Analysis
-
max time kernel
29s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
25-03-2023 23:01
General
-
Target
agiledotnetinstaller.exe
-
Size
13.8MB
-
MD5
b18e08cd76a64f4311ede5dc0e094420
-
SHA1
d4f015004fbaeeed2e7a90ef859d4b9f04b3dc20
-
SHA256
7faf552bacfc8174d2e02142b7379948158c2eac09e4f1872f5dd5f847f8075b
-
SHA512
f04fc41e0f15d84d45745f78e8eca629f037355be957c99643b3f7d2709a0063102369c7ca54e1b33dbba419770cbdc9a628be798dcbdb09e131fcc8f6c656c6
-
SSDEEP
393216:PJmTb23oYK6+RF05k/NxDFKZQ0gzkb8HZDozeM2Zwb32n2KTeY:PJ+b24YMKS/NRu10Zz62n2/Y
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 36 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\agiledotnetinstaller.exe"C:\Users\Admin\AppData\Local\Temp\agiledotnetinstaller.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-U4U84.tmp\agiledotnetinstaller.tmp"C:\Users\Admin\AppData\Local\Temp\is-U4U84.tmp\agiledotnetinstaller.tmp" /SL5="$801C4,14128505,74752,C:\Users\Admin\AppData\Local\Temp\agiledotnetinstaller.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\SecureTeam\AgileDotNet.exe"C:\Program Files (x86)\SecureTeam\AgileDotNet.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\SecureTeam\AgileDotNet.Console.VMRuntime.dllFilesize
1.4MB
MD5344925e2ce673d621661052aeb9e9eeb
SHA1d06460b9b424fc5556f4c62d7651065f39544689
SHA256311b0f2c2075056548fa36bb6bd2f6c8e2bfa799a8138278fed2030596934038
SHA512808b48d5c2c2d305fc22fe577be2ce795a275096ff0b5aa714fe8f19624ef152912963d32d352761164af359caa54fedb1baf681bb72f6a1aed6d83326a73a5a
-
C:\Program Files (x86)\SecureTeam\AgileDotNet.Console.exeFilesize
1.8MB
MD5059cb5027d4ef6b79c638f2a29f3b56b
SHA123aa18e865a5e38bab487e300391c9d8b81e4440
SHA25613cd32aa9116bdd83258747b2597db8b47304bebdd80fae44499752ef44f2ab9
SHA512e016fd2f1a4ae4e2d12bbbca11f9035176294e461236479c1ea43d6b5d6067c5c7d4dee54fcfe4b33974b09a6b98fcfd8d21f72dacec29f5f9b22bfa165e692b
-
C:\Program Files (x86)\SecureTeam\AgileDotNet.exeFilesize
1.0MB
MD5e7d5bd6bc49f3b2ea88ac1dc36e477c2
SHA1125ec9a45346db2cdeb14f7037823a79829d21e4
SHA25659b4c6de0d6df7c58bc2db3dedfb0adeb2cda86871f7fb67dd2d3a77dc54d499
SHA5122a4d59f3a309dff5c86ea49600d8db5babc4c4b22fcc94b47ff2e9318e9077ba2f577515bbb1415ba7fbfea9581589cd71d79666927ffca9ed42fe46265e745f
-
C:\Program Files (x86)\SecureTeam\AgileDotNet.exeFilesize
1.0MB
MD5e7d5bd6bc49f3b2ea88ac1dc36e477c2
SHA1125ec9a45346db2cdeb14f7037823a79829d21e4
SHA25659b4c6de0d6df7c58bc2db3dedfb0adeb2cda86871f7fb67dd2d3a77dc54d499
SHA5122a4d59f3a309dff5c86ea49600d8db5babc4c4b22fcc94b47ff2e9318e9077ba2f577515bbb1415ba7fbfea9581589cd71d79666927ffca9ed42fe46265e745f
-
C:\Program Files (x86)\SecureTeam\AgileDotNet.exeFilesize
1.0MB
MD5e7d5bd6bc49f3b2ea88ac1dc36e477c2
SHA1125ec9a45346db2cdeb14f7037823a79829d21e4
SHA25659b4c6de0d6df7c58bc2db3dedfb0adeb2cda86871f7fb67dd2d3a77dc54d499
SHA5122a4d59f3a309dff5c86ea49600d8db5babc4c4b22fcc94b47ff2e9318e9077ba2f577515bbb1415ba7fbfea9581589cd71d79666927ffca9ed42fe46265e745f
-
C:\Program Files (x86)\SecureTeam\AgileDotNetRT64Pro.dllFilesize
1.4MB
MD5843637d9086531f0399662ccde15f110
SHA14e0402b47f4d42d3b2e51f80682474b33fe70ef8
SHA2565ff6e56b3aae64d9dbf1cadea9d72361cc0c724321fc604f1a165c9ab1ae8daa
SHA5121948344374b8fb04d7a0c7c6c7a90d2113cdb380b7b864dab40f682c2a9b1d14d50d51487e9f758d28e8c21e8a555b031332081f608630fce0f159f1db19d815
-
C:\Program Files (x86)\SecureTeam\AgileDotNetRT64Pro.dllFilesize
1.4MB
MD5843637d9086531f0399662ccde15f110
SHA14e0402b47f4d42d3b2e51f80682474b33fe70ef8
SHA2565ff6e56b3aae64d9dbf1cadea9d72361cc0c724321fc604f1a165c9ab1ae8daa
SHA5121948344374b8fb04d7a0c7c6c7a90d2113cdb380b7b864dab40f682c2a9b1d14d50d51487e9f758d28e8c21e8a555b031332081f608630fce0f159f1db19d815
-
C:\Program Files (x86)\SecureTeam\DevExpress.XtraBars.v12.2.dllFilesize
1024KB
MD59b7635baa52aa7b5038731e210ab6a96
