c282afd656f68dafccdf65e3d08b43be8c6c42c601e7c0a544791ce08884fe21

Analysis

max time kernel
142s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AgogoVideo2iPod.exe
Size

4.6MB
MD5

a722b2cde169b98f68632f477e1627c7
SHA1

0cb08ec4bd639f2912eba860b41bd08261993bd1
SHA256

72eb409c2dedecfc8f2f9f5535ec7e11566614e7ba85bf9b42b90b537afa53bc
SHA512

72638d94158305db9553dec0e4c392f907bcca952c068d32816465b88137d21660878cc0acdcb8bef67712919ee162cd28b8c3dca46bafe69e774f225deed62f
SSDEEP

98304:55RQ0Gd5aJ3w2OKYZDSJAHqajj2ADSDBLWKXqKY9Yqh7JPFTmXdU:rinaJffumJoqaKQJ6q99/h75hmXdU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2208	is-6B80M.tmp
2148	crverify.exe

Loads dropped DLL 7 IoCs

pid	Process
824	AgogoVideo2iPod.exe
2208	is-6B80M.tmp
2208	is-6B80M.tmp
2208	is-6B80M.tmp
2208	is-6B80M.tmp
2148	crverify.exe
2208	is-6B80M.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	crverify.exe
2148	crverify.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2208	is-6B80M.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	crverify.exe
2148	crverify.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 824 wrote to memory of 2208	824	AgogoVideo2iPod.exe	30
PID 2208 wrote to memory of 2148	2208	is-6B80M.tmp	31
PID 2208 wrote to memory of 2148	2208	is-6B80M.tmp	31
PID 2208 wrote to memory of 2148	2208	is-6B80M.tmp	31
PID 2208 wrote to memory of 2148	2208	is-6B80M.tmp	31

C:\Users\Admin\AppData\Local\Temp\AgogoVideo2iPod.exe
"C:\Users\Admin\AppData\Local\Temp\AgogoVideo2iPod.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\is-Q68D8.tmp\is-6B80M.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q68D8.tmp\is-6B80M.tmp" /SL4 $50150 "C:\Users\Admin\AppData\Local\Temp\AgogoVideo2iPod.exe" 4511097 65536
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\is-UNQED.tmp\crverify.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UNQED.tmp\crverify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CSM1E2B.tmp

Filesize
152KB

MD5
f3d97ec757d024ab5c61ebf5b160ffd0

SHA1
0c2dd856392100a708d001d519468ff4cc930b93

SHA256
9a51aaca7f67bf7e4b3a2bd203723620c63e04870a8a3eb601c0ffdf5c901749

SHA512
9c55a7ee6af16b42e34eb668e4f7b475bb4e81b84596fcbbee2a7c36f49d3d9edd8394aa7af3b0bafabdd2247dbd412bed4ea71250c49e339692bb758f7ceb38

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q68D8.tmp\is-6B80M.tmp

Filesize
668KB

MD5
cbd6ef790696a87a35a70fd82449fbbe

SHA1
0057b3e93a400fad02a22aacfd5ab937cb0283ad

SHA256
eea6a5f0afbed59b5af72dba09de2cfa5d46a5af8eb50ea4c5152c420512c256

SHA512
39b49ec526c263f1d141465e865a44904597cffb9d555cf9bda6bfb8607b39d36f0d7a849b91c8c559648e1bb5ade32715dc3e561f111a7092603eec056c6a88

Download Submit
\Users\Admin\AppData\Local\Temp\is-UNQED.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UNQED.tmp\crverify.exe

Filesize
232KB

MD5
29b8e3b307c864596c85fcb2887a9109

SHA1
ebe2723044af8fc4628a317eae7d06545746e84c

SHA256
5a93f4e174ecdf4ae5398c94b660640b9f5f18562c78cb64f409956d39e24289

SHA512
eeb01fdc6e561aa5299da8ffa1743a2f6f38a97166b84d9e04211a26e1dfe6df7582f08dc5e724fa3890982d7ca355d2eb79026035936b377cc41ebd80ab8bd5

Download Submit
memory/824-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/824-3-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/824-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2208-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2208-32-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download