Analysis
-
max time kernel
420s -
max time network
422s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
19-02-2023 04:43
General
-
Target
file.exe
-
Size
2.0MB
-
MD5
a83d528c3debe4486cc91b5922040711
-
SHA1
765d88a6a2ac079c0a7a7ac23dc630b82095339b
-
SHA256
446deb48d5641c4977a2cdf9eb3722cbd4170a2eebd2d8c6fca1430767af04ad
-
SHA512
a8c3e4b182882e79a6b74f6d9cd6514d268b1703ff76c8e07dfb4944a7ed83051a8816b40b9a2c9927cdd73a09a932a0c2d9ea83a8007bd400d289c35b4e433f
-
SSDEEP
24576:Nwksz4Fw2f16CwIUEirFZTUvIweQ3qRbYl6DLJMv4oVI1ZwF33z5hG4vkXZurFJ:4bCwIUE2jvdQ3mb1ZGvVkZ+3lfgy
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\517ed413-7642-48b7-a7f7-416d48d677d4\AgileDotNetRT64.dllFilesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
memory/1124-60-0x0000000000000000-mapping.dmp
-
memory/1124-62-0x000007FEEBF30000-0x000007FEEC953000-memory.dmpFilesize
10.1MB
-
memory/1124-63-0x000007FEEB3D0000-0x000007FEEBF2D000-memory.dmpFilesize
11.4MB
-
memory/1124-65-0x0000000002854000-0x0000000002857000-memory.dmpFilesize
12KB
-
memory/1124-64-0x000000001B790000-0x000000001BA8F000-memory.dmpFilesize
3.0MB
-
memory/1124-66-0x0000000002854000-0x0000000002857000-memory.dmpFilesize
12KB
-
memory/1124-67-0x000000000285B000-0x000000000287A000-memory.dmpFilesize
124KB
-
memory/1716-56-0x000000001B700000-0x000000001B924000-memory.dmpFilesize
2.1MB
-
memory/1716-55-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmpFilesize
8KB
-
memory/1716-58-0x000007FEF65F0000-0x000007FEF671C000-memory.dmpFilesize
1.2MB
-
memory/1716-59-0x000000000043A000-0x0000000000459000-memory.dmpFilesize
124KB
-
memory/1716-54-0x0000000000C80000-0x0000000000E90000-memory.dmpFilesize
2.1MB
-
memory/1716-68-0x000000000043A000-0x0000000000459000-memory.dmpFilesize
124KB