4381d4a66eb1f618508864f87c6da09c67cfea42e21070823326f1ee45fb7b36

Analysis

max time kernel
152s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967548928.exe
Size

7.5MB
MD5

848186a88b0b2698fc6966c129b3f988
SHA1

47d48802379460ab5ee2e31f57b7b4ecf88846f6
SHA256

4381d4a66eb1f618508864f87c6da09c67cfea42e21070823326f1ee45fb7b36
SHA512

50c59689cda8bfa0f85faf957db895dc65013511630ba9978d8c7024f083db8248d9ea47b7e8a54e500a8b120e7b6032f9735961cf2c480226c20432a13e46a8
SSDEEP

98304:TOkNKDlogmxjvwTNWF+oVQVbsYb7smpc1aT9GvrVMv/cLUpJl7pUhGaZmCCTQJx+:at+gmxjvwTNh/hpL0KvZlWhGwjEQS

Score

8^/10

agilenet

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2924	967548928.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	967548928.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/3028-4-0x0000000000400000-0x0000000000FA3000-memory.dmp	agile_net
behavioral1/memory/3028-16-0x0000000000400000-0x0000000000FA3000-memory.dmp	agile_net
behavioral1/memory/3028-19-0x0000000000400000-0x0000000000FA3000-memory.dmp	agile_net
behavioral1/memory/3028-20-0x0000000000400000-0x0000000000FA3000-memory.dmp	agile_net
behavioral1/memory/3028-23-0x0000000000400000-0x0000000000FA3000-memory.dmp	agile_net
behavioral1/memory/3028-26-0x0000000000400000-0x0000000000FA3000-memory.dmp	agile_net
behavioral1/memory/2924-250-0x0000000000400000-0x0000000000FA9000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3028	967548928.exe
2924	967548928.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2044	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3028	967548928.exe
2924	967548928.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	967548928.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	967548928.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2924	3028	967548928.exe	30
PID 3028 wrote to memory of 2924	3028	967548928.exe	30
PID 3028 wrote to memory of 2924	3028	967548928.exe	30
PID 3028 wrote to memory of 2924	3028	967548928.exe	30
PID 3028 wrote to memory of 1852	3028	967548928.exe	31
PID 3028 wrote to memory of 1852	3028	967548928.exe	31
PID 3028 wrote to memory of 1852	3028	967548928.exe	31
PID 3028 wrote to memory of 1852	3028	967548928.exe	31
PID 1852 wrote to memory of 2044	1852	cmd.exe	33
PID 1852 wrote to memory of 2044	1852	cmd.exe	33
PID 1852 wrote to memory of 2044	1852	cmd.exe	33
PID 1852 wrote to memory of 2044	1852	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\967548928.exe
"C:\Users\Admin\AppData\Local\Temp\967548928.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\967548928.exe
  "C:\Users\Admin\AppData\Local\Temp\967548928.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 3 & del "C:\Users\Admin\AppData\Local\Temp\*.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\967548928.exe

Filesize
7.5MB

MD5
c779dc49ccf55ca8d382e1ab646cf383

SHA1
73a5fc3cf86a26b57b28f6b340f9e6194c38bd21

SHA256
0a816f8479cbccb30ae2ae6a693a3ac60c49614414a59b155b1063e582f3b92e

SHA512
73aaee51f494fb6742a3f46b66c25cca04b3d8fb04af4eb70b04ab3a9663d5b434219c639c88dc9d4059c69e4174c603fb55d9840262c9fd8430e18ce7e510c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\967548928.exe

Filesize
7.5MB

MD5
c779dc49ccf55ca8d382e1ab646cf383

SHA1
73a5fc3cf86a26b57b28f6b340f9e6194c38bd21

SHA256
0a816f8479cbccb30ae2ae6a693a3ac60c49614414a59b155b1063e582f3b92e

SHA512
73aaee51f494fb6742a3f46b66c25cca04b3d8fb04af4eb70b04ab3a9663d5b434219c639c88dc9d4059c69e4174c603fb55d9840262c9fd8430e18ce7e510c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\967548928.exe

