Overview

overview

10

Static

static

7

HEUR-Troja...97.exe

windows7-x64

10

HEUR-Troja...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

  • Size

    555KB

  • MD5

    2102422fdf58e1f1ea628e864576f437

  • SHA1

    a071690fa220c12e9b5fa85e70dc3e7c42b30893

  • SHA256

    fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

  • SHA512

    9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6

  • SSDEEP

    12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg

Score
10/10
agilenetevasionransomwaretrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\qntd4mxr.inf
      2⤵
        PID:944
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\w1uvcmam.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\temp\w1uvcmam.exe
        C:\Windows\temp\w1uvcmam.exe
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Modifies extensions of user files
        • Windows security modification
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1732
        • C:\Windows\system32\cmd.exe
          "cmd.exe"
          3⤵
            PID:1964
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1700

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Temp\w1uvcmam.exe
        Filesize

        449KB

        MD5

        1db0b6b8d8429a19745386172720b241

        SHA1

        bbe8ca48fecc9ee2e909a453e60bda1548b85898

        SHA256

        0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d

        SHA512

        e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

        Download Submit
      • C:\Windows\temp\qntd4mxr.inf
        Filesize

        583B

        MD5

        762e7afd44f01f83bfdc484f5cfbd603

        SHA1

        b5386d2bbd30c1df890be6ac594a2f614dd8e2b5

        SHA256

        e36e1a5dbb962545a01c567dfa639b6d40dcdda8447f6193a658b8c474dcb8af

        SHA512

        82118201c7100e2dda0a31e32443d766097f4017b626d0ab720efd15e7a7e7d7fde208df058c7d0299c53c75f3a65db329bec0613b454de6d8acb775fff42d29

        Download Submit
      • C:\Windows\temp\w1uvcmam.exe
        Filesize

        449KB

        MD5

        1db0b6b8d8429a19745386172720b241

        SHA1

        bbe8ca48fecc9ee2e909a453e60bda1548b85898

        SHA256

        0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d

        SHA512

        e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

        Download Submit
      • \Users\Admin\AppData\Local\Temp\42bdbff4-2e20-4168-9b00-6137d5d5603f\AgileDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        Download Submit
      • memory/796-67-0x00000000005B0000-0x00000000005F2000-memory.dmp
        Filesize

        264KB

        Download
      • memory/796-65-0x0000000000E80000-0x0000000000EF6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/796-63-0x0000000000000000-mapping.dmp
        Download
      • memory/944-59-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/944-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1048-61-0x00000000003D6000-0x00000000003F5000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1048-60-0x00000000003D6000-0x00000000003F5000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1048-54-0x0000000000C90000-0x0000000000D1E000-memory.dmp
        Filesize

        568KB

        Download
      • memory/1048-56-0x000007FEF69E0000-0x000007FEF6B0C000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1732-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1732-70-0x000007FEEB500000-0x000007FEEBF23000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/1732-71-0x000007FEEA9A0000-0x000007FEEB4FD000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/1732-72-0x00000000027E4000-0x00000000027E7000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1732-73-0x00000000027EB000-0x000000000280A000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1732-74-0x00000000027EB000-0x000000000280A000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1964-75-0x0000000000000000-mapping.dmp
        Download