952d7df4797bd5ecc451fe57c4e160242a111391d183e4713d3b3a9ac737be25

General

Target

Dork Searcher v3.exe
Size

63.7MB
MD5

a324c0d0f457a5cd86de81514605c0d2
SHA1

6137b3183d9dfcdd3f647a9f579079ebd88b5e5e
SHA256

952d7df4797bd5ecc451fe57c4e160242a111391d183e4713d3b3a9ac737be25
SHA512

1b93b37795d54f0b17407661bbdba357bad28ba22a885e9ba589976c455e6ab0f3c46cec27b18839a2693c80bca49bb2254b6e1757f771e2bdda9deafd50f495
SSDEEP

1572864:5zUKleXzeH+IwMvNG83xXcRKzLADd4jyyp287t71FeuIEGMTQtYkVs:5Z+itxsRKzKd4jq8tpsuIMTQtpVs

Score

7^/10

agilenet persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Setup.exeSetup.exesvchost.exeDork Searcher v3 .exe

pid process

2888 Setup.exe
2576 Setup.exe
2444 svchost.exe
2672 Dork Searcher v3 .exe
Loads dropped DLL 1 IoCs

Processes:

Dork Searcher v3 .exe

pid process

2672 Dork Searcher v3 .exe

pid	process
2888	Setup.exe
2576	Setup.exe
2444	svchost.exe
2672	Dork Searcher v3 .exe

pid	process
2672	Dork Searcher v3 .exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2672-33-0x0000000000FF0000-0x0000000004F32000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Dork Searcher v3.exeSetup.exe

description	pid	process	target process
PID 1956 wrote to memory of 2888	1956	Dork Searcher v3.exe	Setup.exe
PID 1956 wrote to memory of 2888	1956	Dork Searcher v3.exe	Setup.exe
PID 1956 wrote to memory of 2888	1956	Dork Searcher v3.exe	Setup.exe
PID 1956 wrote to memory of 2576	1956	Dork Searcher v3.exe	Setup.exe
PID 1956 wrote to memory of 2576	1956	Dork Searcher v3.exe	Setup.exe
PID 1956 wrote to memory of 2576	1956	Dork Searcher v3.exe	Setup.exe
PID 2888 wrote to memory of 2444	2888	Setup.exe	svchost.exe
PID 2888 wrote to memory of 2444	2888	Setup.exe	svchost.exe
PID 2888 wrote to memory of 2444	2888	Setup.exe	svchost.exe
PID 1956 wrote to memory of 2672	1956	Dork Searcher v3.exe	Dork Searcher v3 .exe
PID 1956 wrote to memory of 2672	1956	Dork Searcher v3.exe	Dork Searcher v3 .exe
PID 1956 wrote to memory of 2672	1956	Dork Searcher v3.exe	Dork Searcher v3 .exe

C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3.exe
"C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
PID:2444

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3 .exe
"C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3 .exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
\Users\Admin\AppData\Local\Temp\a42e6cb8-6f40-425a-a17c-89ddc5754217\AgileDotNetRT64.dll
Filesize
141KB

MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
memory/1956-2-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/1956-4-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/1956-0-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp

Filesize
4KB

Download
memory/1956-32-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2444-24-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2672-40-0x000007FEFAAF0000-0x000007FEFAB18000-memory.dmp

Filesize
160KB

Download
memory/2672-33-0x0000000000FF0000-0x0000000004F32000-memory.dmp

Filesize
63.3MB

Download
memory/2672-41-0x000007FEF0CD0000-0x000007FEF0DFC000-memory.dmp

Filesize
1.2MB

Download
memory/2672-42-0x00000000336F0000-0x0000000037536000-memory.dmp

Filesize
62.3MB

Download
memory/2672-47-0x000007FEFAAF0000-0x000007FEFAB18000-memory.dmp

Filesize
160KB

Download
memory/2888-25-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-12-0x0000000000490000-0x00000000004BC000-memory.dmp

Filesize
176KB

Download
memory/2888-10-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads