Overview

overview

10

Static

static

3

21ab6e4cfe...10.exe

windows10-1703-x64

10

Resubmissions

22-02-2024 11:51

240222-n1a66agf8t 10

15-01-2024 10:30

240115-mjzmrafbc2 10

15-01-2024 10:22

240115-meastseabm 10

26-12-2023 04:42

231226-fb3acafcdq 10

Analysis

  • max time kernel
    126s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-01-2024 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe

  • Size

    4.0MB

  • MD5

    390b8c1bf2838bff01edcf34f9420990

  • SHA1

    8a28ec5aeaf8e96b0d72115b589bc38eb153b3b1

  • SHA256

    21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010

  • SHA512

    3838a35dade4f16f07f7f5e384c868038b1abd5b03589563df6f6dbf63a1b33e270f81f97daea1231d4f1139fd44ddc6788b90ab558ebd3ca1c14df843b320a2

  • SSDEEP

    98304:OytVc8V5odJBN4SIQLp468SI/JTpjaYDQ7toz/ngwa:OCO8EJBN4SJLp4b7VWYDQ7toz/Za

Score
10/10
agendaransomware

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    Y4aYnqmoKD

  • note

    -- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: Y4aYnqmoKD Domain: mc3lcg4lqmwcrk34geaqokyjyhvjeh2alsiklpgnaqe25466isopv3id.onion login: R5ZHFB-RiA_94UGXxYDObv6Xriy7JCxb password:

rsa_pubkey.plain

Signatures

  • Agenda Ransomware

    A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

    ransomwareagenda
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
    "C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"
    1⤵
      PID:3628
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3900
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
          21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe -password AgendaPass
          2⤵
            PID:3364
          • C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
            21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe --password AgendaPass
            2⤵
              PID:4720

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG
            Filesize

            187B

            MD5

            010069f4e6a1b1a8a86694a059d5be03

            SHA1

            a91207db467e3b4197c85503d8a45305a380be7c

            SHA256

            920662f12fd1833f3464b42337d11efb82a4b50153c3c4904bf52dff91d37ab7

            SHA512

            206bdc9ce40fafbca799bf6e07d43045ccdc764d935a375565788a7c7ae1369006b27cabace9b62a1e2e05b5e2422f97fd26060c6c8ea63bb25c352a29703d3b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG
            Filesize

            591B

            MD5

            2108f0dc921ab153960fe9aa23392539

            SHA1

            62a36f1af59774f342a261f5878f79362f1a38f5

            SHA256

            432ad3f661d33be475932a77c3cf2fe6cd27c8659be8d211ae77b0bf55ee23b0

            SHA512

            0e0aae09f4183de065668a06c246242300a573ebdcbc9df51282481725c3975986edab52dee2f22c91c2f3f1e0c2b6accf81a4a3b8cf66d672bdc9c211b86072

            Download Submit

          • memory/3364-11-0x0000000010000000-0x00000000103B3000-memory.dmp

            Filesize

            3.7MB

            Download

          • memory/3364-26-0x0000000000810000-0x0000000000C15000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3628-0-0x0000000010000000-0x00000000103B3000-memory.dmp

            Filesize

            3.7MB

            Download

          • memory/3628-10-0x0000000000810000-0x0000000000C15000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4720-41-0x0000000000810000-0x0000000000C15000-memory.dmp

            Filesize

            4.0MB

            Download