agenda | 21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010

Resubmissions

22-02-2024 11:51

240222-n1a66agf8t 10

15-01-2024 10:30

240115-mjzmrafbc2 10

15-01-2024 10:22

240115-meastseabm 10

26-12-2023 04:42

231226-fb3acafcdq 10

Analysis

max time kernel
126s
max time network
136s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
Size

4.0MB
MD5

390b8c1bf2838bff01edcf34f9420990
SHA1

8a28ec5aeaf8e96b0d72115b589bc38eb153b3b1
SHA256

21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010
SHA512

3838a35dade4f16f07f7f5e384c868038b1abd5b03589563df6f6dbf63a1b33e270f81f97daea1231d4f1139fd44ddc6788b90ab558ebd3ca1c14df843b320a2
SSDEEP

98304:OytVc8V5odJBN4SIQLp468SI/JTpjaYDQ7toz/ngwa:OCO8EJBN4SJLp4b7VWYDQ7toz/Za

Score

10^/10

agenda ransomware

Malware Config

Extracted

Family

agenda

Attributes

company_id
Y4aYnqmoKD
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: Y4aYnqmoKD Domain: mc3lcg4lqmwcrk34geaqokyjyhvjeh2alsiklpgnaqe25466isopv3id.onion login: R5ZHFB-RiA_94UGXxYDObv6Xriy7JCxb password:

rsa_pubkey.plain

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 3364	1564	cmd.exe	79
PID 1564 wrote to memory of 3364	1564	cmd.exe	79
PID 1564 wrote to memory of 3364	1564	cmd.exe	79
PID 1564 wrote to memory of 4720	1564	cmd.exe	80
PID 1564 wrote to memory of 4720	1564	cmd.exe	80
PID 1564 wrote to memory of 4720	1564	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
"C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"
1⤵
PID:3628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
  21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe -password AgendaPass
  2⤵
  PID:3364
- C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
  21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe --password AgendaPass
  2⤵
  PID:4720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

Filesize
187B

MD5
010069f4e6a1b1a8a86694a059d5be03

SHA1
a91207db467e3b4197c85503d8a45305a380be7c

SHA256
920662f12fd1833f3464b42337d11efb82a4b50153c3c4904bf52dff91d37ab7

SHA512
206bdc9ce40fafbca799bf6e07d43045ccdc764d935a375565788a7c7ae1369006b27cabace9b62a1e2e05b5e2422f97fd26060c6c8ea63bb25c352a29703d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

Filesize
591B

MD5
2108f0dc921ab153960fe9aa23392539

SHA1
62a36f1af59774f342a261f5878f79362f1a38f5

SHA256
432ad3f661d33be475932a77c3cf2fe6cd27c8659be8d211ae77b0bf55ee23b0

SHA512
0e0aae09f4183de065668a06c246242300a573ebdcbc9df51282481725c3975986edab52dee2f22c91c2f3f1e0c2b6accf81a4a3b8cf66d672bdc9c211b86072

Download Submit
memory/3364-11-0x0000000010000000-0x00000000103B3000-memory.dmp

Filesize
3.7MB

Download
memory/3364-26-0x0000000000810000-0x0000000000C15000-memory.dmp

Filesize
4.0MB

Download
memory/3628-0-0x0000000010000000-0x00000000103B3000-memory.dmp

Filesize
3.7MB

Download
memory/3628-10-0x0000000000810000-0x0000000000C15000-memory.dmp

Filesize
4.0MB

Download
memory/4720-41-0x0000000000810000-0x0000000000C15000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads