a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd

Analysis

max time kernel
6s
max time network
2s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
Size

875KB
MD5

0baf9124d7e983a20ee54e07b5e749d0
SHA1

6f7b68a0899bffe7c4fc0da6a1f46027341a4c41
SHA256

a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd
SHA512

4010ae23efaef45bf9527cb2eaf4ab71293da13dcac4d7f417b4098ce338ca063af0e82f3f2225e87bb150ca9009f8c9bfed3c21585c567ade669e153df6ae57
SSDEEP

12288:FLozg61ikvvA3+Emo7ker5I/DbtSILfXOB3k3V/UnEIOKLS4QLDg:ug6osvA3L7ky5I34ca3UNyTOKLS4Q

Score

8^/10

agilenet persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3592	win32.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x000400000001e64b-134.dat	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 3592	1340	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	25
PID 1340 wrote to memory of 3592	1340	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	25
PID 1340 wrote to memory of 3592	1340	a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe	25

C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
"C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
  2⤵
  - Executes dropped EXE
  PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe

Filesize
24KB

MD5
f798975aec12da698c0f3f65c596da3b

SHA1
18fe04e44cfc06342c7f5012ca66cc01e9b07935

SHA256
b0d454572515ba89bfe098006901a72c0fadfb2e49833e7bfc77aea337ee3bbd

SHA512
e081aa57857b634641c4c31a07f53ddb93dbd96d5ffd44039e8be40280d82269ce31ffae9ab131fe3afa46273e0d378245461440e4543858f52aaae9023f62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe

Filesize
37KB

MD5
753407d444e5c25ac963d7a6886dd676

SHA1
3631410e174fc9660c757a74204783ad33a63111

SHA256
8a85c61d47efe9b22784c377d92f57bfda0c4ed8c515fbb7633e26463b7a9422

SHA512
38299af93d8f910519719ae95c183b666a1ba9b67a29ebbd50f434d47d78676560fc36f62736211a2058618741b0129433b51c5ab243ed60df52abfc54fc1ec7

Download Submit