Analysis
- max time kernel: 420s
- max time network: 422s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 19-02-2023 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 2.0MB
- MD5: a83d528c3debe4486cc91b5922040711
- SHA1: 765d88a6a2ac079c0a7a7ac23dc630b82095339b
- SHA256: 446deb48d5641c4977a2cdf9eb3722cbd4170a2eebd2d8c6fca1430767af04ad
- SHA512: a8c3e4b182882e79a6b74f6d9cd6514d268b1703ff76c8e07dfb4944a7ed83051a8816b40b9a2c9927cdd73a09a932a0c2d9ea83a8007bd400d289c35b4e433f
- SSDEEP: 24576:Nwksz4Fw2f16CwIUEirFZTUvIweQ3qRbYl6DLJMv4oVI1ZwF33z5hG4vkXZurFJ:4bCwIUE2jvdQ3mb1ZGvVkZ+3lfgy
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes: file.exe (PID 1716)
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral1/memory/1716-56-0x000000001B700000-0x000000001B924000-memory.dmp; YARA rule: agile_net
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 1124)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: file.exe (PID 1716), token: SeDebugPrivilege; powershell.exe (PID 1124), token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: file.exe (PID 1716), two calls
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: file.exe (PID 1716) wrote to the memory of powershell.exe (PID 1124), three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of process 1)
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
   The -ENC argument is base64-encoded UTF-16LE and decodes to: set-mppreference -exclusionpath C:\
   That is Set-MpPreference adding a Windows Defender scan exclusion for the whole C: drive, a common defence-evasion step; the exclusion change is logged in the Windows Defender operational event log and is worth alerting on.
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\517ed413-7642-48b7-a7f7-416d48d677d4\AgileDotNetRT64.dll (75KB)
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
- memory/1124-60-0x0000000000000000-mapping.dmp
- memory/1124-62-0x000007FEEBF30000-0x000007FEEC953000-memory.dmp (10.1MB)
- memory/1124-63-0x000007FEEB3D0000-0x000007FEEBF2D000-memory.dmp (11.4MB)
- memory/1124-65-0x0000000002854000-0x0000000002857000-memory.dmp (12KB)
- memory/1124-64-0x000000001B790000-0x000000001BA8F000-memory.dmp (3.0MB)
- memory/1124-66-0x0000000002854000-0x0000000002857000-memory.dmp (12KB)
- memory/1124-67-0x000000000285B000-0x000000000287A000-memory.dmp (124KB)
- memory/1716-56-0x000000001B700000-0x000000001B924000-memory.dmp (2.1MB)
- memory/1716-55-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp (8KB)
- memory/1716-58-0x000007FEF65F0000-0x000007FEF671C000-memory.dmp (1.2MB)
- memory/1716-59-0x000000000043A000-0x0000000000459000-memory.dmp (124KB)
- memory/1716-54-0x0000000000C80000-0x0000000000E90000-memory.dmp (2.1MB)
- memory/1716-68-0x000000000043A000-0x0000000000459000-memory.dmp (124KB)