SHA10352cdf751b0d1b78fa8d0127027f3e50af2b461
SHA2562c3827063bb6b2697baa5c8fafb03da29ff3d06378360d867de0985cdf8ee80e
SHA512970d6eff261af35b15c4c9c945064a34de4b417db422565b66ab5670858860676bce10922ec28b0dfce18b2d3fcd95ef2cb7b9e425f219c85f58938387f55a88
-
C:\Users\Admin\AppData\Local\Temp\is-39F1G.tmp\AgileDotNet.cjstylesFilesize
433KB
MD5f3d1652de0ad6b02926bff7d7bb0ac02
SHA141427cb7ee3c263296911f1b153e1d3b6d749afb
SHA25604b58f7e8a622498657672abafe8efa21605796fb29be78df7199da7dbcdf759
SHA5124d6e2caa411a3fc2f91854363fc07898248d9ae9bfb310c98913f657ea6b6a6a41f7fa10274efb025b8bc836b0f760b8f59f9d2fd6191f8caa417dcbed6ff972
-
C:\Users\Admin\AppData\Local\Temp\is-39F1G.tmp\AgileDotNet.cjstylesFilesize
433KB
MD5f3d1652de0ad6b02926bff7d7bb0ac02
SHA141427cb7ee3c263296911f1b153e1d3b6d749afb
SHA25604b58f7e8a622498657672abafe8efa21605796fb29be78df7199da7dbcdf759
SHA5124d6e2caa411a3fc2f91854363fc07898248d9ae9bfb310c98913f657ea6b6a6a41f7fa10274efb025b8bc836b0f760b8f59f9d2fd6191f8caa417dcbed6ff972
-
C:\Users\Admin\AppData\Local\Temp\is-39F1G.tmp\isskin.dllFilesize
385KB
MD592c2e247392e0e02261dea67e1bb1a5e
SHA1db72fed8771364bf8039b2bc83ed01dda2908554
SHA25625fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68
SHA512e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5
-
C:\Users\Admin\AppData\Local\Temp\is-39F1G.tmp\isskin.dllFilesize
385KB
MD592c2e247392e0e02261dea67e1bb1a5e
SHA1db72fed8771364bf8039b2bc83ed01dda2908554
SHA25625fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68
SHA512e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5
-
C:\Users\Admin\AppData\Local\Temp\is-39F1G.tmp\isxdl.dllFilesize
121KB
MD548ad1a1c893ce7bf456277a0a085ed01
SHA1803997ef17eedf50969115c529a2bf8de585dc91
SHA256b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3
SHA5127c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4
-
C:\Users\Admin\AppData\Local\Temp\is-U4U84.tmp\agiledotnetinstaller.tmpFilesize
708KB
MD535b3f9a516ad4aefa79f71b0841ff6e0
SHA1eb1a56a11e8354873fe541753bf176842523e4e2
SHA2567ffbb10d03cdbf83f31b92f5e4ee424a3672392da0852ac8333c73fcd594c510
SHA51208904a7b2872dd2f81538904e17182bbe9fb533184cfbbca0b955713911b089fcb40a9c39343572c53c75cff6d891a3a58dbe530697746c87ed007ee550234b2
-
C:\Users\Admin\AppData\Local\Temp\is-U4U84.tmp\agiledotnetinstaller.tmpFilesize
708KB
MD535b3f9a516ad4aefa79f71b0841ff6e0
SHA1eb1a56a11e8354873fe541753bf176842523e4e2
SHA2567ffbb10d03cdbf83f31b92f5e4ee424a3672392da0852ac8333c73fcd594c510
SHA51208904a7b2872dd2f81538904e17182bbe9fb533184cfbbca0b955713911b089fcb40a9c39343572c53c75cff6d891a3a58dbe530697746c87ed007ee550234b2
-
memory/704-133-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/704-222-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1984-196-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-204-0x0000000074FA0000-0x0000000075014000-memory.dmpFilesize
464KB
-
memory/1984-173-0x0000000075850000-0x00000000758CA000-memory.dmpFilesize
488KB
-
memory/1984-174-0x00000000763F0000-0x0000000076415000-memory.dmpFilesize
148KB
-
memory/1984-175-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-176-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-177-0x00000000763F0000-0x0000000076415000-memory.dmpFilesize
148KB
-
memory/1984-178-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-179-0x00000000744E0000-0x0000000074604000-memory.dmpFilesize
1.1MB
-
memory/1984-180-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-181-0x0000000075990000-0x0000000075A73000-memory.dmpFilesize
908KB
-
memory/1984-182-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-183-0x0000000077350000-0x00000000773FF000-memory.dmpFilesize
700KB
-
memory/1984-184-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-185-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-187-0x0000000075990000-0x0000000075A73000-memory.dmpFilesize
