fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

Analysis

max time kernel
152s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/09/2022, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Size

555KB
MD5

2102422fdf58e1f1ea628e864576f437
SHA1

a071690fa220c12e9b5fa85e70dc3e7c42b30893
SHA256

fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
SHA512

9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6
SSDEEP

12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg

Score

10^/10

agilenet evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	w1uvcmam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	w1uvcmam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	w1uvcmam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	w1uvcmam.exe

Executes dropped EXE 1 IoCs

pid	Process
796	w1uvcmam.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\DismountOpen.raw => C:\Users\Admin\Pictures\DismountOpen.raw.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\EnableAssert.tif => C:\Users\Admin\Pictures\EnableAssert.tif.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\UnregisterAssert.tif => C:\Users\Admin\Pictures\UnregisterAssert.tif.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\GrantLimit.raw => C:\Users\Admin\Pictures\GrantLimit.raw.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.cryt0y	w1uvcmam.exe
File renamed	C:\Users\Admin\Pictures\ReadClose.crw => C:\Users\Admin\Pictures\ReadClose.crw.cryt0y	w1uvcmam.exe

Loads dropped DLL 1 IoCs

pid	Process
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1048-54-0x0000000000C90000-0x0000000000D1E000-memory.dmp	agile_net
behavioral1/files/0x000900000001230f-62.dat	agile_net
behavioral1/files/0x000900000001230f-64.dat	agile_net
behavioral1/memory/796-65-0x0000000000E80000-0x0000000000EF6000-memory.dmp	agile_net

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	w1uvcmam.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	w1uvcmam.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif	w1uvcmam.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png	w1uvcmam.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML	w1uvcmam.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.log	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	w1uvcmam.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	w1uvcmam.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	w1uvcmam.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js	w1uvcmam.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\icon.png	w1uvcmam.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ELPHRG01.WAV	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	w1uvcmam.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Country.css	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RSSFeeds.css	w1uvcmam.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	w1uvcmam.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif	w1uvcmam.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	w1uvcmam.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.GIF	w1uvcmam.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	w1uvcmam.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\WindowsMediaPlayerPlayDVD.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\RS_RemoveUnusedDesktopIcons.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\TS_UXSMS.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Performance\RS_SwitchIntoDMA.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Performance\TS_PIOMode.ps1	w1uvcmam.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\TS_HomeGroup.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Performance\RS_MultipleUsers.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\TS_Wirelessadaptersettings.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\TS_MirrorDriver.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Device\TS_HardwareDeviceMain.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\RS_AdjustDimDisplay.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\RS_MachineWERQueue.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Audio\RS_Unmute.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Networking\InteractiveRes.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\TS_CannotConnect.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\CL_AeroFeature.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Networking\NetworkDiagnosticsTroubleshoot.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\TS_ScreenSaver.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\TS_NoPrinterInstalled.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\TS_DWMEnable.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\CL_WinSAT.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\TS_OutOfToner.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\TS_DiagnosticHistory.ps1	w1uvcmam.exe
File created	C:\Windows\assembly\pubpol4.dat	w1uvcmam.exe
File opened for modification	C:\Windows\DtcInstall.log	w1uvcmam.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\RS_UserWERQueue.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\TS_HardwareSupport.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Audio\CL_Utility.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Device\TS_WindowsUpdate.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\HomeGroup\RS_LaunchInteraction.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\TS_DimDisplay.ps1	w1uvcmam.exe
File opened for modification	C:\Windows\assembly\pubpol37.dat	w1uvcmam.exe
File created	C:\Windows\diagnostics\index\AudioRecordingDiagnostic.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\PCW\VF_ProgramCompatibilityWizard.ps1	w1uvcmam.exe
File opened for modification	C:\Windows\TSSysprep.log	w1uvcmam.exe
File created	C:\Windows\diagnostics\index\NetworkDiagnostics_6_DA.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\RS_ResetIdleSleepsetting.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\CL_Utility.ps1	w1uvcmam.exe
File created	C:\Windows\mib.bin	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Device\RS_EnableDevice.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\HomeGroup\CL_Service.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\TS_DisplayIdleTimeout.ps1	w1uvcmam.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\RS_SpoolerCrashing.ps1	w1uvcmam.exe
File created	C:\Windows\Boot\DVD\EFI\en-US\efisys.bin	w1uvcmam.exe
File created	C:\Windows\diagnostics\index\NetworkDiagnostics_3_HomeGroup.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\AERO\RS_Themes.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Performance\TS_TooManyStartupPrograms.ps1	w1uvcmam.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\RS_Adjustwirelessadaptersettings.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Device\TS_NotWorkProperly.ps1	w1uvcmam.exe
File created	C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Device\RS_UpdateDriver.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Device\RS_WindowsUpdate.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Power\RS_ChangeProcessorState.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\RS_ProcessPrinterjobs.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\RS_WrongDefaultPrinter.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Printer\TS_PrinterDriverError.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\HomeGroup\CL_Detection.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\index\NetworkDiagnostics_5_Inbound.xml	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Performance\RS_VisualEffects.ps1	w1uvcmam.exe
File created	C:\Windows\diagnostics\system\Performance\TS_PowerMode.ps1	w1uvcmam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1700	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	796	w1uvcmam.exe
Token: SeDebugPrivilege	796	w1uvcmam.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 944	1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe	27
PID 1048 wrote to memory of 944	1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe	27
PID 1048 wrote to memory of 944	1048	HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe	27
PID 1872 wrote to memory of 796	1872	cmd.exe	31
PID 1872 wrote to memory of 796	1872	cmd.exe	31
PID 1872 wrote to memory of 796	1872	cmd.exe	31
PID 796 wrote to memory of 1732	796	w1uvcmam.exe	36
PID 796 wrote to memory of 1732	796	w1uvcmam.exe	36
PID 796 wrote to memory of 1732	796	w1uvcmam.exe	36
PID 796 wrote to memory of 1964	796	w1uvcmam.exe	37
PID 796 wrote to memory of 1964	796	w1uvcmam.exe	37
PID 796 wrote to memory of 1964	796	w1uvcmam.exe	37

