Overview

overview

10

Static

static

7

HEUR-Troja...97.exe

windows7-x64

10

HEUR-Troja...97.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

  • Size

    555KB

  • Sample

    220924-lm7l4aahh5

  • MD5

    2102422fdf58e1f1ea628e864576f437

  • SHA1

    a071690fa220c12e9b5fa85e70dc3e7c42b30893

  • SHA256

    fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

  • SHA512

    9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6

  • SSDEEP

    12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg

Score
10/10
agilenetevasionransomwaretrojan

Malware Config

Targets

    • Target

      HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

    • Size

      555KB

    • MD5

      2102422fdf58e1f1ea628e864576f437

    • SHA1

      a071690fa220c12e9b5fa85e70dc3e7c42b30893

    • SHA256

      fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

    • SHA512

      9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6

    • SSDEEP

      12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg

    Score
    10/10
    agilenetevasionransomwaretrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Windows security modification

      evasiontrojan

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

2
T1089

Indicator Removal on Host

1
T1070

File Deletion

3
T1107

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Tasks