Analysis

  • max time kernel
    172s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2022 09:40

General

  • Target

    HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

  • Size

    555KB

  • MD5

    2102422fdf58e1f1ea628e864576f437

  • SHA1

    a071690fa220c12e9b5fa85e70dc3e7c42b30893

  • SHA256

    fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

  • SHA512

    9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6

  • SSDEEP

    12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Windows security modification 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3524
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\clye5h5t.inf
      2⤵
      PID:4200
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\Windows\temp\mesthh4q.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\temp\mesthh4q.exe
      C:\Windows\temp\mesthh4q.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Modifies extensions of user files
      • Windows security modification
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\system32\cmd.exe
        "cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3656
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3936
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4564
        • C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Application
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
        • C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Security
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:1488
        • C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl System
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
        • C:\Windows\system32\bcdedit.exe
          Bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4352
        • C:\Windows\system32\bcdedit.exe
          Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1760
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog
          4⤵
          • Deletes backup catalog
          • Drops file in Windows directory
          PID:5088
  • C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    1⤵
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:1264
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:176
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4712
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3380
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059): 1
  • Persistence
    Modify Existing Service (T1031): 1
  • Defense Evasion
    Modify Registry (T1112): 2
    Disabling Security Tools (T1089): 2
    Indicator Removal on Host (T1070): 1
    File Deletion (T1107): 3
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
  • Impact
    Inhibit System Recovery (T1490): 4


Downloads

  • C:\Users\Admin\AppData\Local\Temp\42bdbff4-2e20-4168-9b00-6137d5d5603f\AgileDotNetRT64.dll

    Filesize
    75KB

    MD5
    42b2c266e49a3acd346b91e3b0e638c0

    SHA1
    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256
    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512
    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • C:\Windows\Temp\mesthh4q.exe

    Filesize
    449KB

    MD5
    1db0b6b8d8429a19745386172720b241

    SHA1
    bbe8ca48fecc9ee2e909a453e60bda1548b85898

    SHA256
    0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d

    SHA512
    e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

  • C:\Windows\temp\clye5h5t.inf

    Filesize
    583B

    MD5
    8c0db96fe81b49ba6bd3508ef807a890

    SHA1
    aa452d23a161f21cfa7844ec9ea530433e4b6314

    SHA256
    646de5e32d78a2e858437cf8d9c8a568602df6bfa7779d1b539f3483662b77cf

    SHA512
    bf8091e46ca71ec821e624825c68a6c07fc0b1c5f3aea8cf4e3a539185fc5823a8b49d975825478415a2f284e32fe5f2b648ed315d5e769569dac82e096d50ea

  • C:\Windows\temp\mesthh4q.exe

    Filesize
    449KB

    MD5
    1db0b6b8d8429a19745386172720b241

    SHA1
    bbe8ca48fecc9ee2e909a453e60bda1548b85898

    SHA256
    0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d

    SHA512
    e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

  • memory/1488-153-0x0000000000000000-mapping.dmp
  • memory/1760-156-0x0000000000000000-mapping.dmp
  • memory/2288-152-0x0000000000000000-mapping.dmp
  • memory/2488-143-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
    Filesize
    10.8MB
  • memory/2488-150-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
    Filesize
    10.8MB
  • memory/2488-139-0x0000000000000000-mapping.dmp
  • memory/2488-142-0x0000000000E20000-0x0000000000E96000-memory.dmp
    Filesize
    472KB
  • memory/2748-144-0x0000000000000000-mapping.dmp
  • memory/2748-147-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
    Filesize
    10.8MB
  • memory/2748-145-0x00000224F5450000-0x00000224F5472000-memory.dmp
    Filesize
    136KB
  • memory/2748-146-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
    Filesize
    10.8MB
  • memory/3524-138-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
    Filesize
    10.8MB
  • memory/3524-132-0x00000000002F0000-0x000000000037E000-memory.dmp
    Filesize
    568KB
  • memory/3524-137-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
    Filesize
    10.8MB
  • memory/3524-134-0x00007FFA03A80000-0x00007FFA03BCE000-memory.dmp
    Filesize
    1.3MB
  • memory/3656-148-0x0000000000000000-mapping.dmp
  • memory/3936-149-0x0000000000000000-mapping.dmp
  • memory/4200-135-0x0000000000000000-mapping.dmp
  • memory/4352-155-0x0000000000000000-mapping.dmp
  • memory/4564-151-0x0000000000000000-mapping.dmp
  • memory/4892-154-0x0000000000000000-mapping.dmp
  • memory/5088-157-0x0000000000000000-mapping.dmp