ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2

General

Target

ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe
Size

1.6MB
MD5

603ff38e1dd9be90118336909af14aed
SHA1

20f19350d5ce97fbd4a343fa0104233be514d698
SHA256

ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2
SHA512

10e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4
SSDEEP

24576:6wgm46MndwBGqdWNOYAkX0wdSTGS8K6dLw9ijqbdWM9p5IBeu1u1i4xe5Ev48o9g:6wNCyWN1AkaGS8KL9CYyOVs09

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
616	avgent.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
784	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e50625ca07ed77dd1859120b52a3bd56.exe	avgent.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e50625ca07ed77dd1859120b52a3bd56.exe	avgent.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe
2036	ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\e50625ca07ed77dd1859120b52a3bd56 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\avgent.exe\" .."	avgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e50625ca07ed77dd1859120b52a3bd56 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\avgent.exe\" .."	avgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
616	avgent.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	avgent.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 616	2036	ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe	26
PID 2036 wrote to memory of 616	2036	ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe	26
PID 2036 wrote to memory of 616	2036	ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe	26
PID 2036 wrote to memory of 616	2036	ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe	26
PID 616 wrote to memory of 784	616	avgent.exe	27
PID 616 wrote to memory of 784	616	avgent.exe	27
PID 616 wrote to memory of 784	616	avgent.exe	27
PID 616 wrote to memory of 784	616	avgent.exe	27

C:\Users\Admin\AppData\Local\Temp\ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe
"C:\Users\Admin\AppData\Local\Temp\ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\avgent.exe
  "C:\Users\Admin\AppData\Local\Temp\avgent.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\avgent.exe" "avgent.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avgent.exe

Filesize
1.6MB

MD5
603ff38e1dd9be90118336909af14aed

SHA1
20f19350d5ce97fbd4a343fa0104233be514d698

SHA256
ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2

SHA512
10e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avgent.exe

Filesize
1.6MB

MD5
603ff38e1dd9be90118336909af14aed

SHA1
20f19350d5ce97fbd4a343fa0104233be514d698

SHA256
ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2

SHA512
10e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4

Download Submit
\Users\Admin\AppData\Local\Temp\avgent.exe

Filesize
1.6MB

MD5
603ff38e1dd9be90118336909af14aed

SHA1
20f19350d5ce97fbd4a343fa0104233be514d698

SHA256
ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2

SHA512
10e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4

Download Submit
\Users\Admin\AppData\Local\Temp\avgent.exe

Filesize
1.6MB

MD5
603ff38e1dd9be90118336909af14aed

SHA1
20f19350d5ce97fbd4a343fa0104233be514d698

SHA256
ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2

SHA512
10e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4

Download Submit
memory/616-63-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/616-66-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-62-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing