aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe
Size

553KB
MD5

bd855bfca47e55fe6501719a6efe3358
SHA1

7842b2b75624d1b60e7802d5382514969ed0fa7d
SHA256

aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655
SHA512

3ce2c748fa78d5e7e0d64811d84f4b082a1db50db14d7f964b12110ab9bfe93ecc6882e76ca9cc8b1e6f27318f6c51b6be629a9b32a2df33727ddacf4c32ea46
SSDEEP

12288:w0tCSx8YwSzqwf6ciciAVDklq5Dv1D9hNkZrMP/:wUCqwoViTAqkPDfNSr+

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2848-6-0x000000001BA60000-0x000000001BB7E000-memory.dmp	agile_net
behavioral1/files/0x000d00000001226b-11.dat	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2848	aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2736	2848	aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe	29
PID 2848 wrote to memory of 2736	2848	aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe	29
PID 2848 wrote to memory of 2736	2848	aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe	29
PID 2736 wrote to memory of 2724	2736	cmd.exe	31
PID 2736 wrote to memory of 2724	2736	cmd.exe	31
PID 2736 wrote to memory of 2724	2736	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe
"C:\Users\Admin\AppData\Local\Temp\aec3d30b3d0b684e97a5820db21dd64df2208b86eb19433a26d9aba08b2ac655.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\104D3570.dll" /A:H
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\104D3570.dll

Filesize
500KB

MD5
df107bd3a89d30ed9252275fe1b894dd

SHA1
91d8c92f7a1a3b8b37e2a8740ec8f58d971217dc

SHA256
8348bf2a42eb6a618eaf401fcf304408d91c0d37cc1a81f07e5fb770adddef61

SHA512
0a9ac058460796d67cf08182440763e8323b217192c0635f9a6951c114ecc7d566a74bb39cc17771053a4c267bc624e197bb6292f986307d3a3af217a3c768f1

Download Submit
memory/2848-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000AB0000-0x0000000000B40000-memory.dmp

Filesize
576KB

Download
memory/2848-4-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-6-0x000000001BA60000-0x000000001BB7E000-memory.dmp

Filesize
1.1MB

Download
memory/2848-8-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-9-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-10-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2848-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-13-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/2848-14-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download