Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
10-04-2024 23:02
Behavioral task
behavioral1
Sample
6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe
Resource
win7-20240221-en
General
-
Target
6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe
-
Size
2.6MB
-
MD5
27e5fd6b179cc604a92ad40a401f4aec
-
SHA1
f8a7cd307bb1acfa2ed83d2c9d511bc2891b4332
-
SHA256
6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34
-
SHA512
99a2c3a5696751ca1936f2333ac4eca1c3c614b8371dab9c6cf65f0c7fbdc7f2ffb19342cd2b22e99fd4e35ca6a048f4d6494ae2bcecbed639c23fc0a76d28d8
-
SSDEEP
49152:vCwaz70YMUaqZTbeSAmshGCOljXu0rTuEysKob19dFuAw+W7SCbcZM:nq0mLZBV+GCORXxTuEF/b1/s7ue
Malware Config
Signatures
-
Detects executables (downloaders) containing URLs to raw contents of a paste 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4660-0-0x000002079C960000-0x000002079CD50000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawPaste_URL -
Detects executables Discord URL observed in first stage droppers 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4660-0-0x000002079C960000-0x000002079CD50000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL -
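Both URL indicators above fired on the same dumped region (dump 0 of pid 4660). The Python below is an added example, not code from this report or from the authors of those YARA rules: it scans a constructed stand-in buffer for raw-paste and Discord URLs in plain ASCII and also in UTF-16LE, which is how a .NET assembly (the Fody and Agile.NET indicators further down point to one) keeps its strings in memory. The URL patterns, the sample bytes and the two URLs in them are assumptions for illustration, not the published rule bodies or anything recovered from this sample.

```python
import re

# Constructed stand-in for a dumped memory region (this report's real dumps are the
# behavioral2/memory/4660-0-... resources). Both URLs are made up for the example.
SAMPLE_REGION = (
    b"\x00" * 16
    + b"https://pastebin.com/raw/AbCdEf12"                                           # ASCII string
    + b"\x00" * 8
    + "https://cdn.discordapp.com/attachments/1/2/payload.bin".encode("utf-16-le")  # .NET-style string
    + b"\x00" * 8
    + b"https://example.org/normal"                                                  # benign, must not match
)

# Approximations of what "raw paste URL" and "Discord URL" indicators look for.
# Assumed for this example; these are not the bodies of the published YARA rules.
INDICATORS = {
    "RawPaste_URL": re.compile(
        rb"https?://(?:pastebin\.com/raw/|paste\.ee/r/|hastebin\.com/raw/)[\w./-]*",
        re.IGNORECASE,
    ),
    "DiscordURL": re.compile(
        rb"https?://(?:cdn\.discordapp\.com/attachments/|discord(?:app)?\.com/api/webhooks/)[\w./-]*",
        re.IGNORECASE,
    ),
}


def _views(data: bytes, include_utf16: bool):
    """Yield the byte views to scan: the raw buffer and, optionally, every other byte
    at both alignments. For ASCII-range UTF-16LE text that strips the interleaved NULs
    and recovers plain ASCII, so the same patterns apply; the odd alignment is needed
    because a UTF-16LE string can start at an odd offset in the region."""
    yield data
    if include_utf16:
        yield data[0::2]
        yield data[1::2]


def scan_region(data: bytes, include_utf16: bool = True) -> dict[str, set[str]]:
    """Return {indicator_name: {matched URLs}} for every indicator that fired."""
    hits: dict[str, set[str]] = {}
    for view in _views(data, include_utf16):
        for name, pattern in INDICATORS.items():
            for m in pattern.finditer(view):
                hits.setdefault(name, set()).add(m.group(0).decode("ascii", "replace"))
    return hits


if __name__ == "__main__":
    for name, urls in scan_region(SAMPLE_REGION).items():
        print(name, sorted(urls))
    # An ASCII-only scan misses the UTF-16LE Discord string entirely:
    print("ascii-only:", scan_region(SAMPLE_REGION, include_utf16=False))
```

Run as a script it reports both indicators on the constructed buffer, and the ASCII-only pass finds only the pastebin URL: on a .NET process dump, a scanner that does not account for UTF-16LE will under-report exactly the kind of strings these two signatures exist to catch.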
Detects executables manipulated with Fody 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4660-0-0x000002079C960000-0x000002079CD50000-memory.dmp INDICATOR_EXE_Packed_Fody -
Detects executables packed with Agile.NET / CliSecure 34 IoCs
Processes:
resource yara_rule
behavioral2/memory/4660-3-0x00000207B73D0000-0x00000207B759A000-memory.dmp INDICATOR_EXE_Packed_AgileDotNet
C:\Users\Admin\AppData\Local\Temp\c10786eb-9d72-4fbb-b0e8-a0d43e5e6ee1\AgileDotNetRT64.dll INDICATOR_EXE_Packed_AgileDotNet
behavioral2/memory/4660-12-0x00000207B73D0000-0x00000207B7596000-memory.dmp INDICATOR_EXE_Packed_AgileDotNet
behavioral2/memory/4660-11-0x00000207B73D0000-0x00000207B7596000-memory.dmp INDICATOR_EXE_Packed_AgileDotNet
behavioral2/memory/4660-14-0x00000207B73D0000-0x00000207B7596000-memory.dmp INDICATOR_EXE_Packed_AgileDotNet
(the same rule also hit dumps 16, 18, 20, ..., 72 of pid 4660, every even index from 16 through 72, all covering 0x00000207B73D0000-0x00000207B7596000; 34 hits in total) -
Detects executables packed with VMProtect. 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4660-0-0x000002079C960000-0x000002079CD50000-memory.dmp INDICATOR_EXE_Packed_VMProtect -
Loads dropped DLL 1 IoCs
Processes:
pid process
4660 6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe -
Obfuscated with Agile.Net obfuscator 33 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule
behavioral2/memory/4660-3-0x00000207B73D0000-0x00000207B759A000-memory.dmp agile_net
behavioral2/memory/4660-12-0x00000207B73D0000-0x00000207B7596000-memory.dmp agile_net
behavioral2/memory/4660-11-0x00000207B73D0000-0x00000207B7596000-memory.dmp agile_net
behavioral2/memory/4660-14-0x00000207B73D0000-0x00000207B7596000-memory.dmp agile_net
(the same rule also hit dumps 16, 18, 20, ..., 72 of pid 4660, every even index from 16 through 72, all covering 0x00000207B73D0000-0x00000207B7596000; 33 hits in total) -
Processes:
resource yara_rule
behavioral2/memory/4660-0-0x000002079C960000-0x000002079CD50000-memory.dmp vmprotect -
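Every memory resource in the signature blocks above has the shape task/memory/pid-index-0xstart-0xend-memory.dmp, so the hit counts (34, 33, 1) mix repeated dumps of one region with genuinely distinct artifacts. The Python below is an added example, not part of this report or of the sandbox: it parses those names, computes each region's size, and regroups a representative subset of the hits listed above by (pid, base address). The resource strings are copied from this page; the grouping logic and field names are my own.

```python
import re
from collections import defaultdict

# Sandbox memory-dump resource names, as seen in this report:
#   behavioral2/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(resource: str):
    """Return pid, dump index, region bounds and size for a memory-dump resource,
    or None for resources that are not dumps (e.g. a dropped-file path)."""
    m = DUMP_RE.match(resource)
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted address range in {resource}")
    return {"task": m["task"], "pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


# Representative subset of the (resource, rule) pairs listed in this report.
REGION_A = "behavioral2/memory/4660-0-0x000002079C960000-0x000002079CD50000-memory.dmp"
HITS = [
    (REGION_A, "INDICATOR_SUSPICIOUS_EXE_RawPaste_URL"),
    (REGION_A, "INDICATOR_SUSPICIOUS_EXE_DiscordURL"),
    (REGION_A, "INDICATOR_EXE_Packed_Fody"),
    (REGION_A, "INDICATOR_EXE_Packed_VMProtect"),
    (REGION_A, "vmprotect"),
    ("behavioral2/memory/4660-3-0x00000207B73D0000-0x00000207B759A000-memory.dmp", "INDICATOR_EXE_Packed_AgileDotNet"),
    (r"C:\Users\Admin\AppData\Local\Temp\c10786eb-9d72-4fbb-b0e8-a0d43e5e6ee1\AgileDotNetRT64.dll", "INDICATOR_EXE_Packed_AgileDotNet"),
    ("behavioral2/memory/4660-12-0x00000207B73D0000-0x00000207B7596000-memory.dmp", "INDICATOR_EXE_Packed_AgileDotNet"),
    ("behavioral2/memory/4660-72-0x00000207B73D0000-0x00000207B7596000-memory.dmp", "agile_net"),
]


def summarize(hits):
    """Group hits by (pid, region base). Repeated dumps of one region collapse into a
    single entry, so the number of distinct regions, not the IoC count, is what you
    read off. Non-dump resources (dropped files) are returned separately."""
    regions = defaultdict(lambda: {"rules": set(), "dumps": set(), "sizes": set()})
    files = defaultdict(set)
    for resource, rule in hits:
        d = parse_dump_name(resource)
        if d is None:
            files[resource].add(rule)
            continue
        r = regions[(d["pid"], d["start"])]
        r["rules"].add(rule)
        r["dumps"].add(d["index"])
        r["sizes"].add(d["size"])
    return dict(regions), dict(files)


if __name__ == "__main__":
    regions, files = summarize(HITS)
    for (pid, base), info in sorted(regions.items()):
        print(f"pid {pid} base 0x{base:X} sizes {[hex(s) for s in sorted(info['sizes'])]} "
              f"dumps {sorted(info['dumps'])} rules {sorted(info['rules'])}")
    for path, rules in files.items():
        print("file", path, sorted(rules))
```

On this report's data the script reduces the signature section to two regions of pid 4660: the 0x3F0000-byte region at 0x2079C960000 captured as dump 0, which is the only place the raw-paste, Discord, Fody and VMProtect indicators fired, and the region at 0x207B73D0000 (0x1CA000 bytes at dump 3, 0x1C6000 bytes from dump 11 onward) that the sandbox re-dumped dozens of times and that accounts for nearly all of the 34 and 33 Agile.NET hits, plus the dropped AgileDotNetRT64.dll. Three artifacts, not 70.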
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid process
4660 6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4660 6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe -
Suspicious use of SetWindowsHookEx 44 IoCs
Processes:
pid process
4660 6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe
(44 hits, every one from pid 4660)
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe
"C:\Users\Admin\AppData\Local\Temp\6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
PID:4288
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
PID:4392
Network
Downloads
-
Filesize
75KB
MD5
42b2c266e49a3acd346b91e3b0e638c0
SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81