02cc6945c8a524424cf8f399905e53ca88f505c54ed425a92a1e95b2d31b2d9d

General

Target

Consumer_p_.exe
Size

31.9MB
MD5

f077fe80c3a20870c75c3eb8464eb360
SHA1

3c212a8ec8b7c8b3e69340b69d2ac4e690ec4a6c
SHA256

02cc6945c8a524424cf8f399905e53ca88f505c54ed425a92a1e95b2d31b2d9d
SHA512

e1f4e97d26dd19b465e62cea2aebf58ca0857aa8575e288665838e0073905001972614af9bb9518a5d2823a7dd6d16d4ed626c7c1266eaf347c9b8ce43cfc0ae
SSDEEP

786432:7LIPpTfGiQlJe01j3m3q2YA72qP/gqyT0s5:70PNfG5lJemjW3GA7xnu

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Consumer_p_.exe

pid process

2664 Consumer_p_.exe

pid	process
2664	Consumer_p_.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2664-136-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net
behavioral2/memory/2664-139-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net
behavioral2/memory/2664-140-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net
behavioral2/memory/2664-149-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net
behavioral2/memory/2664-150-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net
behavioral2/memory/2664-174-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net
behavioral2/memory/2664-175-0x0000000000F20000-0x00000000022CA000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

Consumer_p_.exe

pid process

2664 Consumer_p_.exe
2664 Consumer_p_.exe
2664 Consumer_p_.exe
2664 Consumer_p_.exe
2664 Consumer_p_.exe
2664 Consumer_p_.exe
2664 Consumer_p_.exe

pid	process
2664	Consumer_p_.exe
2664	Consumer_p_.exe
2664	Consumer_p_.exe
2664	Consumer_p_.exe
2664	Consumer_p_.exe
2664	Consumer_p_.exe
2664	Consumer_p_.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeConsumer_p_.exe

pid	process
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
2664	Consumer_p_.exe
2664	Consumer_p_.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3488 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3488	taskmgr.exe
Token: SeSystemProfilePrivilege	3488	taskmgr.exe
Token: SeCreateGlobalPrivilege	3488	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe
3488	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\Consumer_p_.exe
"C:\Users\Admin\AppData\Local\Temp\Consumer_p_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evb25B9.tmp
Filesize
1KB

MD5
3806bcda771165ebd7311315c196e516

SHA1
b41d54b069d01913682709a5b56bc6087060636b

SHA256
a2ffa98c72f46c414a76b71e9412020a25f50584d468cddaae5f23a7af972c30

SHA512
6acc0fb93bc6d6b66334990b647e57553def97a204684696757d647ff771ad7ed46e593176ea42b0aca4ae54f56dd85d3b42fa4e638547c04322417e5d0d5eef

Download Submit
memory/2664-148-0x0000000180000000-0x000000018272B000-memory.dmp

Filesize
39.2MB

Download
memory/2664-169-0x0000000180000000-0x000000018272B000-memory.dmp

Filesize
39.2MB

Download
memory/2664-136-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-137-0x00007FFA70670000-0x00007FFA70680000-memory.dmp

Filesize
64KB

Download
memory/2664-138-0x00007FFAEF9F0000-0x00007FFAEFA00000-memory.dmp

Filesize
64KB

Download
memory/2664-139-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-140-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-149-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-167-0x00007FFAF0670000-0x00007FFAF0672000-memory.dmp

Filesize
8KB

Download
memory/2664-135-0x00007FF4A1E50000-0x00007FF4A2221000-memory.dmp

Filesize
3.8MB

Download
memory/2664-134-0x00007FF4A1C60000-0x00007FF4A1E4F000-memory.dmp

Filesize
1.9MB

Download
memory/2664-150-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-151-0x00007FF4A1E50000-0x00007FF4A2221000-memory.dmp

Filesize
3.8MB

Download
memory/2664-133-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-176-0x0000000180000000-0x000000018272B000-memory.dmp

Filesize
39.2MB

Download
memory/2664-175-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-174-0x0000000000F20000-0x00000000022CA000-memory.dmp

Filesize
19.7MB

Download
memory/2664-162-0x0000000180000000-0x000000018272B000-memory.dmp

Filesize
39.2MB

Download
memory/2664-168-0x00007FFAF0680000-0x00007FFAF0682000-memory.dmp

Filesize
8KB

Download
memory/2664-143-0x0000000180000000-0x000000018272B000-memory.dmp

Filesize
39.2MB

Download
memory/3488-152-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-163-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-164-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-165-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-161-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-158-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-160-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-159-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-154-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download
memory/3488-153-0x000001A9DE380000-0x000001A9DE381000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads