9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
21/02/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

2.3MB
MD5

ee9a10cc6bd9f7796059ae02ba639f1e
SHA1

23747dee593504e58b971aebe0c141ec6c731f06
SHA256

9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144
SHA512

0ae1239ea582fb113e7598005835c40327dab40f4e4c72c2b18c1344cba32adc769d18f719c4ce92a2be6c9875379ca1c3f493c44c7a799f8078aff7ccf0efdc
SSDEEP

49152:DI10S/UlnJt37NunQ7Djx4Z1OeAps9EWwPgTRNMWhJve8IWye3bJAsjrXh1:DI10blJuGuZgeAp9WjNp5e1Wye3bO8Dz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4224	agentaez1y.exe
1968	intagext.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	intagext.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	intagext.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	intagext.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3980	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4064	WINWORD.EXE
4064	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4024	a.exe
4024	a.exe
4224	agentaez1y.exe
4224	agentaez1y.exe
4224	agentaez1y.exe
4224	agentaez1y.exe
4224	agentaez1y.exe
4224	agentaez1y.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4024	a.exe
Token: SeDebugPrivilege	1968	intagext.exe
Token: SeDebugPrivilege	1968	intagext.exe
Token: SeDebugPrivilege	1968	intagext.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE
4064	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4064	4024	a.exe	79
PID 4024 wrote to memory of 4064	4024	a.exe	79
PID 4024 wrote to memory of 4224	4024	a.exe	80
PID 4024 wrote to memory of 4224	4024	a.exe	80
PID 4024 wrote to memory of 4224	4024	a.exe	80
PID 4024 wrote to memory of 2420	4024	a.exe	81
PID 4024 wrote to memory of 2420	4024	a.exe	81
PID 4024 wrote to memory of 2420	4024	a.exe	81
PID 4224 wrote to memory of 1968	4224	agentaez1y.exe	85
PID 4224 wrote to memory of 1968	4224	agentaez1y.exe	85
PID 4224 wrote to memory of 1968	4224	agentaez1y.exe	85
PID 4224 wrote to memory of 4008	4224	agentaez1y.exe	86
PID 4224 wrote to memory of 4008	4224	agentaez1y.exe	86
PID 4224 wrote to memory of 4008	4224	agentaez1y.exe	86
PID 4008 wrote to memory of 3980	4008	cmd.exe	88
PID 4008 wrote to memory of 3980	4008	cmd.exe	88
PID 4008 wrote to memory of 3980	4008	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe
  "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe
    "C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 0.0.0.0 & del "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0.0.0.0
      4⤵
      Runs ping.exe
      PID:3980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\a.exe > nul
  2⤵
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Accounts\goopdate.dll

Filesize
544KB

MD5
0b06c23090150af11511a2b8d2c80612

SHA1
a4561633c0e67210e63e10b5177eebb6213d6465

SHA256
84f7b9759a098ddbd0c6f624fc4f545efe128260a5fcfcd12d86b95ffe128a41

SHA512
3a5d5ade016ffcc2404d7763ca2eb604525f77508798fdefe8d75e84808ab914ea096202c8a85ad2381c6c05f015d441c43d6cd08bbed9f376e68155c73172a3

Download Submit
C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe

Filesize
193KB

MD5
39342d0d279b0eb767292c3e01150da6

SHA1
69e26aaf3bf889df7f3c6c3d1b43099080ec6b76

SHA256
d2b417cf6a903c7154fe07fad1f5eaca9b0b3c5a7a7e80cf1bf16449fc7d24d9

SHA512
70e5d6f52a56bfc82c973694cf84a35663d61f262858e8152bf9aaf381ae1e1135cc3111a30c9d0aae6cdbf457a38780a5f860fe8706e7794987bc1e2248c429

Download Submit
C:\ProgramData\Microsoft\Windows\Accounts\theme.dat

Filesize
719KB

MD5
f72e56cad69213240dcd0562c8f97619

SHA1
beb2dd97adacd208f43c1b23bec50366a31ce1c6

SHA256
247358733d29e51ad4db53a375107592c449eb37fbc9e7c2e822de9ca00633bf

SHA512
2e930f34885bda0485f7b5166dbc12b08ae03da3a4ff8e007488876a41d37913a70899143e3bfdf3c7fd47458cdf9ede5f52b52719ef94c3e3ed5b7edac11d30

