Malware Analysis Report

2025-05-05 22:19

Sample ID 231012-xlbntahd4x
Target 967548928.exe
SHA256 4381d4a66eb1f618508864f87c6da09c67cfea42e21070823326f1ee45fb7b36
Tags
agilenet
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4381d4a66eb1f618508864f87c6da09c67cfea42e21070823326f1ee45fb7b36

Threat Level: Likely malicious

The file 967548928.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 18:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 18:56

Reported

2023-10-17 12:23

Platform

win7-20230831-en

Max time kernel

152s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\967548928.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\967548928.exe

"C:\Users\Admin\AppData\Local\Temp\967548928.exe"

C:\Users\Admin\AppData\Local\Temp\967548928.exe

"C:\Users\Admin\AppData\Local\Temp\967548928.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout /T 3 & del "C:\Users\Admin\AppData\Local\Temp\*.tmp"

C:\Windows\SysWOW64\timeout.exe

timeout /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.aptitude.pub udp
US 104.26.8.188:443 www.aptitude.pub tcp
US 8.8.8.8:53 aptitude.pub udp
US 104.26.9.188:443 aptitude.pub tcp

Files

C:\Users\Admin\AppData\Local\Temp\967548928.exe

MD5 c779dc49ccf55ca8d382e1ab646cf383
SHA1 73a5fc3cf86a26b57b28f6b340f9e6194c38bd21
SHA256 0a816f8479cbccb30ae2ae6a693a3ac60c49614414a59b155b1063e582f3b92e
SHA512 73aaee51f494fb6742a3f46b66c25cca04b3d8fb04af4eb70b04ab3a9663d5b434219c639c88dc9d4059c69e4174c603fb55d9840262c9fd8430e18ce7e510c3

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 18:56

Reported

2023-10-17 12:22

Platform

win10v2004-20230915-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\967548928.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\967548928.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\967548928.exe

"C:\Users\Admin\AppData\Local\Temp\967548928.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.aptitude.pub udp
US 104.26.8.188:443 www.aptitude.pub tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 188.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files
