6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71 | Triage

Submit
Reports

Overview

overview

Static

static

7

6747a2a27e...71.exe

windows7-x64

6747a2a27e...71.exe

windows10-2004-x64

Sharing

General

Target

6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71
Size

114KB
Sample

221128-wc6bdsdd56
MD5

919b78ba094eb8f98f41165b5173468b
SHA1

174f1bee60add9f9a1b24e954f35ce855fde3032
SHA256

6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71
SHA512

0eca71bd8240fe484e89d70d95ce45b22b266c409f5c23013e266e3bc6f87c250b36292e63f04b9891f85949e6978507d98a73570884073418e42fd99f40b0d8
SSDEEP

1536:Ir7Q2d8CSCc2zcM6Gtu7juJpeus/ol6MgPiABllwJYR8D+2Ec18cKjALJJJ9TkV7:Ifd9PlEXu3s/GgKKsK8JEpsTTw

Score

10^/10

agilenet persistence upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71.exe

Resource

win7-20221111-en

agilenet persistence upx

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71.exe

Resource

win10v2004-20220812-en

agilenet persistence upx

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71
- Size
  
  114KB
- MD5
  
  919b78ba094eb8f98f41165b5173468b
- SHA1
  
  174f1bee60add9f9a1b24e954f35ce855fde3032
- SHA256
  
  6747a2a27e10336a97cf9c606aca001ae8c464bfd0300de6b6ee56c3158b5b71
- SHA512
  
  0eca71bd8240fe484e89d70d95ce45b22b266c409f5c23013e266e3bc6f87c250b36292e63f04b9891f85949e6978507d98a73570884073418e42fd99f40b0d8
- SSDEEP
  
  1536:Ir7Q2d8CSCc2zcM6Gtu7juJpeus/ol6MgPiABllwJYR8D+2Ec18cKjALJJJ9TkV7:Ifd9PlEXu3s/GgKKsK8JEpsTTw
Score

10^/10

agilenet persistence upx
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agilenetpersistenceupx

behavioral2

agilenetpersistenceupx

© 2018-2024

Terms | Privacy