Filesize
7.5MB

MD5
c779dc49ccf55ca8d382e1ab646cf383

SHA1
73a5fc3cf86a26b57b28f6b340f9e6194c38bd21

SHA256
0a816f8479cbccb30ae2ae6a693a3ac60c49614414a59b155b1063e582f3b92e

SHA512
73aaee51f494fb6742a3f46b66c25cca04b3d8fb04af4eb70b04ab3a9663d5b434219c639c88dc9d4059c69e4174c603fb55d9840262c9fd8430e18ce7e510c3

Download Submit
\Users\Admin\AppData\Local\Temp\967548928.exe

Filesize
7.5MB

MD5
c779dc49ccf55ca8d382e1ab646cf383

SHA1
73a5fc3cf86a26b57b28f6b340f9e6194c38bd21

SHA256
0a816f8479cbccb30ae2ae6a693a3ac60c49614414a59b155b1063e582f3b92e

SHA512
73aaee51f494fb6742a3f46b66c25cca04b3d8fb04af4eb70b04ab3a9663d5b434219c639c88dc9d4059c69e4174c603fb55d9840262c9fd8430e18ce7e510c3

Download Submit
memory/2924-250-0x0000000000400000-0x0000000000FA9000-memory.dmp

Filesize
11.7MB

Download
memory/2924-251-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/3028-57-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3028-67-0x0000000073B50000-0x0000000073C38000-memory.dmp

Filesize
928KB

Download
memory/3028-3-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-4-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3028-6-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3028-8-0x0000000075F90000-0x000000007603C000-memory.dmp

Filesize
688KB

Download
memory/3028-10-0x00000000769C0000-0x0000000076A07000-memory.dmp

Filesize
284KB

Download
memory/3028-11-0x0000000076960000-0x00000000769B7000-memory.dmp

Filesize
348KB

Download
memory/3028-12-0x00000000745F0000-0x00000000745F9000-memory.dmp

Filesize
36KB

Download
memory/3028-13-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-15-0x0000000075740000-0x000000007589C000-memory.dmp

Filesize
1.4MB

Download
memory/3028-16-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-17-0x0000000075EF0000-0x0000000075F7F000-memory.dmp

Filesize
572KB

Download
memory/3028-18-0x0000000073C40000-0x0000000073CC0000-memory.dmp

Filesize
512KB

Download
memory/3028-19-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-49-0x00000000744F0000-0x00000000745E5000-memory.dmp

Filesize
980KB

Download
memory/3028-21-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/3028-22-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3028-23-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-24-0x0000000009CA0000-0x000000000A772000-memory.dmp

Filesize
10.8MB

Download
memory/3028-25-0x000000000B770000-0x000000000BA34000-memory.dmp

Filesize
2.8MB

Download
memory/3028-27-0x000000000BA40000-0x000000000BB59000-memory.dmp

Filesize
1.1MB

Download
memory/3028-26-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-63-0x00000000744E0000-0x00000000744E3000-memory.dmp

Filesize
12KB

Download
memory/3028-29-0x00000000769C0000-0x0000000076A07000-memory.dmp

Filesize
284KB

Download
memory/3028-30-0x000000000BA40000-0x000000000BB59000-memory.dmp

Filesize
1.1MB

Download
memory/3028-32-0x0000000075F90000-0x000000007603C000-memory.dmp

Filesize
688KB

Download
memory/3028-36-0x0000000076960000-0x00000000769B7000-memory.dmp

Filesize
348KB

Download
memory/3028-38-0x0000000074720000-0x000000007476A000-memory.dmp

Filesize
296KB

Download
memory/3028-40-0x0000000075740000-0x000000007589C000-memory.dmp

Filesize
1.4MB

Download
memory/3028-42-0x0000000074600000-0x000000007467D000-memory.dmp

Filesize
500KB

Download
memory/3028-47-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-48-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3028-51-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3028-54-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3028-1-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3028-60-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3028-20-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-2-0x0000000074720000-0x000000007476A000-memory.dmp