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- \??\c:\windows\system32\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\qntd4mxr.inf
  2⤵
  PID:944

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\w1uvcmam.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\temp\w1uvcmam.exe
  C:\Windows\temp\w1uvcmam.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Modifies extensions of user files
  - Windows security modification
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\system32\cmd.exe
    "cmd.exe"
    3⤵
    PID:1964

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\w1uvcmam.exe

Filesize
449KB

MD5
1db0b6b8d8429a19745386172720b241

SHA1
bbe8ca48fecc9ee2e909a453e60bda1548b85898

SHA256
0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d

SHA512
e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

Download Submit
C:\Windows\temp\qntd4mxr.inf

Filesize
583B

MD5
762e7afd44f01f83bfdc484f5cfbd603

SHA1
b5386d2bbd30c1df890be6ac594a2f614dd8e2b5

SHA256
e36e1a5dbb962545a01c567dfa639b6d40dcdda8447f6193a658b8c474dcb8af

SHA512
82118201c7100e2dda0a31e32443d766097f4017b626d0ab720efd15e7a7e7d7fde208df058c7d0299c53c75f3a65db329bec0613b454de6d8acb775fff42d29

Download Submit
C:\Windows\temp\w1uvcmam.exe

Filesize
449KB

MD5
1db0b6b8d8429a19745386172720b241

SHA1
bbe8ca48fecc9ee2e909a453e60bda1548b85898

SHA256
0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d

SHA512
e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

Download Submit
\Users\Admin\AppData\Local\Temp\42bdbff4-2e20-4168-9b00-6137d5d5603f\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/796-67-0x00000000005B0000-0x00000000005F2000-memory.dmp

Filesize
264KB

Download
memory/796-65-0x0000000000E80000-0x0000000000EF6000-memory.dmp

Filesize
472KB

Download
memory/944-59-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1048-61-0x00000000003D6000-0x00000000003F5000-memory.dmp

Filesize
124KB

Download
memory/1048-60-0x00000000003D6000-0x00000000003F5000-memory.dmp

Filesize
124KB

Download
memory/1048-54-0x0000000000C90000-0x0000000000D1E000-memory.dmp

Filesize
568KB

Download
memory/1048-56-0x000007FEF69E0000-0x000007FEF6B0C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-70-0x000007FEEB500000-0x000007FEEBF23000-memory.dmp

Filesize
10.1MB

Download
memory/1732-71-0x000007FEEA9A0000-0x000007FEEB4FD000-memory.dmp

Filesize
11.4MB

Download
memory/1732-72-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1732-73-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1732-74-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download