2c7b219b88db48d004789b4bf56a37dc60885d332610251dd1db65b2ec315ca2

Analysis

max time kernel
1208s
max time network
1203s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F.Agent.exe
Size

5.1MB
MD5

8eb94c987e5a95fcfd3d26bb78059b6d
SHA1

b7180f0effac43a988e6a9651efb178ed75fdfb6
SHA256

2c7b219b88db48d004789b4bf56a37dc60885d332610251dd1db65b2ec315ca2
SHA512

eaacc9aa6101f7d28cab406ef7da3a80777b270ede21136eb72d991b887ae79dc62468e7ebce3a3a28e6af36a841a2d3acf2cfbf085ba592e3afecc1b4626d54
SSDEEP

98304:AVlOeta9YSH61kNawcDD0cA7oVLCkwr2AALL8yWHfbcvBQ7KBfML:LBeSH6yNcDD0FD4xLL8yWHfbcQ7KBfML

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	F.Agent.exe

Executes dropped EXE 1 IoCs

pid	Process
4768	nomutick.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/5452-0-0x00007FF6A1FE0000-0x00007FF6A2861000-memory.dmp	vmprotect
behavioral1/memory/5452-3-0x00007FF6A1FE0000-0x00007FF6A2861000-memory.dmp	vmprotect
behavioral1/memory/5452-4-0x00007FF6A1FE0000-0x00007FF6A2861000-memory.dmp	vmprotect

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\nomutick.exe	F.Agent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
4768	nomutick.exe
4768	nomutick.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe
5452	F.Agent.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5452 wrote to memory of 4768	5452	F.Agent.exe	109
PID 5452 wrote to memory of 4768	5452	F.Agent.exe	109

C:\Users\Admin\AppData\Local\Temp\F.Agent.exe
"C:\Users\Admin\AppData\Local\Temp\F.Agent.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5452
- C:\Windows\nomutick.exe
  "C:\Windows\nomutick.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\nomutick.exe

Filesize
621KB

MD5
37d16834aa61fddddf46e5cf2445880f

SHA1
01601362bb685f3cfdd4a4928fc5a478416be739

SHA256
f04fea50f8ab5394a35fbd118e3fa8d5bb703be24f168cf8a8045c847d50e865

SHA512
b2fcf62a4eafa02dc315567f07e1e3b65de65c2b0e16053f358d7c0131b51c9ba72193001fe6ccb32691213538858692a976c1057dbf25dab26ddd9969ff9998

Download Submit
C:\Windows\nomutick.exe

Filesize
1.5MB

MD5
2f95f43290f1e1bc4de12ade27b73f66

SHA1
9c84494a5dd6d5c2271b316d89128890f5246be7

SHA256
fce1b270833aff40e134f300ff3cb73a42529111b288608d27436cc633d4f8eb

SHA512
0ea94afd0d865bfe64fa7a3f383bc62eead69b9c599f35b1ea10b338d2574dd538661dd663946dbc1d7b17f109af22d64964066f54ba6d79282c12c5c0050237

Download Submit
memory/5452-0-0x00007FF6A1FE0000-0x00007FF6A2861000-memory.dmp

Filesize
8.5MB

Download
memory/5452-2-0x00007FFDA2C10000-0x00007FFDA2C12000-memory.dmp

Filesize
8KB

Download
memory/5452-3-0x00007FF6A1FE0000-0x00007FF6A2861000-memory.dmp

Filesize
8.5MB

Download
memory/5452-4-0x00007FF6A1FE0000-0x00007FF6A2861000-memory.dmp

Filesize
8.5MB

Download