Download Submit
C:\ProgramData\Microsoft\eHome\thumbcache.dat

Filesize
14KB

MD5
082cfaf321e0585263cbc369f7b5ed6c

SHA1
7f8ad5a7d6eb31228ac89c51a1bf77e98b7579df

SHA256
7a4e62d44ad082b3efef12bdd605c64c927f5a9778456068f692f116070077e4

SHA512
055d7a575d9dfabff9eec2f4193929d19699e13d9c2aff93a6c784574c6505232886988158a9a2b6b8b5234ce5ab2c3f3996ed0d62fa64834f593bbb5c9720f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe

Filesize
1.4MB

MD5
86d180ea6ba4b97d3ef42d8ebe9c2891

SHA1
3c2de95609f1e92635e784feb2aa2f477a75c953

SHA256
16ce82fa2484a8c4b1a7422ba839bc4faabcc59c1a1d19b49b3051310bccf6c6

SHA512
c2ad17f3de4024f4ecb47a93d809ffe8e04ad2d666cb0d32dfae3700c3156c24c12093914160ea37cb26e3dc26e9a7bf9d20c1beefe0c4b6408725927cd6ee44

Download Submit
C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe

Filesize
64KB

MD5
b8a25578af8b6b5745cb745fada548b1

SHA1
933ac6b64cc55b823f126ed85e2ee3c898bc81cc

SHA256
9158596c23d9d112677d98115d5fb8f09cc896f680831bd3e2ee2f95284c1de6

SHA512
d46e5900564b47cd5ead3a9919e7dd74fd3730138ae9fe5a59529fc2a2553ec8c81bbcf8ab089bd626c3db5702788861a95ea3e4ec4f58b523f45189982513a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe

Filesize
139KB

MD5
1f4726b1d066dd893401b57bf878b00f

SHA1
03bdf859f7ed1774a3e4815f99f9b812fe509cf1

SHA256
45d73c9e89795a6f0d380d979db3b054abe4381414a23b89b21ea219cfcfb601

SHA512
93fa60c4ecbee3f87bde1973d4cfe93c6ebfec43f88cbea5df3adfd8f1af6483f0127b28dcc5169ee10491c58799b545fed9ed7d25f516416bd20c831aa9c543

Download Submit
C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx

Filesize
11KB

MD5
4363693fba849bb28412a957f2ab9be1

SHA1
9439d4bc731e970603eec1936eb338a3f32a324a

SHA256
4dc5394a0963dce4eb12f186ff47432ab121eb024bbc3cf40d60b21bcc3a0af2

SHA512
27c31791bddb37891ea064b1e3654880904cefe5d370ae93f26aaf52273ac1de5e811c389b44bdf06fb1767061a76b3fefa259f971382d71742415f3a9f206c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1968-121-0x0000000003160000-0x000000000320E000-memory.dmp

Filesize
696KB

Download
memory/1968-65-0x0000000010000000-0x00000000100AE000-memory.dmp

Filesize
696KB

Download
memory/4064-35-0x00007FFD39B40000-0x00007FFD39B50000-memory.dmp

Filesize
64KB

Download
memory/4064-24-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-26-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-28-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-27-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-29-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-30-0x00007FFD39B40000-0x00007FFD39B50000-memory.dmp

Filesize
64KB

Download
memory/4064-31-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-32-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-33-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-36-0x00007FFD7B610000-0x00007FFD7B6CD000-memory.dmp

Filesize
756KB

Download
memory/4064-34-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-23-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-151-0x00007FFD7B610000-0x00007FFD7B6CD000-memory.dmp

Filesize
756KB

Download
memory/4064-37-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-25-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-55-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-150-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-21-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-17-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-16-0x00007FFD7C4E0000-0x00007FFD7C6E9000-memory.dmp

Filesize
2.0MB

Download
memory/4064-20-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-14-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-149-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-22-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-146-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-147-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4064-148-0x00007FFD3C570000-0x00007FFD3C580000-memory.dmp

Filesize
64KB

Download
memory/4224-116-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4224-56-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4224-38-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download