Malware Analysis Report

2024-09-11 01:38

Sample ID 240115-meastseabm
Target 21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010
SHA256 21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010
Tags agenda ransomware
Score 10/10


Analysis Overview

Threat Level: Known bad

The file 21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010 was found to be: Known bad.

Malicious Activity Summary

agenda ransomware

Agenda Ransomware

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-01-15 10:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-15 10:22
Reported 2024-01-15 10:26
Platform win10-20231215-en
Max time kernel 252s
Max time network 262s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
"C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe -password Y4aYnqmoKD

C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe -password AgendaPass

Network

Country Destination Domain Proto
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/996-0-0x0000000010000000-0x00000000103B3000-memory.dmp

memory/996-10-0x0000000000930000-0x0000000000D35000-memory.dmp

memory/4664-11-0x0000000010000000-0x00000000103B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

MD5 4ced05a22037a2e49540f6ba25573e48
SHA1 7937d44a2d9008290b1a75972a4de10b16c7c2c9
SHA256 21d364e83c5b795c9fe28e46bef7d57b8fe32f51cb358580bb4d191b19053a40
SHA512 0a8f9f7b23db787ed2489eb2d03811ad465f44dd7be626799bc53776455a7e2788e0fb2351043d97730f4a4e2f426e28bd8ed61b4786474b03c2db15b55a57bf

memory/4664-26-0x0000000000930000-0x0000000000D35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

MD5 b2f87ca1222c0fb6ad9ba106bc91de56
SHA1 69d879fb0af8d18b2b7a667f5d9140b5bb907f5b
SHA256 7cb77e24cc2dbe08cb6efe6fabc7b715335ae2f72d4165280238fa331c8ea43f
SHA512 c0d310cd181d62cfd0279508d1288c812779d1ab9f3a82d94076da58a765da7ea08fd120e17175735ecba901bd1f1e8f331464b9d12ea4e644a1354e9692fc31

memory/2768-42-0x0000000000930000-0x0000000000D35000-memory.dmp