a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd

General

Target

a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
Size

875KB
MD5

0baf9124d7e983a20ee54e07b5e749d0
SHA1

6f7b68a0899bffe7c4fc0da6a1f46027341a4c41
SHA256

a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd
SHA512

4010ae23efaef45bf9527cb2eaf4ab71293da13dcac4d7f417b4098ce338ca063af0e82f3f2225e87bb150ca9009f8c9bfed3c21585c567ade669e153df6ae57
SSDEEP

12288:FLozg61ikvvA3+Emo7ker5I/DbtSILfXOB3k3V/UnEIOKLS4QLDg:ug6osvA3L7ky5I34ca3UNyTOKLS4Q

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	win32.exe
1088	CAMSTE~1.EXE

Loads dropped DLL 4 IoCs

pid	Process
1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
1744	win32.exe
1744	win32.exe
1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000c0000000122e9-55.dat	agile_net
behavioral1/files/0x000c0000000122e9-57.dat	agile_net
behavioral1/files/0x000c0000000122e9-59.dat	agile_net
behavioral1/files/0x000c0000000122e9-60.dat	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	win32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1744	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	27
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28
PID 1064 wrote to memory of 1088	1064	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	28

C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
"C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE
  2⤵
  - Executes dropped EXE
  PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE

Filesize
427KB

MD5
243cee9625b37e0773d1ddd3d69e1526

SHA1
2b7ca49b61fea948a78d50848d535be2d6c68009

SHA256
28a9667ed1bfa034979571d1a89da0965d9b137130d877b07eef865f714c0088

SHA512
a1e398998f62cd3c782f632d6e338587c55100f81960a59886e174659538052483d6d7e588457a109d043f9c3e5fdcb4e2c5776286bb1a68ba3460e66527d607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE

Filesize
427KB

MD5
243cee9625b37e0773d1ddd3d69e1526

SHA1
2b7ca49b61fea948a78d50848d535be2d6c68009

SHA256
28a9667ed1bfa034979571d1a89da0965d9b137130d877b07eef865f714c0088

SHA512
a1e398998f62cd3c782f632d6e338587c55100f81960a59886e174659538052483d6d7e588457a109d043f9c3e5fdcb4e2c5776286bb1a68ba3460e66527d607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe

Filesize
403KB

MD5
63892ebce4036f604aa3bf3137904831

SHA1
99b4ad0983286aa3318ea71d88f359a2e34e3ad4

SHA256
f216524bbdda5343457fc8a951cc3a72e0259c4bfe3fd81d4f7e0709f96fc7e6

SHA512
c7cc6a9f2e48ce20b3fa245ab58b746503e5a26bd7d46dfc8aad7000bbb122e7d845630171b19ec3d0690d1ce31731d371a6a93a79f225aaa44f4668646a1aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe

Filesize
403KB

MD5
63892ebce4036f604aa3bf3137904831

SHA1
99b4ad0983286aa3318ea71d88f359a2e34e3ad4

SHA256
f216524bbdda5343457fc8a951cc3a72e0259c4bfe3fd81d4f7e0709f96fc7e6

SHA512
c7cc6a9f2e48ce20b3fa245ab58b746503e5a26bd7d46dfc8aad7000bbb122e7d845630171b19ec3d0690d1ce31731d371a6a93a79f225aaa44f4668646a1aae

Download Submit
\Users\Admin\AppData\Local\Temp\284877ff-5f2f-42db-b598-d043f6f1f0a2\AgileDotNetRT.dll

Filesize
119KB

MD5
3289e1d8d7227a102ec7345ce050776f

SHA1
0e3d5324a0e2a58219ff0e3664a930e0943e0cd6

SHA256
bf81634b71d21be6f7c5515dc07ea2233a2d3f2a27c202348bfb9cd11b27789b

SHA512
85627c2d47cf9890a25a587af7ed2ac73e3974992d974b3d50d8d92c973fcb899800fac10459deeebc456fef8ed1fab050be81fca824f58fee10dbd452a3bec5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE

Filesize
427KB

MD5
243cee9625b37e0773d1ddd3d69e1526

SHA1
2b7ca49b61fea948a78d50848d535be2d6c68009

SHA256
28a9667ed1bfa034979571d1a89da0965d9b137130d877b07eef865f714c0088

SHA512
a1e398998f62cd3c782f632d6e338587c55100f81960a59886e174659538052483d6d7e588457a109d043f9c3e5fdcb4e2c5776286bb1a68ba3460e66527d607

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe

Filesize
403KB

MD5
63892ebce4036f604aa3bf3137904831

SHA1
99b4ad0983286aa3318ea71d88f359a2e34e3ad4

SHA256
f216524bbdda5343457fc8a951cc3a72e0259c4bfe3fd81d4f7e0709f96fc7e6

SHA512
c7cc6a9f2e48ce20b3fa245ab58b746503e5a26bd7d46dfc8aad7000bbb122e7d845630171b19ec3d0690d1ce31731d371a6a93a79f225aaa44f4668646a1aae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe

Filesize
403KB

MD5
63892ebce4036f604aa3bf3137904831

SHA1
99b4ad0983286aa3318ea71d88f359a2e34e3ad4

SHA256
f216524bbdda5343457fc8a951cc3a72e0259c4bfe3fd81d4f7e0709f96fc7e6

SHA512
c7cc6a9f2e48ce20b3fa245ab58b746503e5a26bd7d46dfc8aad7000bbb122e7d845630171b19ec3d0690d1ce31731d371a6a93a79f225aaa44f4668646a1aae

Download Submit
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1088-71-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/1088-72-0x000007FEF3080000-0x000007FEF4116000-memory.dmp

Filesize
16.6MB

Download
memory/1088-73-0x0000000000AE6000-0x0000000000B05000-memory.dmp

Filesize
124KB

Download
memory/1088-74-0x0000000000AE6000-0x0000000000B05000-memory.dmp

Filesize
124KB

Download
memory/1744-63-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-64-0x0000000073DA0000-0x0000000073DD2000-memory.dmp

Filesize
200KB

Download
memory/1744-65-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-66-0x0000000073DA0000-0x0000000073DD2000-memory.dmp

Filesize
200KB

Download
memory/1744-62-0x0000000074140000-0x000000007419B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing