Analysis
max time kernel: 48s
max time network: 53s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 13:30
Static task
static1
Behavioral task
behavioral1
Sample
f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
Resource
win10v2004-20221111-en
General
-
Target
f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
-
Size
512KB
-
MD5
d036fabd76bf32570481a2224706ddef
-
SHA1
f52ce02926904c648f4b4a5a4a5ad14db09c45e0
-
SHA256
f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52
-
SHA512
752c2de69fc94e66e772fd48721d71ee56da6156e7460d3a415f702a07fc14c1645e5ef7885142b8207437ba9536cd533d0fec8d8f064bc70453bd457c9d5968
-
SSDEEP
12288:SZHVhCLTfKQwDvD5H6Mrb+/0ULRctxIbuOUbXEJ6Ay:EH0KQoP3+/MSHqb
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1932  daff.exe
1656  tes.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid   process
1256  f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
1932  daff.exe
1932  daff.exe
1932  daff.exe
1932  daff.exe
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                     yara_rule
behavioral1/memory/1656-67-0x00000000022E0000-0x0000000002326000-memory.dmp  agile_net
behavioral1/memory/1656-68-0x0000000000400000-0x000000000046E000-memory.dmp  agile_net
behavioral1/memory/1656-69-0x0000000000400000-0x000000000046E000-memory.dmp  agile_net
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                pid   process
Token: SeDebugPrivilege    1656  tes.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
1656  tes.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                        pid   process                                                                 target process
PID 1256 wrote to memory of 1932  1256  f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe  daff.exe
PID 1256 wrote to memory of 1932  1256  f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe  daff.exe
PID 1256 wrote to memory of 1932  1256  f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe  daff.exe
PID 1256 wrote to memory of 1932  1256  f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe  daff.exe
PID 1932 wrote to memory of 1656  1932  daff.exe                                                                tes.exe
PID 1932 wrote to memory of 1656  1932  daff.exe                                                                tes.exe
PID 1932 wrote to memory of 1656  1932  daff.exe                                                                tes.exe
PID 1932 wrote to memory of 1656  1932  daff.exe                                                                tes.exe
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
command line: "C:\Users\Admin\AppData\Local\Temp\f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\daff.exe
command line: "C:\Users\Admin\AppData\Local\Temp\daff.exe" -s -pfgr6edfgr6trfgr6yedgesgd
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Users\Admin\AppData\Roaming\tes.exe
command line: "C:\Users\Admin\AppData\Roaming\tes.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\daff.exe
Filesize 596KB
MD5 98a500f286659ef1245ff1a336b549cc
SHA1 0073ca9bbb842f1a5e6536bf5e46e013f2bd760d
SHA256 102e283847e62a965df4b2adfdfb1fa21ead76e3d94887a93783e0c55a903ee0
SHA512 a16601ee0cf217ad3ec6648b24cefb46289c21f7241ce1abe364bc174fb8e0ab5399ffcaaa4b8d5e22594155eae965ef34704bf77085025b81012275e092195b
-
C:\Users\Admin\AppData\Roaming\tes.exe
Filesize 427KB
MD5 cc4a0feab7924798704df93b8ee167a7
SHA1 b0f312a93d6093f81e3e846d18180aae59676d9a
SHA256 0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d
SHA512 3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356
-
\Users\Admin\AppData\Local\Temp\daff.exe
Filesize 596KB
MD5 98a500f286659ef1245ff1a336b549cc
SHA1 0073ca9bbb842f1a5e6536bf5e46e013f2bd760d
SHA256 102e283847e62a965df4b2adfdfb1fa21ead76e3d94887a93783e0c55a903ee0
SHA512 a16601ee0cf217ad3ec6648b24cefb46289c21f7241ce1abe364bc174fb8e0ab5399ffcaaa4b8d5e22594155eae965ef34704bf77085025b81012275e092195b
-
\Users\Admin\AppData\Roaming\tes.exe
Filesize 427KB
MD5 cc4a0feab7924798704df93b8ee167a7
SHA1 b0f312a93d6093f81e3e846d18180aae59676d9a
SHA256 0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d
SHA512 3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356
-
memory/1256-54-0x0000000075091000-0x0000000075093000-memory.dmp
Filesize 8KB
-
memory/1656-64-0x0000000000000000-mapping.dmp
-
memory/1656-67-0x00000000022E0000-0x0000000002326000-memory.dmp
Filesize 280KB
-
memory/1656-68-0x0000000000400000-0x000000000046E000-memory.dmp
Filesize 440KB
-
memory/1656-69-0x0000000000400000-0x000000000046E000-memory.dmp
Filesize 440KB
-
memory/1932-56-0x0000000000000000-mapping.dmp