9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144

Analysis

max time kernel
135s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
21/02/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

2.3MB
MD5

ee9a10cc6bd9f7796059ae02ba639f1e
SHA1

23747dee593504e58b971aebe0c141ec6c731f06
SHA256

9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144
SHA512

0ae1239ea582fb113e7598005835c40327dab40f4e4c72c2b18c1344cba32adc769d18f719c4ce92a2be6c9875379ca1c3f493c44c7a799f8078aff7ccf0efdc
SSDEEP

49152:DI10S/UlnJt37NunQ7Djx4Z1OeAps9EWwPgTRNMWhJve8IWye3bJAsjrXh1:DI10blJuGuZgeAp9WjNp5e1Wye3bO8Dz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
212	agentaez1y.exe
2712	intagext.exe

Loads dropped DLL 1 IoCs

pid	Process
2712	intagext.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	intagext.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	intagext.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3724	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4780	WINWORD.EXE
4780	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4772	a.exe
4772	a.exe
212	agentaez1y.exe
212	agentaez1y.exe
212	agentaez1y.exe
212	agentaez1y.exe
212	agentaez1y.exe
212	agentaez1y.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4772	a.exe
Token: SeDebugPrivilege	2712	intagext.exe
Token: SeDebugPrivilege	2712	intagext.exe
Token: SeDebugPrivilege	2712	intagext.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4780	4772	a.exe	74
PID 4772 wrote to memory of 4780	4772	a.exe	74
PID 4772 wrote to memory of 212	4772	a.exe	75
PID 4772 wrote to memory of 212	4772	a.exe	75
PID 4772 wrote to memory of 212	4772	a.exe	75
PID 4772 wrote to memory of 4808	4772	a.exe	76
PID 4772 wrote to memory of 4808	4772	a.exe	76
PID 4772 wrote to memory of 4808	4772	a.exe	76
PID 212 wrote to memory of 2712	212	agentaez1y.exe	80
PID 212 wrote to memory of 2712	212	agentaez1y.exe	80
PID 212 wrote to memory of 2712	212	agentaez1y.exe	80
PID 212 wrote to memory of 4572	212	agentaez1y.exe	81
PID 212 wrote to memory of 4572	212	agentaez1y.exe	81
PID 212 wrote to memory of 4572	212	agentaez1y.exe	81
PID 4572 wrote to memory of 3724	4572	cmd.exe	83
PID 4572 wrote to memory of 3724	4572	cmd.exe	83
PID 4572 wrote to memory of 3724	4572	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe
  "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe
    "C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 0.0.0.0 & del "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0.0.0.0
      4⤵
      Runs ping.exe
      PID:3724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\a.exe > nul
  2⤵
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Accounts\goopdate.dll

Filesize
544KB

MD5
0b06c23090150af11511a2b8d2c80612

SHA1
a4561633c0e67210e63e10b5177eebb6213d6465

SHA256
84f7b9759a098ddbd0c6f624fc4f545efe128260a5fcfcd12d86b95ffe128a41

SHA512
3a5d5ade016ffcc2404d7763ca2eb604525f77508798fdefe8d75e84808ab914ea096202c8a85ad2381c6c05f015d441c43d6cd08bbed9f376e68155c73172a3

Download Submit
C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe

Filesize
193KB

MD5
39342d0d279b0eb767292c3e01150da6

SHA1
69e26aaf3bf889df7f3c6c3d1b43099080ec6b76

SHA256
d2b417cf6a903c7154fe07fad1f5eaca9b0b3c5a7a7e80cf1bf16449fc7d24d9

SHA512
70e5d6f52a56bfc82c973694cf84a35663d61f262858e8152bf9aaf381ae1e1135cc3111a30c9d0aae6cdbf457a38780a5f860fe8706e7794987bc1e2248c429

Download Submit
C:\ProgramData\Microsoft\Windows\Accounts\theme.dat

Filesize
719KB

MD5
4b205e71499fa2d886348ec719d1c50f

SHA1
afe62f0f410b516ccc05e8eecb876f5caa7a7118

SHA256
1ac59fbb16c5fc2a5f61afc4f0b409eb5ab0e91b0a4390b52eff208f0a204850

SHA512
749a71f717c76ce88b8e984c6bb6495b0538897215161ad1cfb746b0b1c07bcfba958219f687e8fe3067340f066c4b0ae8a52ec7345d49c517f2286d71192899

Download Submit
C:\ProgramData\Microsoft\eHome\thumbcache.dat

Filesize
14KB

MD5
a85debe5b5a1a1089858e3aa1e7f2207

SHA1
21683a48bbdfef0478d2307bf2af54476e4ac3a1

SHA256
c87134eaa2f623044cfc598dae72d1ffc770d0f541814f4ceb2748777386f825

SHA512
4723408a0753cf20e7f5c42d8f9d804269b58803ba37620fad535389171d89920ceeade55d5832427e5ea06ac3cf57628fc1c2c8f0c1a663369e3fccd3a6c5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe

Filesize
2.2MB

MD5
1161070b198d3a360bb699a58197c102

SHA1
f2872fc4101fa4781c6f7206e50eae3d1c5e79e2

SHA256
30f58490b5ac155bd5fab3a72e2d112dbfa599670b3d6fcdf9150aee0f9c4810

SHA512
da99f707f0d462592135161dfd80978e229fa0ec672dffcfa8c7b63c2518111cfcee144861385528b92c3ec112010acf46096b31fddfdcfdfa878c7b91eaa6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx

Filesize
11KB

MD5
4363693fba849bb28412a957f2ab9be1

SHA1
9439d4bc731e970603eec1936eb338a3f32a324a

SHA256
4dc5394a0963dce4eb12f186ff47432ab121eb024bbc3cf40d60b21bcc3a0af2

SHA512
27c31791bddb37891ea064b1e3654880904cefe5d370ae93f26aaf52273ac1de5e811c389b44bdf06fb1767061a76b3fefa259f971382d71742415f3a9f206c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/212-304-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/212-14-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/212-209-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2712-316-0x00000000022B0000-0x000000000235E000-memory.dmp

Filesize
696KB

Download
memory/2712-218-0x0000000010000000-0x00000000100AE000-memory.dmp

Filesize
696KB

Download
memory/4780-19-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-306-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-22-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-25-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-28-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-26-0x00007FF8BE690000-0x00007FF8BE73E000-memory.dmp

Filesize
696KB

Download
memory/4780-27-0x00007FF87C690000-0x00007FF87C6A0000-memory.dmp

Filesize
64KB

Download
memory/4780-29-0x00007FF87C690000-0x00007FF87C6A0000-memory.dmp

Filesize
64KB

Download
memory/4780-20-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-17-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-18-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-16-0x00007FF8BE690000-0x00007FF8BE73E000-memory.dmp

Filesize
696KB

Download
memory/4780-15-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-13-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-12-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-11-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-305-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-24-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-307-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-308-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-309-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-310-0x00007FF8BE690000-0x00007FF8BE73E000-memory.dmp

Filesize
696KB

Download
memory/4780-311-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-10-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-389-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-390-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-393-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-392-0x00007FF8BE690000-0x00007FF8BE73E000-memory.dmp

Filesize
696KB

Download
memory/4780-391-0x00007FF87F520000-0x00007FF87F530000-memory.dmp

Filesize
64KB

Download
memory/4780-394-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-396-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-395-0x00007FF8BF490000-0x00007FF8BF66B000-memory.dmp

Filesize
1.9MB

Download
memory/4780-397-0x00007FF8BE690000-0x00007FF8BE73E000-memory.dmp

Filesize
696KB

Download