeDebugPrivilege (2 occurrences)
-
Suspicious use of WriteProcessMemory 6 IoCs
Process: PID 4896 3ae29db0d835a3cc48cc336488002922.exe
  Wrote to memory of PID 3344 schtasks.exe (3 occurrences)
  Wrote to memory of PID 4060 schtasks.exe (3 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ae29db0d835a3cc48cc336488002922.exe (PID 4896, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ae29db0d835a3cc48cc336488002922.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8467.tmp"
    - Creates scheduled task(s)
  -
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8969.tmp"
    - Creates scheduled task(s)
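The behaviour above is a compact persistence pattern: a binary running from the user's Temp directory drops an EXE into Program Files (x86), registers it under the Run key, and additionally imports two scheduled tasks from XML files it wrote to Temp. Two points matter for anyone turning this into a detection. First, the sample is 32-bit (x86 tag, SysWOW64 schtasks.exe), so its write to HKLM\SOFTWARE\...\Run is redirected to the WOW6432Node view; a hunt that only reads the native Run key misses it. Second, the report does not show the task XML content, so what the tasks actually execute is unknown here; the detectable pattern is the import itself (schtasks /create /xml with a path under Temp, spawned by a Temp-resident parent). The EnableLUA query is a read and yields no rule on its own. The following is an added example, not part of the sandbox report: three rules over Sysmon-style events (real Sysmon event IDs 1, 11 and 13 and their field names), run against events constructed from this report's observations plus two benign controls.

```python
"""Detection rules for the Temp-to-Program Files persistence pattern.

Added example (not sandbox output). Events are constructed dicts using
Sysmon field names; EventID 1 = process create, 11 = file create,
13 = registry value set.
"""
import re

EVT_PROCESS_CREATE = 1
EVT_FILE_CREATE = 11
EVT_REGISTRY_SET = 13

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGFILES_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.IGNORECASE)
# Matches the Run key in both the native and the WOW6432Node (32-bit redirected) views.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/xml\s+"?(?P<xml>[^"\s]+)', re.IGNORECASE)


def in_user_temp(path):
    """True if the path lies under a user's AppData\\Local\\Temp."""
    return bool(TEMP_RE.search(path or ""))


def check_process_create(ev):
    """schtasks /create importing a task XML from Temp, launched by a Temp-resident parent."""
    m = SCHTASKS_XML_RE.search(ev.get("CommandLine", ""))
    if m and in_user_temp(m.group("xml")) and in_user_temp(ev.get("ParentImage")):
        return "schtasks XML import from Temp: %s (parent %s)" % (m.group("xml"), ev["ParentImage"])
    return None


def check_registry_set(ev):
    """A Run key value written by a process that runs from Temp."""
    if RUN_KEY_RE.search(ev.get("TargetObject", "")) and in_user_temp(ev.get("Image")):
        return "Run key persistence: %s = %s" % (ev["TargetObject"], ev.get("Details"))
    return None


def check_file_create(ev):
    """An executable dropped into Program Files by a process that runs from Temp."""
    target = ev.get("TargetFilename", "")
    if PROGFILES_RE.match(target) and target.lower().endswith(".exe") and in_user_temp(ev.get("Image")):
        return "EXE dropped into Program Files: %s" % target
    return None


RULES = {
    EVT_PROCESS_CREATE: check_process_create,
    EVT_FILE_CREATE: check_file_create,
    EVT_REGISTRY_SET: check_registry_set,
}


def detect(events):
    """Return the list of rule hits for a sequence of event dicts."""
    hits = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        hit = rule(ev) if rule else None
        if hit:
            hits.append(hit)
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3ae29db0d835a3cc48cc336488002922.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SCHTASKS32 = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events mirroring the report's observations, plus two benign controls.
EVENTS = [
    {"EventID": 1, "Image": SCHTASKS32, "ParentImage": SAMPLE,
     "CommandLine": '"schtasks.exe" /create /f /tn "AGP Monitor" /xml "' + TEMP + r'\tmp8467.tmp"'},
    {"EventID": 1, "Image": SCHTASKS32, "ParentImage": SAMPLE,
     "CommandLine": '"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "' + TEMP + r'\tmp8969.tmp"'},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor",
     "Details": r"C:\Program Files (x86)\AGP Monitor\agpmon.exe"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Program Files (x86)\AGP Monitor\agpmon.exe"},
    # Control: an admin importing a task XML kept in Documents from a cmd.exe parent.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn Backup /xml "C:\Users\Admin\Documents\backup.xml"'},
    # Control: msiexec (not Temp-resident) laying down a product binary.
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Run against the constructed events, the four malicious events fire and both controls stay silent. The Temp-resident-parent condition on the schtasks rule is what keeps legitimate task imports quiet; drop it if your environment never runs schtasks from Temp at all, since the import path alone is then sufficient.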
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp8467.tmp
Filesize 1KB
MD5 8d33688d3753a900f1c0fcf72fe2bcd9
SHA1 0863b585ceeaea0804530555dfa362655dc17545
SHA256 39cd1f404be845d4410a7a1aeaa5e1a9e6ce8330c358dc8e45782298ba36029b
SHA512 637093d724740beeaa5d1d9b8b0a940d8b89d4df9f33fe0b80ca311733255a3a7464e3ca08bff47f17e00c5104ed03e5c14266b1e90b85da2e682bf0a2ec1c8e
-
C:\Users\Admin\AppData\Local\Temp\tmp8969.tmp
Filesize 1KB
MD5 157cd55403665c49c9fd3ca1196c4397
SHA1 4feed6e606b41bb617274471349582963182756b
SHA256 49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e
SHA512 bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8
-
memory/3344-133-0x0000000000000000-mapping.dmp
-
memory/4060-135-0x0000000000000000-mapping.dmp
-
memory/4896-132-0x00000000752B0000-0x0000000075861000-memory.dmp
Filesize 5.7MB
-
memory/4896-137-0x00000000752B0000-0x0000000075861000-memory.dmp
Filesize 5.7MB