9732f930cd31110f63aaf92cc17895b65303bb06a4968b127f4687270941acdd

General

Target

dcf2ceb7faa5754e5fb0b7db1cc23637.exe
Size

33KB
MD5

dcf2ceb7faa5754e5fb0b7db1cc23637
SHA1

0259609ed1ec649f797869ca14a7aef9f2029ffb
SHA256

9732f930cd31110f63aaf92cc17895b65303bb06a4968b127f4687270941acdd
SHA512

2f2347bf1fffe021deaae8a77695026498d8d9c8e715ed991cdaa4086c4df9196d4592855947912c27b7bb56f1567f92fe1cfaf324d2d41291618009b26fb487
SSDEEP

384:dHjYE/8qnRY1yoY4CTj0MiKSFp9paTqjkSdKrA+5WmC9NAkYIbdkK8oy10jq4ryj:ZEi7/iKSBpaPL0XY0jSSfOf876sNfpE

Score

7^/10

agilenet persistence

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3008-1-0x0000000000C50000-0x0000000000C5E000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dcf2ceb7faa5754e5fb0b7db1cc23637 = "C:\\Users\\Admin\\Documents\\dcf2ceb7faa5754e5fb0b7db1cc23637.pif"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

dcf2ceb7faa5754e5fb0b7db1cc23637.exeRegAsm.exefindstr.exe

description	pid	process	target process
PID 3008 set thread context of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 4912 set thread context of 3444	4912	RegAsm.exe	Explorer.EXE
PID 4912 set thread context of 912	4912	RegAsm.exe	findstr.exe
PID 912 set thread context of 3444	912	findstr.exe	Explorer.EXE
PID 912 set thread context of 3908	912	findstr.exe	Firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

findstr.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	findstr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dcf2ceb7faa5754e5fb0b7db1cc23637.exeRegAsm.exefindstr.exe

pid	process
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegAsm.exeExplorer.EXEfindstr.exe

pid process

4912 RegAsm.exe
3444 Explorer.EXE
3444 Explorer.EXE
912 findstr.exe
912 findstr.exe
912 findstr.exe
912 findstr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dcf2ceb7faa5754e5fb0b7db1cc23637.exe

description pid process

Token: SeDebugPrivilege 3008 dcf2ceb7faa5754e5fb0b7db1cc23637.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3444 Explorer.EXE

pid	process
4912	RegAsm.exe
3444	Explorer.EXE
3444	Explorer.EXE
912	findstr.exe
912	findstr.exe
912	findstr.exe
912	findstr.exe

description	pid	process
Token: SeDebugPrivilege	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe

pid	process
3444	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

dcf2ceb7faa5754e5fb0b7db1cc23637.execmd.exeExplorer.EXEfindstr.exe

description	pid	process	target process
PID 3008 wrote to memory of 2856	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	cmd.exe
PID 3008 wrote to memory of 2856	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	cmd.exe
PID 3008 wrote to memory of 2856	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	cmd.exe
PID 2856 wrote to memory of 3536	2856	cmd.exe	reg.exe
PID 2856 wrote to memory of 3536	2856	cmd.exe	reg.exe
PID 2856 wrote to memory of 3536	2856	cmd.exe	reg.exe
PID 3008 wrote to memory of 4312	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	cmd.exe
PID 3008 wrote to memory of 4312	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	cmd.exe
PID 3008 wrote to memory of 4312	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	cmd.exe
PID 3008 wrote to memory of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 3008 wrote to memory of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 3008 wrote to memory of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 3008 wrote to memory of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 3008 wrote to memory of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 3008 wrote to memory of 4912	3008	dcf2ceb7faa5754e5fb0b7db1cc23637.exe	RegAsm.exe
PID 3444 wrote to memory of 912	3444	Explorer.EXE	findstr.exe
PID 3444 wrote to memory of 912	3444	Explorer.EXE	findstr.exe
PID 3444 wrote to memory of 912	3444	Explorer.EXE	findstr.exe
PID 912 wrote to memory of 3908	912	findstr.exe	Firefox.exe
PID 912 wrote to memory of 3908	912	findstr.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\dcf2ceb7faa5754e5fb0b7db1cc23637.exe
"C:\Users\Admin\AppData\Local\Temp\dcf2ceb7faa5754e5fb0b7db1cc23637.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dcf2ceb7faa5754e5fb0b7db1cc23637" /t REG_SZ /F /D "C:\Users\Admin\Documents\dcf2ceb7faa5754e5fb0b7db1cc23637.pif"
3⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dcf2ceb7faa5754e5fb0b7db1cc23637" /t REG_SZ /F /D "C:\Users\Admin\Documents\dcf2ceb7faa5754e5fb0b7db1cc23637.pif"
4⤵
- Adds Run key to start application
PID:3536

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\dcf2ceb7faa5754e5fb0b7db1cc23637.exe" "C:\Users\Admin\Documents\dcf2ceb7faa5754e5fb0b7db1cc23637.pif"
3⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4912

C:\Windows\SysWOW64\findstr.exe
"C:\Windows\SysWOW64\findstr.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-22-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/912-30-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/912-27-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/912-26-0x0000000000F60000-0x00000000012AA000-memory.dmp

Filesize
3.3MB

Download
memory/912-23-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/3008-7-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/3008-3-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/3008-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/3008-8-0x0000000006C30000-0x0000000006CC6000-memory.dmp

Filesize
600KB

Download
memory/3008-9-0x0000000006D60000-0x0000000006DFC000-memory.dmp

Filesize
624KB

Download
memory/3008-10-0x0000000006F00000-0x0000000006F66000-memory.dmp

Filesize
408KB

Download
memory/3008-1-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/3008-14-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3008-2-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/3008-6-0x0000000005920000-0x0000000005996000-memory.dmp

Filesize
472KB

Download
memory/3008-4-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3008-5-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/3444-28-0x0000000008B50000-0x0000000008C52000-memory.dmp

Filesize
1.0MB

Download
memory/3444-21-0x000000000C5A0000-0x000000000D9E6000-memory.dmp

Filesize
20.3MB

Download
memory/3444-29-0x000000000C5A0000-0x000000000D9E6000-memory.dmp

Filesize
20.3MB

Download
memory/3908-37-0x00000278FF9B0000-0x00000278FFAC8000-memory.dmp

Filesize
1.1MB

Download
memory/4912-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-25-0x0000000002990000-0x00000000029AD000-memory.dmp

Filesize
116KB

Download
memory/4912-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-16-0x0000000002AF0000-0x0000000002E3A000-memory.dmp

Filesize
3.3MB

Download
memory/4912-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-20-0x0000000002990000-0x00000000029AD000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads