Analysis
- max time kernel: 13s
- max time network: 14s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 02:24
Static task: static1
Behavioral task: behavioral1
  Sample: a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
  Resource: win10v2004-20240226-en
Errors
General
- Target: a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
- Size: 772KB
- MD5: 097368301fe272b83dc295f43721bd5e
- SHA1: b966d8c4b6537c35e1512c156076d9f00e141731
- SHA256: a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0
- SHA512: 183f661a6b8903bab1b43f92a0e1c4b4db7742caf337fa5be712a2aff6d6c73724d4ef5cd23efa6978cd99ab375757ae66cb909383cc21b327348f61b2015b87
- SSDEEP: 24576:lvkM33lp1MIblv0UgDN3g8Yr1/14tCdk/x+E30Da73/hJykOds+tRgV5I:lX3ZokQ35JisVq
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
  pid   process
  2664  cmd.exe
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2428-6-0x000000001B330000-0x000000001B488000-memory.dmp  agile_net
  C:\Users\Admin\AppData\Local\Temp\68146310.dll                               agile_net
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid   process
  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   process
  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
  Token: SeShutdownPrivilege        1680  shutdown.exe
  Token: SeRemoteShutdownPrivilege  1680  shutdown.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                       pid   process                                                                 target process
  PID 2428 wrote to memory of 1680  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe  shutdown.exe
  PID 2428 wrote to memory of 1680  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe  shutdown.exe
  PID 2428 wrote to memory of 1680  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe  shutdown.exe
  PID 2428 wrote to memory of 2664  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe  cmd.exe
  PID 2428 wrote to memory of 2664  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe  cmd.exe
  PID 2428 wrote to memory of 2664  2428  a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe  cmd.exe
  PID 2664 wrote to memory of 3020  2664  cmd.exe                                                                 PING.EXE
  PID 2664 wrote to memory of 3020  2664  cmd.exe                                                                 PING.EXE
  PID 2664 wrote to memory of 3020  2664  cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe"
  PID: 2428
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\shutdown.exe (child of PID 2428)
    Command line: "C:\Windows\System32\shutdown.exe" /s /t 10
    PID: 1680
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (child of PID 2428)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe"
    PID: 2664
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (child of PID 2664)
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 3020
      - Runs ping.exe
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2680
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2388
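The process tree above shows two chains worth detecting outside the sandbox: the sample spawns cmd.exe, which uses ping as a sleep (one echo, 3000 ms timeout) so the parent can exit and release its file lock before `Del` removes the dropped executable, and it spawns shutdown.exe /s to power the host off. The following Python is an added detection example, not part of this report or of the sandbox's own signature logic. It runs the two checks over constructed process-creation records that mirror the tree (PIDs, image paths and command lines are copied from the report; the record layout, the parent PIDs 1000 and 900, and the benign control event are assumptions for the example).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (pid, parent pid, image path, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events mirroring the process tree in the report above.
# PIDs, image paths and command lines come from the report; the parent PIDs
# 1000 and 900 and the last (benign) event are assumptions for this example.
SAMPLE = "a0f0b0c54bd7216f76f1181605c6b384c0f4eb97f7e9dfeb378a64774017cba0.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
EVENTS = [
    ProcEvent(2428, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1680, 2428, "C:\\Windows\\System32\\shutdown.exe",
              '"C:\\Windows\\System32\\shutdown.exe" /s /t 10'),
    ProcEvent(2664, 2428, "C:\\Windows\\System32\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul'
              f' & Del "{SAMPLE_PATH}"'),
    ProcEvent(3020, 2664, "C:\\Windows\\system32\\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    # Benign control: an interactive ping with no delete, must not fire.
    ProcEvent(4100, 900, "C:\\Windows\\System32\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C ping 8.8.8.8 -n 1'),
]

# The sleep primitives cmd.exe has to borrow: ping (-n/-w) or timeout.
DELAY_RE = re.compile(r"\b(?:ping|timeout)\b", re.I)
# del/erase, optional switches such as /f /q, then a quoted or bare target path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|([^\s"&|]+))', re.I)
# shutdown.exe /s (power off) or /r (reboot).
SHUTDOWN_RE = re.compile(r"(?:^|\s)/[sr](?:\s|$)", re.I)


def find_self_delete(events):
    """Flag cmd.exe launches that sleep via ping/timeout and then delete a file.

    A hit whose delete target is the parent's own image is the self-deletion
    chain in the report: the parent exits while ping waits, the file lock is
    released, and `Del` removes the dropped executable.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not (m and DELAY_RE.search(e.cmdline)):
            continue
        target = (m.group(1) or m.group(2)).strip()
        parent = by_pid.get(e.ppid)
        findings.append({
            "pid": e.pid,
            "parent_pid": e.ppid,
            "target": target,
            "deletes_parent": parent is not None
            and target.lower() == parent.image.lower(),
        })
    return findings


def find_shutdown(events):
    """Flag shutdown.exe /s or /r and report which process spawned it."""
    by_pid = {e.pid: e for e in events}
    return [
        {"pid": e.pid, "parent_pid": e.ppid,
         "parent_image": by_pid[e.ppid].image if e.ppid in by_pid else None,
         "cmdline": e.cmdline}
        for e in events
        if e.image.lower().endswith("\\shutdown.exe") and SHUTDOWN_RE.search(e.cmdline)
    ]


if __name__ == "__main__":
    for finding in find_self_delete(EVENTS) + find_shutdown(EVENTS):
        print(finding)
```

Keying the self-delete rule on the parent's image rather than on the literal `ping 1.1.1.1 -n 1 -w 3000` string keeps it robust to the address, count and timeout changing; the `deletes_parent` flag is what separates this chain from an installer cleaning up its own temp files. The shutdown rule reports the parent image so an analyst can see that the power-off was requested by a user-writable Temp-directory binary rather than by an administrator.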
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\68146310.dll
  Filesize: 614KB
  MD5: 591fb53294de5493023abcec06afa08c
  SHA1: d162a4bbdd60effd83487788fcab77f37abc60c8
  SHA256: 9ec37b6b8631c9c88e2bdec67ad99fea848d44ef10d2e1260a8ce683cd3687fa
  SHA512: e4947403be45bd5365545a2cdceca9c359fadbcd38ca37097566fda7fad05ecb7f333617c06d0b81fb70f06ebf19d6af9729690df27569616107f854909cd7ec
- memory/2428-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp
  Filesize: 4KB
- memory/2428-1-0x00000000009A0000-0x0000000000A6A000-memory.dmp
  Filesize: 808KB
- memory/2428-4-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2428-6-0x000000001B330000-0x000000001B488000-memory.dmp
  Filesize: 1.3MB
- memory/2428-8-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2428-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2428-10-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2428-11-0x0000000000380000-0x0000000000386000-memory.dmp
  Filesize: 24KB
- memory/2428-13-0x0000000000370000-0x0000000000376000-memory.dmp
  Filesize: 24KB
- memory/2428-14-0x0000000002290000-0x00000000022AA000-memory.dmp
  Filesize: 104KB
- memory/2428-15-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB