5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd

Analysis

max time kernel
13s
max time network
13s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 01:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
Size

591KB
MD5

a277d4581da659a1c6c6b043d58b6e58
SHA1

eb9f5cfd8ae33b9ed5c8284f68cfe0fda847827f
SHA256

5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd
SHA512

744b40c35482a1bb11ac99bd3ccce5f2af17ecf7bbb01dc6473f3febf51e52cc3620915626152fc8cc5cd5d20d3b265019f4efff1b7ac8763a61ed6f5148244d
SSDEEP

12288:miMQ7iIo7bn8se3d48UW/fhQT3E5zUizEXslNdkdrZvHGk:7i+N48PRQL8xgXslk3mk

Score

7^/10

agilenet

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2440 cmd.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral1/memory/2972-6-0x000000001B8D0000-0x000000001BA12000-memory.dmp agile_net
C:\Users\Admin\AppData\Local\Temp\2F4C1828.dll agile_net
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe

pid process

2972 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2372 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe

pid process

2972 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
2972 5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe

pid	process
2440	cmd.exe

resource	yara_rule
behavioral1/memory/2972-6-0x000000001B8D0000-0x000000001BA12000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\2F4C1828.dll	agile_net

pid	process
2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe

pid	process
2372	PING.EXE

pid	process
2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
Token: SeShutdownPrivilege	2544	shutdown.exe
Token: SeRemoteShutdownPrivilege	2544	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.execmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 2544	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe	shutdown.exe
PID 2972 wrote to memory of 2544	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe	shutdown.exe
PID 2972 wrote to memory of 2544	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe	shutdown.exe
PID 2972 wrote to memory of 2440	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe	cmd.exe
PID 2972 wrote to memory of 2440	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe	cmd.exe
PID 2972 wrote to memory of 2440	2972	5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe	cmd.exe
PID 2440 wrote to memory of 2372	2440	cmd.exe	PING.EXE
PID 2440 wrote to memory of 2372	2440	cmd.exe	PING.EXE
PID 2440 wrote to memory of 2372	2440	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe
"C:\Users\Admin\AppData\Local\Temp\5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 10
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5bbbc71308bec5f2060cc886298c14c0aef3380e2f36f7ad1c640a48b9fc8edd.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:2372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2788

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F4C1828.dll
Filesize
575KB

MD5
4e3d34de082615762e35f37693f0e318

SHA1
01015c8850dafdfd69544473f0dfb2b59dbab8a9

SHA256
3fddeca5f0ec15e11d23e6847ee14ccf9c9a15c785a88cf62589f46a5b107755

SHA512
7bbd44b209b7a82cb2616475a978e116b8b183b6bd51c1098bb44eb734664587cdb1af4a5990762295a35940af4cd73d5b6dc76b0b40540d4027251919e96eef

Download Submit
memory/2972-0-0x0000000000940000-0x00000000009D8000-memory.dmp

Filesize
608KB

Download
memory/2972-1-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-2-0x000000001BA20000-0x000000001BAA0000-memory.dmp

Filesize
512KB

Download
memory/2972-6-0x000000001B8D0000-0x000000001BA12000-memory.dmp

Filesize
1.3MB

Download
memory/2972-8-0x000000001BA20000-0x000000001BAA0000-memory.dmp

Filesize
512KB

Download
memory/2972-9-0x000000001BA20000-0x000000001BAA0000-memory.dmp

Filesize
512KB

Download
memory/2972-10-0x000000001BA20000-0x000000001BAA0000-memory.dmp

Filesize
512KB

Download
memory/2972-11-0x0000000000900000-0x0000000000906000-memory.dmp

Filesize
24KB

Download
memory/2972-13-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download
memory/2972-14-0x0000000000B70000-0x0000000000B8A000-memory.dmp

Filesize
104KB

Download
memory/2972-15-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download