5d6deb056a1b40dee972a4515d89afe16c5ef76a045ac2c6220cd1085ab6b88a

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2023, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agentes_Seguridad.exe
Size

88KB
MD5

1fc5329c18b6347c1636bf6740228bc5
SHA1

e2845fcedbb2e8e45c902fa70a6976d0687fa662
SHA256

5d6deb056a1b40dee972a4515d89afe16c5ef76a045ac2c6220cd1085ab6b88a
SHA512

43f143ac477f77acb2123631aad43729eecf116cd5a18b1a4f6cf87578a69fdcaebd1c4eb6c0950ba7ad0b2d5187e2d7bfe1bc9bab827acb98be30cf59bd08c2
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfOxDH1:Hq6+ouCpk2mpcWJ0r+QNTBfOZ1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Agentes_Seguridad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
1100	timeout.exe
3124	timeout.exe
4704	timeout.exe
1824	timeout.exe
4440	timeout.exe
1152	timeout.exe
1936	timeout.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	4344	msiexec.exe
Token: SeCreateTokenPrivilege	1712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1712	msiexec.exe
Token: SeLockMemoryPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeMachineAccountPrivilege	1712	msiexec.exe
Token: SeTcbPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	1712	msiexec.exe
Token: SeTakeOwnershipPrivilege	1712	msiexec.exe
Token: SeLoadDriverPrivilege	1712	msiexec.exe
Token: SeSystemProfilePrivilege	1712	msiexec.exe
Token: SeSystemtimePrivilege	1712	msiexec.exe
Token: SeProfSingleProcessPrivilege	1712	msiexec.exe
Token: SeIncBasePriorityPrivilege	1712	msiexec.exe
Token: SeCreatePagefilePrivilege	1712	msiexec.exe
Token: SeCreatePermanentPrivilege	1712	msiexec.exe
Token: SeBackupPrivilege	1712	msiexec.exe
Token: SeRestorePrivilege	1712	msiexec.exe
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeDebugPrivilege	1712	msiexec.exe
Token: SeAuditPrivilege	1712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1712	msiexec.exe
Token: SeChangeNotifyPrivilege	1712	msiexec.exe
Token: SeRemoteShutdownPrivilege	1712	msiexec.exe
Token: SeUndockPrivilege	1712	msiexec.exe
Token: SeSyncAgentPrivilege	1712	msiexec.exe
Token: SeEnableDelegationPrivilege	1712	msiexec.exe
Token: SeManageVolumePrivilege	1712	msiexec.exe
Token: SeImpersonatePrivilege	1712	msiexec.exe
Token: SeCreateGlobalPrivilege	1712	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3472	1516	Agentes_Seguridad.exe	86
PID 1516 wrote to memory of 3472	1516	Agentes_Seguridad.exe	86
PID 3472 wrote to memory of 1100	3472	cmd.exe	92
PID 3472 wrote to memory of 1100	3472	cmd.exe	92
PID 3472 wrote to memory of 3124	3472	cmd.exe	96
PID 3472 wrote to memory of 3124	3472	cmd.exe	96
PID 3472 wrote to memory of 1712	3472	cmd.exe	97
PID 3472 wrote to memory of 1712	3472	cmd.exe	97
PID 3472 wrote to memory of 4704	3472	cmd.exe	99
PID 3472 wrote to memory of 4704	3472	cmd.exe	99
PID 3472 wrote to memory of 1824	3472	cmd.exe	104
PID 3472 wrote to memory of 1824	3472	cmd.exe	104
PID 3472 wrote to memory of 4440	3472	cmd.exe	105
PID 3472 wrote to memory of 4440	3472	cmd.exe	105
PID 3472 wrote to memory of 1396	3472	cmd.exe	106
PID 3472 wrote to memory of 1396	3472	cmd.exe	106
PID 3472 wrote to memory of 1152	3472	cmd.exe	108
PID 3472 wrote to memory of 1152	3472	cmd.exe	108
PID 3472 wrote to memory of 2916	3472	cmd.exe	113
PID 3472 wrote to memory of 2916	3472	cmd.exe	113
PID 2916 wrote to memory of 3692	2916	net.exe	114
PID 2916 wrote to memory of 3692	2916	net.exe	114
PID 3472 wrote to memory of 4960	3472	cmd.exe	115
PID 3472 wrote to memory of 4960	3472	cmd.exe	115
PID 4960 wrote to memory of 5076	4960	net.exe	116
PID 4960 wrote to memory of 5076	4960	net.exe	116
PID 3472 wrote to memory of 1936	3472	cmd.exe	117
PID 3472 wrote to memory of 1936	3472	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\Agentes_Seguridad.exe
"C:\Users\Admin\AppData\Local\Temp\Agentes_Seguridad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\81D7.tmp\81D8.tmp\81D9.bat C:\Users\Admin\AppData\Local\Temp\Agentes_Seguridad.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1100
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3124
- - C:\Windows\system32\msiexec.exe
    msiexec /I C:\Instaladores\Qualys_Netskope\NSClient_84.2.2.576.msi /qn token=kL2RDKffsNqc637CG94L host=addon-davivienda-co.goskope.com mode=peruserconfig autoupdate=on
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4704
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1824
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4440
- - C:\Windows\system32\cscript.exe
    cscript //B "C:\Windows\system32\slmgr.vbs" /ipk GGFFH-WGNB4-CXXDQ-WTB8B-WHV3B
    3⤵
    PID:1396
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1152
- - C:\Windows\system32\net.exe
    net user administrador /active:yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrador /active:yes
      4⤵
      PID:3692
- - C:\Windows\system32\net.exe
    net user BancoDavivienda /delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user BancoDavivienda /delete
      4⤵
      PID:5076
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81D7.tmp\81D8.tmp\81D9.bat

Filesize
1KB

MD5
9426ea177514706ca2b92b10dc6a2036

SHA1
e9101b85e53e9563884f768b743e72bd4e058773

SHA256
72a9b68f780ffd5025891881248902e784ba556cc9e431dd8beba445a731a77c

SHA512
459cd8215ba0d6ed822d2f4e7cafa3221547233b52fd5b5dcd33ebcf2cb894c07f9dd5b2fc731241d1a9444bec5a82cc772fa4993b6fc7022cb2543db3eb974d

Download Submit