Analysis
max time kernel: 12s
max time network: 12s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02-03-2024 01:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
  Resource: win10v2004-20240226-en
Errors
General
Target: 2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
Size: 595KB
MD5: 853318cb2529e92d934162db0a05a90d
SHA1: 591fb7c75fbdca21ef5e5205d5256f039f059916
SHA256: 2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae
SHA512: 2a77afb55a38aaac22aa44b24295d8ebec411e48f0ed41826b96497e6bca7eecf09df86fca1358b7acb709ff266355a6e0e6483a1a873fa35f083519c6cbbcd0
SSDEEP: 12288:+VaaczJt9d4lMOWNXEwq5mvArmQUDEdUYOPhTR3aDisbNPe:+/czUedq5Y9gdUVPhTFaWee
Malware Config
Signatures

Deletes itself (1 IoCs)
Processes:
  pid   Process
  2472  cmd.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2220-6-0x000000001BF00000-0x000000001C022000-memory.dmp  agile_net
  behavioral1/files/0x000c00000001231a-12.dat                                  agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
  pid   Process
  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   Process
  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                       pid   Process
  Token: SeDebugPrivilege           2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
  Token: SeShutdownPrivilege        2248  shutdown.exe
  Token: SeRemoteShutdownPrivilege  2248  shutdown.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   Process                                                                   procid_target
  PID 2220 wrote to memory of 2248  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe  29
  PID 2220 wrote to memory of 2248  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe  29
  PID 2220 wrote to memory of 2248  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe  29
  PID 2220 wrote to memory of 2472  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe  32
  PID 2220 wrote to memory of 2472  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe  32
  PID 2220 wrote to memory of 2472  2220  2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe  32
  PID 2472 wrote to memory of 2740  2472  cmd.exe                                                                   34
  PID 2472 wrote to memory of 2740  2472  cmd.exe                                                                   34
  PID 2472 wrote to memory of 2740  2472  cmd.exe                                                                   34
Processes

C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2220

  C:\Windows\System32\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /s /t 10
    - Suspicious use of AdjustPrivilegeToken
    PID: 2248

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2472

    C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe
      PID: 2740

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2732

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 3068
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 518KB
MD5: 260ad92d3a2891e6a93abbfa4fd72aab
SHA1: c4465333c0341c9345726947473bc11cc7660ee0
SHA256: c82d4be824a05f31db90806ba031b5d75d94414583d100ef53db18096ba61c7f
SHA512: aa9c1213f1d631a5bad0520783150fbf71ebf91012040ddb700743cddbdf0f40047ea973c95124cd0107fe480c1fd282409a53b2c6b34e752e0e5a2d59ede8ae