Overview

overview

7

Static

static

3

contract A...nt.exe

windows11-21h2-x64

7

Resubmissions

29-08-2024 09:33

240829-ljkyxswhmk 5

29-08-2024 09:07

240829-k3rp5swaqp 7

Analysis

  • max time kernel
    92s
  • max time network
    203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-08-2024 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    contract Agreement.exe

  • Size

    2.1MB

  • MD5

    947d5d54bcb0bb3401571e68125c05d1

  • SHA1

    85b930cbf4d7a86ec4887915e1bec9912039c63b

  • SHA256

    374170efee6359fe5776db7b9d8cfea1cbb92478b110bd851852102130147ca3

  • SHA512

    de280efa3b7f309784f6c18de9e5339e96811781d71589c2763ec687cdb8063148e36eb2af5e32899ad804869d8376f0628a00ae1cce7d566667da171ed93eea

  • SSDEEP

    49152:U5Dg3sJDRZo8DYpK/2sFq6r5o9quvlCZT1PXJWpFcLB8c4j:3s46LBmj

Score
7/10

Malware Config

Signatures

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\contract Agreement.exe
    "C:\Users\Admin\AppData\Local\Temp\contract Agreement.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
      2⤵
        PID:4640
      • C:\Windows\System32\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
          PID:1092
        • C:\Windows\regedit.exe
          "C:\Windows\regedit.exe"
          2⤵
          • Runs regedit.exe
          PID:2268
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/5116-0-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/5116-1-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/5116-2-0x00000000012E0000-0x0000000001636000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5116-3-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download