56f44707456eb8cfd4d7ab6c63c62015515a4a6154ff5e92e92e576b133003d1

Analysis

max time kernel
32s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VЕGАS Prо.exe
Size

101.7MB
MD5

cd5df5f6e86bdd5408d11b6204053c21
SHA1

ea20629b9db077aa6bfe46e16bd22bfdc580d380
SHA256

56f44707456eb8cfd4d7ab6c63c62015515a4a6154ff5e92e92e576b133003d1
SHA512

bf57afe5f6aa6a4affb3bb0a805399eda06d07e170a1d09804cf9b190f53a81d14bea07e421d0991c514e22af3a55077d3d8bf2eb5b7f12b7ad2725c9778448c
SSDEEP

1572864:GRWWlH8DHsD6tzKii6a3/1pY1rSVhFIYUT/zdylJMos/hhQ147FyixHX0w:GwHO53DTFIYUTZyl5ohQrMj

Score

7^/10

agilenet

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VЕGАS Prо.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VЕGАS Prо.exe

Executes dropped EXE 1 IoCs

Processes:

VЕGАSPrо.EXE

pid process

2064 VЕGАSPrо.EXE

pid	process
2064	VЕGАSPrо.EXE

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3580-1-0x0000000000690000-0x0000000001690000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VЕGАS Prо.exe

description pid process

Token: SeDebugPrivilege 3580 VЕGАS Prо.exe

description	pid	process
Token: SeDebugPrivilege	3580	VЕGАS Prо.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

VЕGАS Prо.exe

description	pid	process	target process
PID 3580 wrote to memory of 2064	3580	VЕGАS Prо.exe	VЕGАSPrо.EXE
PID 3580 wrote to memory of 2064	3580	VЕGАS Prо.exe	VЕGАSPrо.EXE

C:\Users\Admin\AppData\Local\Temp\VЕGАS Prо.exe
"C:\Users\Admin\AppData\Local\Temp\VЕGАS Prо.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\Temp\VЕGАSPrо.EXE
"C:\Windows\Temp\VЕGАSPrо.EXE"
2⤵
- Executes dropped EXE
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3580-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/3580-1-0x0000000000690000-0x0000000001690000-memory.dmp

Filesize
16.0MB

Download
memory/3580-2-0x000000000B5C0000-0x000000000B626000-memory.dmp

Filesize
408KB

Download
memory/3580-3-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/3580-4-0x00000000302B0000-0x00000000312B0000-memory.dmp

Filesize
16.0MB

Download
memory/3580-5-0x0000000009060000-0x0000000009086000-memory.dmp

Filesize
152KB

Download
memory/3580-6-0x0000000012EB0000-0x0000000012F26000-memory.dmp

Filesize
472KB

Download
memory/3580-7-0x000000000B630000-0x000000000B63A000-memory.dmp

Filesize
40KB

Download
memory/3580-8-0x000000000C640000-0x000000000C65E000-memory.dmp

Filesize
120KB

Download
memory/3580-20-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download