d0be29109f3ccf8129a7d7a1ad7d30ba085e2ca57945afc2aa56c706123aeaee

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4dot.7z
Size

1.5MB
MD5

b9fcb0ca9df2e16c4d58ea2ec90f624a
SHA1

1f71e1b3928a8dda0a9b40fa003a38bccd80b33f
SHA256

d0be29109f3ccf8129a7d7a1ad7d30ba085e2ca57945afc2aa56c706123aeaee
SHA512

013425a8625bc4b90a9bf8d44e87d887db0f4f1d7255911955cd2561cfcf3b4473ce1cc81bf66b33348b91b7b82416bce77857b074c90df12b1f01dd6cd2f305
SSDEEP

24576:ODiN38BqKBVH55ZmdT4oGziImlVAHGK3T7KcQt4vCtpkIKGjoec4rot7KZm2QZYB:OK38BqyZ6/tlNsTW4vCtpxljQCot70QG

Score

8^/10

agilenet execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3376 powershell.exe
2916 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

gaysense.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation gaysense.exe
Executes dropped EXE 2 IoCs

Processes:

de4dot.exegaysense.exe

pid process

2336 de4dot.exe
4200 gaysense.exe

pid	process
3376	powershell.exe
2916	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	gaysense.exe

Loads dropped DLL 10 IoCs

Processes:

de4dot.exe

pid	process
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe
2336	de4dot.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\de4dot\de4dot.code.dll	agile_net
behavioral1/memory/2336-74-0x00000000059E0000-0x0000000005AFE000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4032 4200 WerFault.exe gaysense.exe

pid	pid_target	process	target process
4032	4200	WerFault.exe	gaysense.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3376 powershell.exe
3376 powershell.exe
2916 powershell.exe
2916 powershell.exe
3480 powershell.exe
3480 powershell.exe

pid	process
3376	powershell.exe
3376	powershell.exe
2916	powershell.exe
2916	powershell.exe
3480	powershell.exe
3480	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zFM.exegaysense.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	2416	7zFM.exe
Token: 35	2416	7zFM.exe
Token: SeSecurityPrivilege	2416	7zFM.exe
Token: SeDebugPrivilege	4200	gaysense.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

2416 7zFM.exe
2416 7zFM.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4164 OpenWith.exe

pid	process
2416	7zFM.exe
2416	7zFM.exe

pid	process
4164	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exegaysense.exe

description	pid	process	target process
PID 2620 wrote to memory of 2336	2620	cmd.exe	de4dot.exe
PID 2620 wrote to memory of 2336	2620	cmd.exe	de4dot.exe
PID 2620 wrote to memory of 2336	2620	cmd.exe	de4dot.exe
PID 4200 wrote to memory of 3376	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 3376	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 3376	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 2916	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 2916	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 2916	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 3480	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 3480	4200	gaysense.exe	powershell.exe
PID 4200 wrote to memory of 3480	4200	gaysense.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\de4dot.7z
1⤵
- Modifies registry class
PID:1812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\de4dot.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\Desktop\de4dot\de4dot.exe
de4dot C:\Users\Admin\Desktop\gaysense.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336

C:\Users\Admin\Desktop\gaysense.exe
"C:\Users\Admin\Desktop\gaysense.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,F:\
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess 'gaysense.exe',powershell.exe,Wscript.exe,cmd.exe,conhost.exe
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set - MpPreference - DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1628
2⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4200 -ip 4200
1⤵
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
95a68e3107b32ad035968b1abebc0533

SHA1
a10d216f79a67bd432b245dfbe9c395f6072b63a

SHA256
bf9c0f0321eaade8e9c5f03976137cada8e7c1acabeb2c6740408f02549e0a29

SHA512
832638708a633086b3dcd59ad9aab9b6a5dd45817d0e3ea99b9c47e99cc69293d7cfd7c8ed620ebaeca88459e679632e248dcc1ff7875da49398f352651549c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2ed8a7a3b3cbae6bddb21a41632890fc

SHA1
e54461cbe1cd6e7006057a883c87777e437694c0

SHA256
da4582376920450c777998317f86a8ee03ea395b9882e6cea424cc53025f6c19

SHA512
c05e89b57ada6fadf7bf2ecf43e57a211debcb5d5997ac5989dff2ceaa2ab4f2b4a7775e763c651b17e284b031379b7beff003b31c827ec5472b527298043307

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmzq15uf.2d0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\de4dot\AssemblyData.dll
Filesize
59KB

MD5
35608b6c0a49b438967ba2455f699ce3

SHA1
efe99463b2e188a9f27d6c9d74171ad1ff20d00e

SHA256
84ad4edd7804bb0de7df08b2614b5b47652d8129aa32220eda1d3e7d8a248152

SHA512
260bd71561438510f4c4c29b02430516c08ffc9db6d092f6a707f234a4038c220c8248508fb787532fae27a8a4ef1337c490919fc39ddb110a39e83f57997991

Download Submit
C:\Users\Admin\Desktop\de4dot\de4dot.blocks.dll
Filesize
142KB

MD5
3954ecec3e27d339b698937a26f0947f

SHA1
4f4d852820e1e44756326a97351f1c5f8fc7b237

SHA256
b706920dcadad4e3a73e82e09e3bbf031c2c84940715b341d03abfc1af89b704

SHA512
b54e2de3839f2bdb29ef77d05de450faad8be1590dd6fe16556b5d3837f0e0e94d7810439459aa3a83ade232de252d586d3032280f5f378fc81f22cd94065917

Download Submit
C:\Users\Admin\Desktop\de4dot\de4dot.code.dll
Filesize
1.1MB

MD5
2ad123905035ec9f0b7f957da52d8895

SHA1
dac1d6e34d43118a327879067d81a3b5eb714a42

SHA256
78c0a5b2da386fd7cc5d6713171fd6f4950a05a9821c81be51189e9b7494b184

SHA512
b536b89bf4f7167df093b2f0b7634675fdaa9c3a09863325f9d5975dc36a0c6f6e9547566220692c42a9e1ec5454127a57d02611b423a6bdf35a4de47f104ba1

Download Submit
C:\Users\Admin\Desktop\de4dot\de4dot.cui.dll
Filesize
42KB

MD5
c612e77746db9466156d7f53d8456309

SHA1
969ec793ea5759fb7a43f91cc2603e26b9d324ab

SHA256
3ed5eb99a9eda2dabed8074cdbcaea1709b05021e7a6e89d9ba03f84bb86bc84

SHA512
518d19c4c00fade92d8f8c69a5012753ccea82d19f5ebf0bb00eebc2b21d3b5a80dd3f16636b6b3d8a15b5c55a72bc8c834199d6d9e9cb46e608ebe4fbbb8fa9

Download Submit
C:\Users\Admin\Desktop\de4dot\de4dot.exe
Filesize
4KB

MD5
1a820caac60b368e3e3b247a9f8f1d07

SHA1
8cb68d7ed3d8a7386abb9201494ef64d3c1d5a81

SHA256
652f310f2649c83f0625645d1d9a420ab6893b575d92dfb1d7b1408e12b4a63d

SHA512
c4c4eff170e9b19de91e0e1335a173aedbbac45355fdef5c789b309875e9e3d2885978f90432c16e86fe87b5a7727d92552306add64a8ef50d7c04bf192409cd

Download Submit
C:\Users\Admin\Desktop\de4dot\de4dot.exe.config
Filesize
386B

MD5
7d85bf81018e3346cc1360ab54891b53

SHA1
39a189f5eb68c9d7ddc83eff779bf0097f4a485a

SHA256
6ac7546263b4c4805085897b4d871e46dfbe9b2e52a19b0e23ae7bc37f473bc1

SHA512
ab6c2dc32b926b4b1c5a683caa5c2971bac6860907fb5204b6a30c49d1decb0d41d0d1f3f9e4b1aa6e3096e25691d285440c3c74172d20b148ad527dc91132e2

Download Submit
C:\Users\Admin\Desktop\de4dot\dnlib.dll
Filesize
1.1MB

MD5
de0069c4097c987bd30ebe8155a8af35

SHA1
aced007f4d852d7b84c689a92d9c36e24381d375

SHA256
83445595d38a8e33513b33dfc201983af4746e5327c9bed470a6282d91d539b6

SHA512
66c45818e5c555e5250f8250ea704bc4ca32ddb4d5824c852ae5dc0f264b009af73c7c1e0db1b74c14ee6b612608d939386da23b56520cac415cd5a8f60a5502

Download Submit
C:\Users\Admin\Desktop\gaysense.exe
Filesize
793KB

MD5
cb3026e814a780cf4ea8806a378eb28f

SHA1
8c651081c4e2675f6b15f1490dc6854cb15fcd28

SHA256
683f8f26daeb4a6320fbea9e5d42f2f2f1e58fbf2aec60a9f4dddab72bb8e215

SHA512
fe394c77f87410a36dd3435d7195554c782d1b27fc0ccb2b42e38ba34dfac0e6087049544e64861129b7846f5d5bb2e43843960979643844891795644d804e09

Download Submit
memory/2336-82-0x0000000005950000-0x0000000005966000-memory.dmp

Filesize
88KB

Download
memory/2336-86-0x00000000059A0000-0x00000000059CA000-memory.dmp

Filesize
168KB

Download
memory/2336-78-0x0000000005B00000-0x0000000005C1E000-memory.dmp

Filesize
1.1MB

Download
memory/2336-74-0x00000000059E0000-0x0000000005AFE000-memory.dmp

Filesize
1.1MB

Download
memory/2336-70-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/2336-66-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/2916-146-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/2916-144-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/3376-97-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/3376-125-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/3376-107-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/3376-108-0x00000000067D0000-0x00000000067EE000-memory.dmp

Filesize
120KB

Download
memory/3376-109-0x00000000067F0000-0x000000000683C000-memory.dmp

Filesize
304KB

Download
memory/3376-110-0x0000000006D90000-0x0000000006DC2000-memory.dmp

Filesize
200KB

Download
memory/3376-111-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/3376-121-0x0000000007990000-0x00000000079AE000-memory.dmp

Filesize
120KB

Download
memory/3376-122-0x00000000079C0000-0x0000000007A63000-memory.dmp

Filesize
652KB

Download
memory/3376-123-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/3376-124-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/3376-96-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/3376-126-0x0000000007D90000-0x0000000007E26000-memory.dmp

Filesize
600KB

Download
memory/3376-127-0x0000000007D00000-0x0000000007D11000-memory.dmp

Filesize
68KB

Download
memory/3376-128-0x0000000007D30000-0x0000000007D3E000-memory.dmp

Filesize
56KB

Download
memory/3376-129-0x0000000007D40000-0x0000000007D54000-memory.dmp

Filesize
80KB

Download
memory/3376-130-0x0000000007E50000-0x0000000007E6A000-memory.dmp

Filesize
104KB

Download
memory/3376-131-0x0000000007D80000-0x0000000007D88000-memory.dmp

Filesize
32KB

Download
memory/3376-95-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/3376-94-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/4200-93-0x0000000007670000-0x00000000076D6000-memory.dmp

Filesize
408KB

Download
memory/4200-92-0x0000000005050000-0x000000000510C000-memory.dmp

Filesize
752KB

Download
memory/4200-91-0x00000000006D0000-0x00000000007A0000-memory.dmp

Filesize
832KB

Download