aae9e126f03798f15445e8f308bbf43e9bda6a9e1ffaa9fe2dfd75eb65fef74c

General

Target

1f90151f3470f316a645a6617534a0be.exe
Size

26KB
MD5

1f90151f3470f316a645a6617534a0be
SHA1

80dd3641418ff22c353b2d1f0f4c86990cfdaee1
SHA256

aae9e126f03798f15445e8f308bbf43e9bda6a9e1ffaa9fe2dfd75eb65fef74c
SHA512

5609219d6a7ece553032589d9765e7fcf394253fa4df5d64539e231a4350bf9c8b3bfd2ec5ca1904a6584b793f3a174353261e23983f7ac428b7957379eccbcf
SSDEEP

384:YJwutFK4KLt/WFg46SL4E3y3jBPc3jrUGjC/8wLSV6f3pRLXjjF:kFK4ueF/xAWj4YCEUSK9jjF

Score

7^/10

agilenet execution

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f90151f3470f316a645a6617534a0be.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f90151f3470f316a645a6617534a0be.exe	Powershell.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2436-3-0x0000000005C60000-0x0000000005D34000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f90151f3470f316a645a6617534a0be.exe

description pid process target process

PID 2436 set thread context of 2576 2436 1f90151f3470f316a645a6617534a0be.exe 1f90151f3470f316a645a6617534a0be.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

Powershell.exe

pid process

2596 Powershell.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

1f90151f3470f316a645a6617534a0be.exe

pid process

2576 1f90151f3470f316a645a6617534a0be.exe

description	pid	process	target process
PID 2436 set thread context of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe

pid	process
2596	Powershell.exe

pid	process
2576	1f90151f3470f316a645a6617534a0be.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

1f90151f3470f316a645a6617534a0be.exePowershell.exe

pid	process
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2596	Powershell.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe
2436	1f90151f3470f316a645a6617534a0be.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1f90151f3470f316a645a6617534a0be.exePowershell.exe1f90151f3470f316a645a6617534a0be.exe

description	pid	process
Token: SeDebugPrivilege	2436	1f90151f3470f316a645a6617534a0be.exe
Token: SeDebugPrivilege	2596	Powershell.exe
Token: SeDebugPrivilege	2576	1f90151f3470f316a645a6617534a0be.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1f90151f3470f316a645a6617534a0be.exe

description	pid	process	target process
PID 2436 wrote to memory of 2596	2436	1f90151f3470f316a645a6617534a0be.exe	Powershell.exe
PID 2436 wrote to memory of 2596	2436	1f90151f3470f316a645a6617534a0be.exe	Powershell.exe
PID 2436 wrote to memory of 2596	2436	1f90151f3470f316a645a6617534a0be.exe	Powershell.exe
PID 2436 wrote to memory of 2596	2436	1f90151f3470f316a645a6617534a0be.exe	Powershell.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe
PID 2436 wrote to memory of 2576	2436	1f90151f3470f316a645a6617534a0be.exe	1f90151f3470f316a645a6617534a0be.exe

C:\Users\Admin\AppData\Local\Temp\1f90151f3470f316a645a6617534a0be.exe
"C:\Users\Admin\AppData\Local\Temp\1f90151f3470f316a645a6617534a0be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\1f90151f3470f316a645a6617534a0be.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f90151f3470f316a645a6617534a0be.exe' -Force
2⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\AppData\Local\Temp\1f90151f3470f316a645a6617534a0be.exe
"C:\Users\Admin\AppData\Local\Temp\1f90151f3470f316a645a6617534a0be.exe"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2436-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-3-0x0000000005C60000-0x0000000005D34000-memory.dmp

Filesize
848KB

Download
memory/2436-30-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-54-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-42-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-15-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-17-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-13-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-19-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-26-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-50-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-72-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-70-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-68-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-66-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-64-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-58-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-884-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/2576-883-0x0000000004B40000-0x0000000004B96000-memory.dmp

Filesize
344KB

Download
memory/2576-56-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-53-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-46-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-44-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-23-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-40-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-78-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-76-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-74-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-62-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-60-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-48-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-38-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-36-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-34-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-32-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-31-0x0000000004630000-0x00000000046F0000-memory.dmp

Filesize
768KB

Download
memory/2576-28-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-29-0x0000000004630000-0x00000000046F6000-memory.dmp

Filesize
792KB

Download
memory/2596-6-0x000000006EB31000-0x000000006EB32000-memory.dmp

Filesize
4KB

Download
memory/2596-8-0x000000006EB30000-0x000000006F0DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-7-0x000000006EB30000-0x000000006F0DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-12-0x000000006EB30000-0x000000006F0DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-9-0x000000006EB30000-0x000000006F0DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-10-0x000000006EB30000-0x000000006F0DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads