Analysis Overview
SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
Threat Level: Known bad
The file 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464 was found to be: Known bad.
Malicious Activity Summary
Agenda family
Deletes shadow copies
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Uses Volume Shadow Copy service COM API
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-11-14 03:15
Signatures
Agenda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-14 03:15
Reported
2023-11-14 03:18
Platform
win7-20231023-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe" | C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
"C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/820-3-0x00000000001A0000-0x00000000001A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-14 03:15
Reported
2023-11-14 03:18
Platform
win10v2004-20231020-en
Max time kernel
2s
Max time network
116s
Command Line
Signatures
Deletes shadow copies
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4140 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe | C:\Windows\System32\cmd.exe |
| PID 4140 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe | C:\Windows\System32\cmd.exe |
| PID 3160 wrote to memory of 1808 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3160 wrote to memory of 1808 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
"C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |