agenda | 21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010

Resubmissions

22-02-2024 11:51

240222-n1a66agf8t 10

15-01-2024 10:30

240115-mjzmrafbc2 10

15-01-2024 10:22

240115-meastseabm 10

26-12-2023 04:42

231226-fb3acafcdq 10

Analysis

max time kernel
252s
max time network
262s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
Size

4.0MB
MD5

390b8c1bf2838bff01edcf34f9420990
SHA1

8a28ec5aeaf8e96b0d72115b589bc38eb153b3b1
SHA256

21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010
SHA512

3838a35dade4f16f07f7f5e384c868038b1abd5b03589563df6f6dbf63a1b33e270f81f97daea1231d4f1139fd44ddc6788b90ab558ebd3ca1c14df843b320a2
SSDEEP

98304:OytVc8V5odJBN4SIQLp468SI/JTpjaYDQ7toz/ngwa:OCO8EJBN4SJLp4b7VWYDQ7toz/Za

Score

10^/10

agenda ransomware

Malware Config

Extracted

Family

agenda

Attributes

company_id
Y4aYnqmoKD
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: Y4aYnqmoKD Domain: mc3lcg4lqmwcrk34geaqokyjyhvjeh2alsiklpgnaqe25466isopv3id.onion login: R5ZHFB-RiA_94UGXxYDObv6Xriy7JCxb password:

rsa_pubkey.plain

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4664	4288	cmd.exe	79
PID 4288 wrote to memory of 4664	4288	cmd.exe	79
PID 4288 wrote to memory of 4664	4288	cmd.exe	79
PID 4288 wrote to memory of 2768	4288	cmd.exe	80
PID 4288 wrote to memory of 2768	4288	cmd.exe	80
PID 4288 wrote to memory of 2768	4288	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
"C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"
1⤵
PID:996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
  21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe -password Y4aYnqmoKD
  2⤵
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
  21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe -password AgendaPass
  2⤵
  PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

Filesize
187B

MD5
4ced05a22037a2e49540f6ba25573e48

SHA1
7937d44a2d9008290b1a75972a4de10b16c7c2c9

SHA256
21d364e83c5b795c9fe28e46bef7d57b8fe32f51cb358580bb4d191b19053a40

SHA512
0a8f9f7b23db787ed2489eb2d03811ad465f44dd7be626799bc53776455a7e2788e0fb2351043d97730f4a4e2f426e28bd8ed61b4786474b03c2db15b55a57bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

Filesize
591B

MD5
b2f87ca1222c0fb6ad9ba106bc91de56

SHA1
69d879fb0af8d18b2b7a667f5d9140b5bb907f5b

SHA256
7cb77e24cc2dbe08cb6efe6fabc7b715335ae2f72d4165280238fa331c8ea43f

SHA512
c0d310cd181d62cfd0279508d1288c812779d1ab9f3a82d94076da58a765da7ea08fd120e17175735ecba901bd1f1e8f331464b9d12ea4e644a1354e9692fc31

Download Submit
memory/996-0-0x0000000010000000-0x00000000103B3000-memory.dmp

Filesize
3.7MB

Download
memory/996-10-0x0000000000930000-0x0000000000D35000-memory.dmp

Filesize
4.0MB

Download
memory/2768-42-0x0000000000930000-0x0000000000D35000-memory.dmp

Filesize
4.0MB

Download
memory/4664-11-0x0000000010000000-0x00000000103B3000-memory.dmp

Filesize
3.7MB

Download
memory/4664-26-0x0000000000930000-0x0000000000D35000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads