Analysis
  max time kernel: 16s
  max time network: 26s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 02-03-2024 01:20
Static task: static1

Behavioral task: behavioral1
  Sample: 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe
  Resource: win10v2004-20240226-en
General
  Target: 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe
  Size: 593KB
  MD5: a87ee49ce1a1e3e91ce2a64ce7afe4f6
  SHA1: 7353f88065dcea94df6d3e1342240a492c2cba7e
  SHA256: 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5
  SHA512: 1d288436e62d27e806daa004c6f8a6cfc961e6cd65a22a20b6e59c0b63db40330a988262f41cafb0cad5999149929c5cd3b238f9e038dd9b837b98261779f5e0
  SSDEEP: 12288:S0KXtBO2yxr6o049ArrqJtctQg5cNf5zOHWdwLKJUYrnXQTsnAh:W9IWrrqJOtx5Q5vdwUUY7ATlh
Malware Config
Signatures

Deletes itself (1 IoC)
  Process: cmd.exe (PID 3012)

Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA matches (rule agile_net):
    behavioral1/memory/2140-6-0x000000001BD10000-0x000000001BE50000-memory.dmp
    behavioral1/files/0x000b000000014b34-12.dat

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Process: 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe (PID 2140)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe (PID 2140), two occurrences

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 2140 466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe: Token SeDebugPrivilege
  PID 2660 shutdown.exe: Token SeShutdownPrivilege
  PID 2660 shutdown.exe: Token SeRemoteShutdownPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2140 (466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe) wrote to memory of PID 2660 (shutdown.exe), procid_target 29: 3 events
  PID 2140 (466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe) wrote to memory of PID 3012 (cmd.exe), procid_target 32: 3 events
  PID 3012 (cmd.exe) wrote to memory of PID 2460 (PING.EXE), procid_target 34: 3 events
  Note: every write listed here goes from a parent to a child it launches (2140 to 2660 and 3012, 3012 to 2460), which is the pattern a normal CreateProcess call produces while the parent sets up the new process. On its own it is not evidence of code injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe  (PID 2140)
  "C:\Users\Admin\AppData\Local\Temp\466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\System32\shutdown.exe  (PID 2660)
  |     "C:\Windows\System32\shutdown.exe" /s /t 10
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\System32\cmd.exe  (PID 3012)
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\system32\PING.EXE  (PID 2460)
              ping 1.1.1.1 -n 1 -w 3000
              - Runs ping.exe

C:\Windows\system32\LogonUI.exe  (PID 2468)
  "LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe  (PID 1568)
  "LogonUI.exe" /flags:0x1

Reading the tree: the sample schedules a forced shutdown ten seconds out (shutdown.exe /s /t 10), then hands cmd.exe a chain that blocks on a single ping to 1.1.1.1 (at most 3 seconds) before deleting the sample's own executable. The ping is only a sleep primitive, so the "Runs ping.exe" signature is a side effect of the self-delete, not a network check. The two LogonUI.exe instances at the end are consistent with the forced shutdown taking effect during the run, which also explains the short kernel time (16s).
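The two behaviours in this tree that are worth alerting on in an endpoint telemetry pipeline are the delay-then-delete chain whose delete target is the parent's own image, and a shutdown issued by a process running from a user-writable path. The following Python is an added example (not part of the sandbox report or the sample) that runs those two rules over constructed Sysmon-style process-creation events. The event layout (pid, ppid, image, cmdline), the parent PIDs filled in for the report's processes, the set of delay commands (ping, timeout, choice, sleep), and the "parent outside C:\Windows" heuristic for the shutdown rule are all assumptions of the example, not facts from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\466aac6ffc5f07a1545bd69d45d30ca781570aba4a0ef45b592bb5aee92f91c5.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style, assumed layout)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed test data. Rows 1-5 mirror the report's process tree (parent PIDs are assumed);
# the remaining rows are benign look-alikes: a ping with no delete, and a delayed delete of a log file.
EVENTS = [
    ProcEvent(2140, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2660, 2140, r"C:\Windows\System32\shutdown.exe", r'"C:\Windows\System32\shutdown.exe" /s /t 10'),
    ProcEvent(3012, 2140, r"C:\Windows\System32\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "{SAMPLE_EXE}"'),
    ProcEvent(2460, 3012, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    ProcEvent(2468, 4, r"C:\Windows\system32\LogonUI.exe", '"LogonUI.exe" /flags:0x0'),
    ProcEvent(4000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 > Nul'),
    ProcEvent(4200, 4000, r"C:\Windows\System32\cmd.exe", r'"cmd.exe" /C timeout /t 3 & del /f /q "C:\Temp\old.log"'),
]

CMD_SHELL_RE = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+(.*)$', re.I | re.S)
DELAY_RE = re.compile(r'\s*(?:ping|timeout|choice|sleep)\b', re.I)          # assumed delay primitives
DELETE_RE = re.compile(r'\s*(?:del|erase)\b\s+((?:/\w+\s+)*)(.+?)\s*$', re.I)
SHUTDOWN_FLAG_RE = re.compile(r'(?:^|\s)/[sr](?:\s|$)', re.I)                # /s shutdown, /r restart


def cmd_chain(cmdline: str) -> Optional[List[str]]:
    """Return the commands chained after cmd.exe /C or /K, split on & && | ||, or None if not a cmd shell."""
    m = CMD_SHELL_RE.match(cmdline)
    if not m:
        return None
    body = m.group(1)
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quote = not in_quote
        if not in_quote and ch in "&|":
            parts.append("".join(cur).strip())
            cur = []
            if i + 1 < len(body) and body[i + 1] == ch:  # skip the second char of && or ||
                i += 1
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def delete_targets(part: str) -> List[str]:
    """Paths named by a del/erase command, with switches such as /f /q stripped and quotes removed."""
    m = DELETE_RE.match(part)
    if not m:
        return []
    return [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', m.group(2))]


def norm(path: str) -> str:
    return path.strip().strip('"').lower()


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parts = cmd_chain(e.cmdline)
        # Rule 1: a cmd chain that sleeps (ping/timeout/...) and then deletes its parent's own image.
        if parts and parent and any(DELAY_RE.match(p) for p in parts):
            targets = [t for p in parts for t in delete_targets(p)]
            if any(norm(t) == norm(parent.image) for t in targets):
                findings.append(Finding(e.pid, "self_delete_via_delayed_del", f"deletes parent image {parent.image}"))
        # Rule 2: shutdown/restart requested by a process that does not live under C:\Windows (assumed heuristic).
        if e.image.lower().endswith(r"\shutdown.exe") and SHUTDOWN_FLAG_RE.search(e.cmdline):
            if parent and not norm(parent.image).startswith("c:\\windows\\"):
                findings.append(Finding(e.pid, "shutdown_from_user_path", f"parent {parent.image}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f.pid}: {f.rule} ({f.detail})")
```

Both rules key on the parent relationship rather than on the ping string alone, which is what keeps the benign rows (an interactive ping, a scheduled log cleanup) quiet; the same chain with `timeout` or `choice` in place of `ping` is caught because the delay list is generalised beyond the single case in the report.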
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 568KB
  MD5: 523369adf6445701a77c69879a873ba9
  SHA1: 176d2d54f6daeb1058076218d21d61f49970d68f
  SHA256: 2bb539ffbb858c43e31c502d523f61f21c323daff2cee5f2a413311a1eae8100
  SHA512: 8c4b1b27dc906e33540005592a1b853c4ab8f7c1f7cf7dc58ad5ee51aee3031b8b07baca3e964ea439af46b01b37d190e344d5a526f8323e66d3f4e15176f8ca