Filesize
296KB

Download
memory/3028-28-0x000000000BA40000-0x000000000BB59000-memory.dmp

Filesize
1.1MB

Download
memory/3028-65-0x0000000073C40000-0x0000000073CC0000-memory.dmp

Filesize
512KB

Download
memory/3028-69-0x0000000073B30000-0x0000000073B43000-memory.dmp

Filesize
76KB

Download
memory/3028-70-0x000000000BA40000-0x000000000BB59000-memory.dmp

Filesize
1.1MB

Download
memory/3028-71-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3028-72-0x0000000076E90000-0x0000000076E91000-memory.dmp

Filesize
4KB

Download
memory/3028-73-0x0000000076840000-0x0000000076841000-memory.dmp

Filesize
4KB

Download
memory/3028-74-0x0000000076780000-0x0000000076781000-memory.dmp

Filesize
4KB

Download
memory/3028-75-0x0000000076EA0000-0x0000000076EA1000-memory.dmp

Filesize
4KB

Download
memory/3028-76-0x0000000076790000-0x0000000076791000-memory.dmp

Filesize
4KB

Download
memory/3028-77-0x00000000767A0000-0x00000000767A1000-memory.dmp

Filesize
4KB

Download
memory/3028-78-0x00000000767C0000-0x00000000767C1000-memory.dmp

Filesize
4KB

Download
memory/3028-79-0x00000000767E0000-0x00000000767E1000-memory.dmp

Filesize
4KB

Download
memory/3028-80-0x00000000767B0000-0x00000000767B1000-memory.dmp

Filesize
4KB

Download
memory/3028-81-0x0000000076850000-0x0000000076851000-memory.dmp

Filesize
4KB

Download
memory/3028-82-0x0000000002BB0000-0x0000000002BB5000-memory.dmp

Filesize
20KB

Download
memory/3028-68-0x0000000074930000-0x000000007557A000-memory.dmp

Filesize
12.3MB

Download
memory/3028-83-0x00000000769C0000-0x0000000076A07000-memory.dmp

Filesize
284KB

Download
memory/3028-86-0x0000000076820000-0x0000000076821000-memory.dmp

Filesize
4KB

Download
memory/3028-87-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-85-0x0000000076810000-0x0000000076811000-memory.dmp

Filesize
4KB

Download
memory/3028-84-0x0000000076E80000-0x0000000076E81000-memory.dmp

Filesize
4KB

Download
memory/3028-88-0x000000006E7D0000-0x000000006E7E7000-memory.dmp

Filesize
92KB

Download
memory/3028-89-0x000000000F510000-0x000000000F545000-memory.dmp

Filesize
212KB

Download
memory/3028-90-0x000000006E750000-0x000000006E765000-memory.dmp

Filesize
84KB

Download
memory/3028-91-0x000000006E770000-0x000000006E7C2000-memory.dmp

Filesize
328KB

Download
memory/3028-92-0x000000000F510000-0x000000000F545000-memory.dmp

Filesize
212KB

Download
memory/3028-93-0x000000006E740000-0x000000006E74D000-memory.dmp

Filesize
52KB

Download
memory/3028-94-0x00000000761B0000-0x00000000761C9000-memory.dmp

Filesize
100KB

Download
memory/3028-95-0x000000006E630000-0x000000006E67F000-memory.dmp

Filesize
316KB

Download
memory/3028-96-0x000000006E680000-0x000000006E6D8000-memory.dmp

Filesize
352KB

Download
memory/3028-97-0x000000006E680000-0x000000006E6D8000-memory.dmp

Filesize
352KB

Download
memory/3028-98-0x00000000748C0000-0x00000000748CC000-memory.dmp

Filesize
48KB

Download
memory/3028-0-0x0000000000400000-0x0000000000FA3000-memory.dmp

Filesize
11.6MB

Download
memory/3028-104-0x00000000767D0000-0x00000000767D1000-memory.dmp

Filesize
4KB

Download
memory/3028-139-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/3028-140-0x000000000BA40000-0x000000000BB59000-memory.dmp

Filesize
1.1MB

Download
memory/3028-148-0x000000006E680000-0x000000006E6D8000-memory.dmp

Filesize
352KB

Download
memory/3028-191-0x0000000076830000-0x0000000076831000-memory.dmp

Filesize
4KB

Download
memory/3028-317-0x0000000011AA0000-0x0000000012649000-memory.dmp

Filesize
11.7MB

Download