5960253ae6a1fc106096740cc06205816c81f7a38569988a67d7eb7a9536c33f

Analysis

max time kernel
11s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56af89e00c588d0f807fcdcdab80cdf.exe
Size

416KB
MD5

b56af89e00c588d0f807fcdcdab80cdf
SHA1

f25aacf61b478f056119f4d10cca74a5d6ff6462
SHA256

5960253ae6a1fc106096740cc06205816c81f7a38569988a67d7eb7a9536c33f
SHA512

12913b95e6cc81a00871cae56c99c39231c87122dc620fe0988c648563c6027f22ed72e9353d0767c285c82b92773dc053b97d15e9c0695d706b48ed73f3d476
SSDEEP

12288:U9iEGOh63LY9AWp3tQYDJi0BHk++++FN++z+C/LZQ:Fmhd9ZpiXIk++++FN++z+u

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1332	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4308	update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts.exe = "C:\\WINDOWS\\msagent\\agtintl\\svchosts.exe"	b56af89e00c588d0f807fcdcdab80cdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcn.exe = "C:\\WINDOWS\\pcn.exe"	b56af89e00c588d0f807fcdcdab80cdf.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\juca.bat	b56af89e00c588d0f807fcdcdab80cdf.exe
File created	C:\WINDOWS\msagent\agtintl\update.exe	b56af89e00c588d0f807fcdcdab80cdf.exe
File opened for modification	C:\WINDOWS\msagent\agtintl\update.exe	b56af89e00c588d0f807fcdcdab80cdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 5088	3504	b56af89e00c588d0f807fcdcdab80cdf.exe	97
PID 3504 wrote to memory of 5088	3504	b56af89e00c588d0f807fcdcdab80cdf.exe	97
PID 3504 wrote to memory of 5088	3504	b56af89e00c588d0f807fcdcdab80cdf.exe	97
PID 5088 wrote to memory of 1332	5088	cmd.exe	99
PID 5088 wrote to memory of 1332	5088	cmd.exe	99
PID 5088 wrote to memory of 1332	5088	cmd.exe	99
PID 3504 wrote to memory of 4308	3504	b56af89e00c588d0f807fcdcdab80cdf.exe	100
PID 3504 wrote to memory of 4308	3504	b56af89e00c588d0f807fcdcdab80cdf.exe	100
PID 3504 wrote to memory of 4308	3504	b56af89e00c588d0f807fcdcdab80cdf.exe	100

C:\Users\Admin\AppData\Local\Temp\b56af89e00c588d0f807fcdcdab80cdf.exe
"C:\Users\Admin\AppData\Local\Temp\b56af89e00c588d0f807fcdcdab80cdf.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\juca.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set notifications Disable
    3⤵
    - Modifies Windows Firewall
    PID:1332
- C:\WINDOWS\msagent\agtintl\update.exe
  C:\WINDOWS\msagent\agtintl\update.exe
  2⤵
  - Executes dropped EXE
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\juca.bat

Filesize
223B

MD5
1604ad01e735f096a9494f3d1590865e

SHA1
8894a9efeb44f1c1af4bc09c7d13b19718edfc16

SHA256
d40c23e8e65973f2c387e268a0ac7dd3a4358f724cbe3aa51e1fb05c8a837dcf

SHA512
58cfb7cb142d0507990f7e60d2cb83eb0395466feba2985569189ea1b62063cd261647a002fcc89af423a12a6ea498735a0887f19498129d7e257e71e289819c

Download Submit
C:\Windows\msagent\agtintl\update.exe

Filesize
416KB

MD5
b56af89e00c588d0f807fcdcdab80cdf

SHA1
f25aacf61b478f056119f4d10cca74a5d6ff6462

SHA256
5960253ae6a1fc106096740cc06205816c81f7a38569988a67d7eb7a9536c33f

SHA512
12913b95e6cc81a00871cae56c99c39231c87122dc620fe0988c648563c6027f22ed72e9353d0767c285c82b92773dc053b97d15e9c0695d706b48ed73f3d476

Download Submit
memory/3504-0-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads