Analysis
- Max time kernel: 137s
- Max time network: 171s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 02-12-2022 09:13
Behavioral task: behavioral1
- Sample: download.exe
- Resource: win7-20220812-en
General
- Target: download.exe
- Size: 203KB
- MD5: c7db7aecb55a508371570b7008897c2d
- SHA1: 93fb24242e0157acd65ca704a090c054ccfcb841
- SHA256: 8ccef55df6fad5510b1b81c7973df1620d9c7d7504598e755f50c130d1a5ed2e
- SHA512: 0b4a3973fb571070d6f87e069ae3bac1abc39892b817f0cdeb61d59479970659def16e8c07f4f5aa79c3d2c83386743f8980dcbeaaf68e61837a47d2a95b1d15
- SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIoySnfr0CEE9R4szJbGxBzU9yA:MLV6Bta6dtJmakIM5nnz0mJ+zAapx2
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: download.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"
- Checks whether UAC is enabled
  Process: download.exe
  Description: Key value queried
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops file in Program Files directory (2 IoCs)
  Process: download.exe
  File created: C:\Program Files (x86)\AGP Monitor\agpmon.exe
  File opened for modification: C:\Program Files (x86)\AGP Monitor\agpmon.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 4248), schtasks.exe (PID 4544)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Process: download.exe (PID 2680), 12 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: download.exe (PID 2680)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: download.exe (PID 2680), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  download.exe (PID 2680) wrote to memory of schtasks.exe (PID 4248), 3 occurrences
  download.exe (PID 2680) wrote to memory of schtasks.exe (PID 4544), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\download.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\download.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB8A6.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB9FF.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB8A6.tmp
  Filesize: 1KB
  MD5: b8e4cf4ba028d5a6217f44c16cedd0ef
  SHA1: 886bc81c6b4e9c36825a3bb4d142836527492d16
  SHA256: 13c02c1aad0c4c93787dd39b1ecf279316207765fff90a468d020ba89fedcab0
  SHA512: 56979c996421ddbc09e693087301ac4f043bcfa88fdbd8afa8917518595b557b7240104ee9007009706a15e47e98b81052f142d1d271a9bf9007a744c4c8fa7c
- C:\Users\Admin\AppData\Local\Temp\tmpB9FF.tmp
  Filesize: 1KB
  MD5: 157cd55403665c49c9fd3ca1196c4397
  SHA1: 4feed6e606b41bb617274471349582963182756b
  SHA256: 49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e
  SHA512: bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8
- memory/2680-132-0x0000000074BF0000-0x00000000751A1000-memory.dmp
  Filesize: 5.7MB
- memory/2680-137-0x0000000074BF0000-0x00000000751A1000-memory.dmp
  Filesize: 5.7MB
- memory/4248-133-0x0000000000000000-mapping.dmp
- memory/4544-135-0x0000000000000000-mapping.dmp