a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0

Reason

Machine shutdown

General

Target

a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
Size

772KB
MD5

097368301fe272b83dc295f43721bd5e
SHA1

b966d8c4b6537c35e1512c156076d9f00e141731
SHA256

a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0
SHA512

183f661a6b8903bab1b43f92a0e1c4b4db7742caf337fa5be712a2aff6d6c73724d4ef5cd23efa6978cd99ab375757ae66cb909383cc21b327348f61b2015b87
SSDEEP

24576:lvkM33lp1MIblv0UgDN3g8Yr1/14tCdk/x+E30Da73/hJykOds+tRgV5I:lX3ZokQ35JisVq

Score

7^/10

agilenet

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2664 cmd.exe

pid	process
2664	cmd.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2428-6-0x000000001B330000-0x000000001B488000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\68146310.dll	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe

pid process

2428 a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3020 PING.EXE

pid	process
3020	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe

pid	process
2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
Token: SeShutdownPrivilege	1680	shutdown.exe
Token: SeRemoteShutdownPrivilege	1680	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.execmd.exe

description	pid	process	target process
PID 2428 wrote to memory of 1680	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe	shutdown.exe
PID 2428 wrote to memory of 1680	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe	shutdown.exe
PID 2428 wrote to memory of 1680	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe	shutdown.exe
PID 2428 wrote to memory of 2664	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe	cmd.exe
PID 2428 wrote to memory of 2664	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe	cmd.exe
PID 2428 wrote to memory of 2664	2428	a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe	cmd.exe
PID 2664 wrote to memory of 3020	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 3020	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 3020	2664	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
"C:\Users\Admin\AppData\Local\Temp\a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 10
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:3020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2388

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68146310.dll
Filesize
614KB

MD5
591fb53294de5493023abcec06afa08c

SHA1
d162a4bbdd60effd83487788fcab77f37abc60c8

SHA256
9ec37b6b8631c9c88e2bdec67ad99fea848d44ef10d2e1260a8ce683cd3687fa

SHA512
e4947403be45bd5365545a2cdceca9c359fadbcd38ca37097566fda7fad05ecb7f333617c06d0b81fb70f06ebf19d6af9729690df27569616107f854909cd7ec

Download Submit
memory/2428-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x00000000009A0000-0x0000000000A6A000-memory.dmp

Filesize
808KB

Download
memory/2428-4-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-6-0x000000001B330000-0x000000001B488000-memory.dmp

Filesize
1.3MB

Download
memory/2428-8-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-10-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-11-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2428-13-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2428-14-0x0000000002290000-0x00000000022AA000-memory.dmp

Filesize
104KB

Download
memory/2428-15-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads