Analysis

  • max time kernel
    151s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 17:54

General

  • Target

    43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe

  • Size

    305KB

  • MD5

    1a1733bae2a5c22dc130d2f0f82302ef

  • SHA1

    5334d5f2c4d14c214ce4e86fe3f5098b7f38d008

  • SHA256

    43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987

  • SHA512

    0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30

  • SSDEEP

    6144:XNFawti8qjlBtYCcYWctAnvLxSRO3NO4n06qAOssKfpYT:doQiDpBuCcB9WO3U40hAOssMps

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration on its own is weak evidence (it is also used for anti-VM checks and spreading); no file-encryption activity is listed elsewhere in this report.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
    "C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe
      "C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        • Checks for any installed AV software in registry
        • Checks processor information in registry
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Windows\SysWOW64\svchost.exe
          -k NetworkService
          4⤵
            PID:2620
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 88
              5⤵
              • Program crash
              PID:4888
        • C:\Users\Admin\AppData\Roaming\csrss.exe
          "C:\Users\Admin\AppData\Roaming\csrss.exe" -reg "explorer.exe, C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2620 -ip 2620
      1⤵
        PID:1996
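
The process tree above carries the classic hollowing pattern: a dropper in %AppData% (PID 4712) uses SetThreadContext and WriteProcessMemory, its child is a svchost.exe started by something other than services.exe and without a `-k` service group (PID 452), and a copy of the sample named csrss.exe runs from %AppData% (PID 2300). The script below is an added example, not part of the Triage report, that encodes those heuristics and runs them over a process list constructed from this tree (the `sigs` field carries the per-process signature names the report lists). The SysWOW64-versus-System32 difference for PID 452 is deliberately not used as evidence: a 32-bit launcher naming System32\svchost.exe gets WoW64 file-system redirection to SysWOW64, so that mismatch alone proves nothing.

```python
import ntpath

# Binaries that belong under C:\Windows; a copy anywhere else is name masquerading (T1036).
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "wininit.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(path):
    return ntpath.basename(path).lower()


def analyze(procs):
    """procs: list of dicts with pid, ppid, image, cmdline, sigs (sandbox signature names)."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []

    def flag(p, rule, detail):
        findings.append({"pid": p["pid"], "rule": rule, "detail": detail})

    for p in procs:
        name = basename(p["image"])
        in_windows = p["image"].lower().startswith(WINDOWS_DIR)
        parent = by_pid.get(p["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"

        if name == "svchost.exe":
            # Genuine service hosts are children of services.exe and always carry -k <group>.
            if parent_name != "services.exe":
                flag(p, "svchost-parent", f"started by {parent_name}")
            if "-k" not in p["cmdline"].split():
                flag(p, "svchost-no-k", "no service-group argument")

        if name in SYSTEM_NAMES and not in_windows:
            flag(p, "masquerade", f"{name} running from {ntpath.dirname(p['image'])}")

        # A system binary whose parent both wrote its memory and reset a thread context is the
        # hollowing pattern; the SysWOW64/System32 path difference is WoW64 redirection, ignored.
        if in_windows and parent and {"SetThreadContext", "WriteProcessMemory"} <= set(parent["sigs"]):
            flag(p, "hollowing-candidate", f"parent {parent_name} (pid {parent['pid']})")
    return findings


# Constructed from this report's process tree; sigs are the per-process signature names it shows.
SAMPLE_TREE = [
    {"pid": 1368, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe"',
     "sigs": ["RenamesItself", "WriteProcessMemory"]},
    {"pid": 4712, "ppid": 1368, "image": r"C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"',
     "sigs": ["SetThreadContext", "WriteProcessMemory"]},
    {"pid": 452, "ppid": 4712, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Windows\System32\svchost.exe"',
     "sigs": ["MapViewOfSection", "AdjustPrivilegeToken", "WriteProcessMemory"]},
    {"pid": 2620, "ppid": 452, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": "-k NetworkService", "sigs": []},
    {"pid": 4888, "ppid": 2620, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 88", "sigs": []},
    {"pid": 2300, "ppid": 452, "image": r"C:\Users\Admin\AppData\Roaming\csrss.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\csrss.exe" -reg "explorer.exe, C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"',
     "sigs": ["AdjustPrivilegeToken"]},
    {"pid": 1996, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2620 -ip 2620", "sigs": []},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TREE):
        print(f"pid {f['pid']:<5} {f['rule']:<22} {f['detail']}")
```

On a live host the same rules apply to Sysmon event ID 1 (ParentImage, CommandLine) and to event IDs 8/10 in place of the sandbox's SetThreadContext/WriteProcessMemory signatures; the `svchost-parent` rule will also fire for the second svchost (PID 2620), which is correct here because its parent is the hollowed host rather than services.exe.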

      Network

      MITRE ATT&CK Matrix ATT&CK v6

        • Persistence: Winlogon Helper DLL (T1004), 1 hit
        • Defense Evasion: Modify Registry (T1112), 1 hit
        • Discovery: Query Registry (T1012), 2 hits; System Information Discovery (T1082), 3 hits; Security Software Discovery (T1063), 1 hit

      The IDs are ATT&CK v6 technique numbers, as the report states; in current ATT&CK, T1004 maps to T1547.004 (Boot or Logon Autostart Execution: Winlogon Helper DLL) and T1063 to T1518.001 (Software Discovery: Security Software Discovery).

      Downloads

      • C:\Users\Admin\AppData\Roaming\csrss.exe
        Filesize

        305KB

        MD5

        1a1733bae2a5c22dc130d2f0f82302ef

        SHA1

        5334d5f2c4d14c214ce4e86fe3f5098b7f38d008

        SHA256

        43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987

        SHA512

        0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30

      • memory/452-144-0x0000000001760000-0x00000000017AB000-memory.dmp
        Filesize

        300KB

      • memory/452-142-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

      • memory/452-136-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

      • memory/452-137-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

      • memory/452-138-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

      • memory/452-135-0x0000000000000000-mapping.dmp
      • memory/452-139-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

      • memory/452-151-0x0000000003560000-0x000000000356B000-memory.dmp
        Filesize

        44KB

      • memory/452-150-0x0000000001760000-0x00000000017AB000-memory.dmp
        Filesize

        300KB

      • memory/1368-134-0x00000000752A0000-0x0000000075851000-memory.dmp
        Filesize

        5.7MB

      • memory/1368-132-0x00000000752A0000-0x0000000075851000-memory.dmp
        Filesize

        5.7MB

      • memory/2300-152-0x00000000752A0000-0x0000000075851000-memory.dmp
        Filesize

        5.7MB

      • memory/2300-145-0x0000000000000000-mapping.dmp
      • memory/2300-154-0x00000000752A0000-0x0000000075851000-memory.dmp
        Filesize

        5.7MB

      • memory/2620-149-0x0000000000000000-mapping.dmp
      • memory/2620-153-0x0000000077B50000-0x0000000077CF3000-memory.dmp
        Filesize

        1.6MB

      • memory/4712-148-0x00000000752A0000-0x0000000075851000-memory.dmp
        Filesize

        5.7MB

      • memory/4712-133-0x0000000000000000-mapping.dmp
      • memory/4712-140-0x00000000752A0000-0x0000000075851000-memory.dmp
        Filesize

        5.7MB