908KB
-
memory/1984-186-0x00000000762B0000-0x000000007638C000-memory.dmpFilesize
880KB
-
memory/1984-188-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-190-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-189-0x0000000077350000-0x00000000773FF000-memory.dmpFilesize
700KB
-
memory/1984-191-0x0000000074FA0000-0x0000000075014000-memory.dmpFilesize
464KB
-
memory/1984-192-0x00000000744E0000-0x0000000074604000-memory.dmpFilesize
1.1MB
-
memory/1984-193-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-194-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-195-0x0000000077350000-0x00000000773FF000-memory.dmpFilesize
700KB
-
memory/1984-171-0x00000000763F0000-0x0000000076415000-memory.dmpFilesize
148KB
-
memory/1984-197-0x0000000074FA0000-0x0000000075014000-memory.dmpFilesize
464KB
-
memory/1984-199-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-198-0x00000000744E0000-0x0000000074604000-memory.dmpFilesize
1.1MB
-
memory/1984-201-0x0000000077350000-0x00000000773FF000-memory.dmpFilesize
700KB
-
memory/1984-202-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-203-0x00000000763F0000-0x0000000076415000-memory.dmpFilesize
148KB
-
memory/1984-200-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-172-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-205-0x00000000744E0000-0x0000000074604000-memory.dmpFilesize
1.1MB
-
memory/1984-206-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-207-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-209-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-208-0x0000000077350000-0x00000000773FF000-memory.dmpFilesize
700KB
-
memory/1984-210-0x0000000074FA0000-0x0000000075014000-memory.dmpFilesize
464KB
-
memory/1984-211-0x00000000744E0000-0x0000000074604000-memory.dmpFilesize
1.1MB
-
memory/1984-212-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-213-0x00000000762B0000-0x000000007638C000-memory.dmpFilesize
880KB
-
memory/1984-214-0x0000000075990000-0x0000000075A73000-memory.dmpFilesize
908KB
-
memory/1984-215-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-216-0x0000000077350000-0x00000000773FF000-memory.dmpFilesize
700KB
-
memory/1984-217-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-218-0x0000000074FA0000-0x0000000075014000-memory.dmpFilesize
464KB
-
memory/1984-219-0x00000000744E0000-0x0000000074604000-memory.dmpFilesize
1.1MB
-
memory/1984-220-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-170-0x0000000075850000-0x00000000758CA000-memory.dmpFilesize
488KB
-
memory/1984-223-0x0000000075020000-0x0000000075230000-memory.dmpFilesize
2.1MB
-
memory/1984-221-0x00000000766C0000-0x0000000076C73000-memory.dmpFilesize
5.7MB
-
memory/1984-169-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-168-0x0000000075850000-0x00000000758CA000-memory.dmpFilesize
488KB
-
memory/1984-167-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-144-0x0000000000590000-0x0000000000591000-memory.dmpFilesize
4KB
-
memory/1984-166-0x0000000075850000-0x00000000758CA000-memory.dmpFilesize
488KB
-
memory/1984-165-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-154-0x0000000003A80000-0x0000000003AE0000-memory.dmpFilesize
384KB
-
memory/1984-164-0x0000000075850000-0x00000000758CA000-memory.dmpFilesize
488KB
-
memory/3496-391-0x000000001E040000-0x000000001E214000-memory.dmpFilesize
1.8MB
-
memory/3496-388-0x00007FFB04D00000-0x00007FFB05119000-memory.dmpFilesize
4.1MB
-
memory/3496-387-0x00000000010B0000-0x00000000010C0000-memory.dmpFilesize
64KB
-
memory/3496-397-0x000000001E670000-0x000000001E8BC000-memory.dmpFilesize
2.3MB
-
memory/3496-403-0x000000001F0D0000-0x000000001F48C000-memory.dmpFilesize
3.7MB
-
memory/3496-384-0x0000000000590000-0x000000000069C000-memory.dmpFilesize
1.0MB