f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52

General

Target

f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
Size

512KB
MD5

d036fabd76bf32570481a2224706ddef
SHA1

f52ce02926904c648f4b4a5a4a5ad14db09c45e0
SHA256

f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52
SHA512

752c2de69fc94e66e772fd48721d71ee56da6156e7460d3a415f702a07fc14c1645e5ef7885142b8207437ba9536cd533d0fec8d8f064bc70453bd457c9d5968
SSDEEP

12288:SZHVhCLTfKQwDvD5H6Mrb+/0ULRctxIbuOUbXEJ6Ay:EH0KQoP3+/MSHqb

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

daff.exetes.exe

pid process

1932 daff.exe
1656 tes.exe
Loads dropped DLL 5 IoCs

Processes:

f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exedaff.exe

pid process

1256 f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
1932 daff.exe
1932 daff.exe
1932 daff.exe
1932 daff.exe

pid	process
1932	daff.exe
1656	tes.exe

pid	process
1256	f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
1932	daff.exe
1932	daff.exe
1932	daff.exe
1932	daff.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1656-67-0x00000000022E0000-0x0000000002326000-memory.dmp	agile_net
behavioral1/memory/1656-68-0x0000000000400000-0x000000000046E000-memory.dmp	agile_net
behavioral1/memory/1656-69-0x0000000000400000-0x000000000046E000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tes.exe

description pid process

Token: SeDebugPrivilege 1656 tes.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

tes.exe

pid process

1656 tes.exe

description	pid	process
Token: SeDebugPrivilege	1656	tes.exe

pid	process
1656	tes.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exedaff.exe

description	pid	process	target process
PID 1256 wrote to memory of 1932	1256	f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe	daff.exe
PID 1256 wrote to memory of 1932	1256	f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe	daff.exe
PID 1256 wrote to memory of 1932	1256	f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe	daff.exe
PID 1256 wrote to memory of 1932	1256	f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe	daff.exe
PID 1932 wrote to memory of 1656	1932	daff.exe	tes.exe
PID 1932 wrote to memory of 1656	1932	daff.exe	tes.exe
PID 1932 wrote to memory of 1656	1932	daff.exe	tes.exe
PID 1932 wrote to memory of 1656	1932	daff.exe	tes.exe

C:\Users\Admin\AppData\Local\Temp\f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
"C:\Users\Admin\AppData\Local\Temp\f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\daff.exe
"C:\Users\Admin\AppData\Local\Temp\daff.exe" -s -pfgr6edfgr6trfgr6yedgesgd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\tes.exe
"C:\Users\Admin\AppData\Roaming\tes.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\daff.exe
Filesize
596KB

MD5
98a500f286659ef1245ff1a336b549cc

SHA1
0073ca9bbb842f1a5e6536bf5e46e013f2bd760d

SHA256
102e283847e62a965df4b2adfdfb1fa21ead76e3d94887a93783e0c55a903ee0

SHA512
a16601ee0cf217ad3ec6648b24cefb46289c21f7241ce1abe364bc174fb8e0ab5399ffcaaa4b8d5e22594155eae965ef34704bf77085025b81012275e092195b

Download Submit
C:\Users\Admin\AppData\Local\Temp\daff.exe
Filesize
596KB

MD5
98a500f286659ef1245ff1a336b549cc

SHA1
0073ca9bbb842f1a5e6536bf5e46e013f2bd760d

SHA256
102e283847e62a965df4b2adfdfb1fa21ead76e3d94887a93783e0c55a903ee0

SHA512
a16601ee0cf217ad3ec6648b24cefb46289c21f7241ce1abe364bc174fb8e0ab5399ffcaaa4b8d5e22594155eae965ef34704bf77085025b81012275e092195b

Download Submit
C:\Users\Admin\AppData\Roaming\tes.exe
Filesize
427KB

MD5
cc4a0feab7924798704df93b8ee167a7

SHA1
b0f312a93d6093f81e3e846d18180aae59676d9a

SHA256
0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d

SHA512
3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356

Download Submit
\Users\Admin\AppData\Local\Temp\daff.exe
Filesize
596KB

MD5
98a500f286659ef1245ff1a336b549cc

SHA1
0073ca9bbb842f1a5e6536bf5e46e013f2bd760d

SHA256
102e283847e62a965df4b2adfdfb1fa21ead76e3d94887a93783e0c55a903ee0

SHA512
a16601ee0cf217ad3ec6648b24cefb46289c21f7241ce1abe364bc174fb8e0ab5399ffcaaa4b8d5e22594155eae965ef34704bf77085025b81012275e092195b

Download Submit
\Users\Admin\AppData\Roaming\tes.exe
Filesize
427KB

MD5
cc4a0feab7924798704df93b8ee167a7

SHA1
b0f312a93d6093f81e3e846d18180aae59676d9a

SHA256
0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d

SHA512
3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356

Download Submit
\Users\Admin\AppData\Roaming\tes.exe
Filesize
427KB

MD5
cc4a0feab7924798704df93b8ee167a7

SHA1
b0f312a93d6093f81e3e846d18180aae59676d9a

SHA256
0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d

SHA512
3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356

Download Submit
\Users\Admin\AppData\Roaming\tes.exe
Filesize
427KB

MD5
cc4a0feab7924798704df93b8ee167a7

SHA1
b0f312a93d6093f81e3e846d18180aae59676d9a

SHA256
0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d

SHA512
3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356

Download Submit
\Users\Admin\AppData\Roaming\tes.exe
Filesize
427KB

MD5
cc4a0feab7924798704df93b8ee167a7

SHA1
b0f312a93d6093f81e3e846d18180aae59676d9a

SHA256
0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d

SHA512
3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356

Download Submit
memory/1256-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1656-64-0x0000000000000000-mapping.dmp

Download
memory/1656-67-0x00000000022E0000-0x0000000002326000-memory.dmp

Filesize
280KB

Download
memory/1656-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1656-69-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1932-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing