Analysis
- max time kernel: 16s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 01:09
Static task: static1
Behavioral task: behavioral1
- Sample: 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
- Resource: win10v2004-20240226-en
Errors
General
- Target: 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
- Size: 592KB
- MD5: b63b90d3af7597a04d5ffe3d9063c7b8
- SHA1: 321be5044cd8243232920dd34657c0cc4ed8fc0f
- SHA256: 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39
- SHA512: 860ff673136c16c2cee0bf66705fd0342e29fbfa61886a507862d735032fc6d06e96151a491022801fe2981bd90f1b20375c6efa60a1a0a94bad212c57675473
- SSDEEP: 12288:/fNYNjOGJ/USJi02fxLCiWsJBnn43wWuGdj64ZsBLHFz/Hd3t1X:nyNyDSJiJksJBnn7lisBRrhX
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 2528 cmd.exe
- Obfuscated with Agile.Net obfuscator (4 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resources (resource, yara_rule):
  - behavioral1/memory/2032-6-0x000000001BBE0000-0x000000001BD20000-memory.dmp agile_net
  - behavioral1/memory/2032-8-0x0000000000C70000-0x0000000000CF0000-memory.dmp agile_net
  - behavioral1/memory/2032-9-0x0000000000C70000-0x0000000000CF0000-memory.dmp agile_net
  - behavioral1/files/0x000c000000012241-11.dat agile_net
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process):
  - 2032 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 2032 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
  - 2032 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 2032 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
  - Token: SeShutdownPrivilege 2536 shutdown.exe
  - Token: SeRemoteShutdownPrivilege 2536 shutdown.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, procid_target):
  - PID 2032 wrote to memory of 2536 | 2032 | 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | 29
  - PID 2032 wrote to memory of 2536 | 2032 | 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | 29
  - PID 2032 wrote to memory of 2536 | 2032 | 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | 29
  - PID 2032 wrote to memory of 2528 | 2032 | 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | 32
  - PID 2032 wrote to memory of 2528 | 2032 | 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | 32
  - PID 2032 wrote to memory of 2528 | 2032 | 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | 32
  - PID 2528 wrote to memory of 2428 | 2528 | cmd.exe | 34
  - PID 2528 wrote to memory of 2428 | 2528 | cmd.exe | 34
  - PID 2528 wrote to memory of 2428 | 2528 | cmd.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe"
  PID: 2032
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /s /t 10
    PID: 2536
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe"
    PID: 2528
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 2428
      - Runs ping.exe
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2564
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2996
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 569KB
  MD5: 5991b35b8d42d8c3ad6437c981d08151
  SHA1: bebe225bf296bda4e7f5e1f98995311bb49a8381
  SHA256: a73e34d7fdf69e8e7f3ba45e8801ebd5d00ae008a68c8a20ab753c9e1ee88513
  SHA512: 10a83a6545821a074766b3d2849169bd053e86d5c6dc702de7b9cba8d4545469d22e7634ffbcb9669daec8156c32f65d984f6ecb765de93ca116188927beb87c