Analysis
max time kernel: 143s
max time network: 79s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 05:20
Behavioral task
behavioral1
Sample: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
Resource: win7-20231129-en
9 signatures
150 seconds
General
Target: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
Size: 203KB
MD5: 9e7de6d79ccc935fa7c1b629155ca2ef
SHA1: 09e1a1d16d81e0c7213cd2664bc47e5ce69165ed
SHA256: 52bed4d9c0fdb81bdc4abfd46b47b8f8fa2dcdd570fcdc94f300f087c8b3aa65
SHA512: 58f320b34ee14c21fb69e25afab572a3c91d8f78817c365b49d35b969d5b95cf4298d34a9a437b7e2d1f3113ecdad13d63e05dbfbe50925b3c780e69664d7853
SSDEEP: 6144:sLV6Bta6dtJmakIM5qDr7rb2Wdkytz9spP:sLV6Btpmk7mWltY
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"
  Process: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\AGP Manager\agpmgr.exe
  Process: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\AGP Manager\agpmgr.exe
  Process: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4752: schtasks.exe
  pid 3588: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 4944: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe (x3)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 4944: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid 4944: 9E7DE6D79CCC935FA7C1B629155CA2EF.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                procid_target
  PID 4944 wrote to memory of 3588  4944  9E7DE6D79CCC935FA7C1B629155CA2EF.exe  24  (x3)
  PID 4944 wrote to memory of 4752  4944  9E7DE6D79CCC935FA7C1B629155CA2EF.exe  23  (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe"
  PID: 4944
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp"
    PID: 4752
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3FF7.tmp"
    PID: 3588
    - Creates scheduled task(s)