Analysis
- max time kernel: 13s
- max time network: 13s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 01:34
Static task: static1
Behavioral task: behavioral1
- Sample: 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
- Resource: win10v2004-20240419-en
Errors
General
- Target: 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
- Size: 591KB
- MD5: a277d4581da659a1c6c6b043d58b6e58
- SHA1: eb9f5cfd8ae33b9ed5c8284f68cfe0fda847827f
- SHA256: 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd
- SHA512: 744b40c35482a1bb11ac99bd3ccce5f2af17ecf7bbb01dc6473f3febf51e52cc3620915626152fc8cc5cd5d20d3b265019f4efff1b7ac8763a61ed6f5148244d
- SSDEEP: 12288:miMQ7iIo7bn8se3d48UW/fhQT3E5zUizEXslNdkdrZvHGk:7i+N48PRQL8xgXslk3mk
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes (pid / process):
    2440  cmd.exe
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resources (resource / yara_rule):
    behavioral1/memory/2972-6-0x000000001B8D0000-0x000000001BA12000-memory.dmp  agile_net
    C:\Users\Admin\AppData\Local\Temp\2F4C1828.dll  agile_net
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid / process):
    2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
    2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
    Token: SeShutdownPrivilege  2544  shutdown.exe
    Token: SeRemoteShutdownPrivilege  2544  shutdown.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 2972 wrote to memory of 2544  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe  shutdown.exe
    PID 2972 wrote to memory of 2544  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe  shutdown.exe
    PID 2972 wrote to memory of 2544  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe  shutdown.exe
    PID 2972 wrote to memory of 2440  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe  cmd.exe
    PID 2972 wrote to memory of 2440  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe  cmd.exe
    PID 2972 wrote to memory of 2440  2972  5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe  cmd.exe
    PID 2440 wrote to memory of 2372  2440  cmd.exe  PING.EXE
    PID 2440 wrote to memory of 2372  2440  cmd.exe  PING.EXE
    PID 2440 wrote to memory of 2372  2440  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /s /t 10
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\2F4C1828.dll
  Filesize: 575KB
  MD5: 4e3d34de082615762e35f37693f0e318
  SHA1: 01015c8850dafdfd69544473f0dfb2b59dbab8a9
  SHA256: 3fddeca5f0ec15e11d23e6847ee14ccf9c9a15c785a88cf62589f46a5b107755
  SHA512: 7bbd44b209b7a82cb2616475a978e116b8b183b6bd51c1098bb44eb734664587cdb1af4a5990762295a35940af4cd73d5b6dc76b0b40540d4027251919e96eef
- memory/2972-0-0x0000000000940000-0x00000000009D8000-memory.dmp
  Filesize: 608KB
- memory/2972-1-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
  Filesize: 9.9MB
- memory/2972-2-0x000000001BA20000-0x000000001BAA0000-memory.dmp
  Filesize: 512KB
- memory/2972-6-0x000000001B8D0000-0x000000001BA12000-memory.dmp
  Filesize: 1.3MB
- memory/2972-8-0x000000001BA20000-0x000000001BAA0000-memory.dmp
  Filesize: 512KB
- memory/2972-9-0x000000001BA20000-0x000000001BAA0000-memory.dmp
  Filesize: 512KB
- memory/2972-10-0x000000001BA20000-0x000000001BAA0000-memory.dmp
  Filesize: 512KB
- memory/2972-11-0x0000000000900000-0x0000000000906000-memory.dmp
  Filesize: 24KB
- memory/2972-13-0x00000000008F0000-0x00000000008F6000-memory.dmp
  Filesize: 24KB
- memory/2972-14-0x0000000000B70000-0x0000000000B8A000-memory.dmp
  Filesize: 104KB
- memory/2972-15-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
  Filesize: 9.9MB