ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c

Resubmissions

22/09/2024, 09:23

240922-lcmh6ssclm 9

21/09/2024, 08:10

21/09/2024, 07:38

28/07/2024, 17:11

18/06/2024, 14:08

Analysis

max time kernel
135s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WZAgent.exe
Size

26.2MB
MD5

4cf978f2749291d8d9a722cf8bd9d9ea
SHA1

2580a9be8bc6994987cc4951a4690efd7077ea92
SHA256

ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c
SHA512

d1ba2ea6a06cf5241bd26319b7bd2da7cb3ca0453496703fa66413cc56edf9893414a970dfb67451cfb85ef735305986958ba852287b3dc63b7cf28ab351d61d
SSDEEP

786432:Ov1EWULlsocwpd3XHEquH6rdEePFG/7vG43EY6:Ov1EWusor8j6r714

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WZAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ZipExtractor.exe

Executes dropped EXE 2 IoCs

pid	Process
4212	ZipExtractor.exe
3656	WZAgent.exe

Loads dropped DLL 2 IoCs

pid	Process
3508	WZAgent.exe
3656	WZAgent.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3508-7-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral2/memory/3508-8-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral2/memory/3508-50-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral2/memory/3656-67-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral2/memory/3656-72-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral2/memory/3656-73-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral2/memory/3656-86-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral2/memory/3656-96-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3508-7-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral2/memory/3508-8-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral2/files/0x000700000002361d-13.dat	themida
behavioral2/memory/3508-16-0x00007FF88D570000-0x00007FF88E099000-memory.dmp	themida
behavioral2/memory/3508-19-0x00007FF88D570000-0x00007FF88E099000-memory.dmp	themida
behavioral2/memory/3508-28-0x00007FF88D570000-0x00007FF88E099000-memory.dmp	themida
behavioral2/memory/3508-31-0x00007FF88D570000-0x00007FF88E099000-memory.dmp	themida
behavioral2/memory/3508-48-0x00007FF88D570000-0x00007FF88E099000-memory.dmp	themida
behavioral2/memory/3508-50-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral2/files/0x000700000002361b-58.dat	themida
behavioral2/memory/3656-72-0x0000000000400000-0x00000000027EC000-memory.dmp	themida
behavioral2/memory/3656-73-0x0000000000400000-0x00000000027EC000-memory.dmp	themida
behavioral2/memory/3656-80-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp	themida
behavioral2/memory/3656-82-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp	themida
behavioral2/memory/3656-84-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp	themida
behavioral2/memory/3656-89-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp	themida
behavioral2/memory/3656-93-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp	themida
behavioral2/memory/3656-95-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp	themida
behavioral2/memory/3656-96-0x0000000000400000-0x00000000027EC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3508	WZAgent.exe
3508	WZAgent.exe
3656	WZAgent.exe
3656	WZAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3508	WZAgent.exe
3508	WZAgent.exe
3508	WZAgent.exe
4212	ZipExtractor.exe
4212	ZipExtractor.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	WZAgent.exe
Token: SeDebugPrivilege	4212	ZipExtractor.exe
Token: SeDebugPrivilege	3656	WZAgent.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4212	3508	WZAgent.exe	98
PID 3508 wrote to memory of 4212	3508	WZAgent.exe	98
PID 4212 wrote to memory of 3656	4212	ZipExtractor.exe	99
PID 4212 wrote to memory of 3656	4212	ZipExtractor.exe	99

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe
  "C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
    "C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4452,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:2776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WZAgent.exe.log

Filesize
2KB

MD5
c8f9bb079b95f0f981f33f1ac3058078

SHA1
51c811e8e50c47fac5710f3282eed71614069b3b

SHA256
9128311603d540106ceede1f308e42360a43e6021fec575d2d5505365007b2fa

SHA512
c2b2c425812a6c3fe5886198e1d757a0ff706937847035f7ba99707946122f39717ea0eae3c41642632ca9d1ca2901ab5a04b7db26aa35a5d769a1f1e91669dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll

Filesize
4.0MB

MD5
8e839b26c5efed6f41d6e854e5e97f5b

SHA1
5cb71374f72bf6a63ff65a6cda57ff66c3e54836

SHA256
1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011

SHA512
92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

Filesize
28.3MB

MD5
1b31864d1dd63f9ebb768da2cd340e9c

SHA1
2d56fff3f73bc880e614467341fdeab9474ffae7

SHA256
4b91eb1c4d27fee6d634c73e0d550024c144ca8eff9f64d03f87011fe35cd3eb

SHA512
4c9423460476835d15ec57d0571e35ad7551f11181063b1730d5f0ad88c841ad22aeda1f1311089335892e52456f322cf0ac5d1df86209cd9e6b6f004fe9b856

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.zip

Filesize
28.1MB

MD5
7908d2ae983310b8d30bd332c00189b4

SHA1
874b30d386ba1f6644ff1287e2eeb782d9a9e759

SHA256
15d8b52eb4181b1c4ab1b2ba78898f9eb50de78d1c22d5d6281cb07e6f6f91b8

SHA512
a6f9d4dd82c97afc6238c9408fa9c27dcaffca36f5dbf60efd8a32918a0e2ff42eb21fe0feb2c5de480bd8a9996d4ba21a9e47643faea0c41de3277a4d8d4b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

Filesize
99KB

MD5
6c8a405b8243837682378cfbefa92001

SHA1
21a120c6fcca8aff536cb896586131376497bc86

SHA256
a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2

SHA512
12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

Download Submit
memory/3508-22-0x00007FF8AE124000-0x00007FF8AE125000-memory.dmp

Filesize
4KB

Download
memory/3508-26-0x000000001FB80000-0x000000001FD72000-memory.dmp

Filesize
1.9MB

Download
memory/3508-9-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-7-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/3508-16-0x00007FF88D570000-0x00007FF88E099000-memory.dmp

Filesize
11.2MB

Download
memory/3508-17-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-19-0x00007FF88D570000-0x00007FF88E099000-memory.dmp

Filesize
11.2MB

Download
memory/3508-20-0x00007FF88FFD0000-0x00007FF89011E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-21-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/3508-6-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-23-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-24-0x0000000020850000-0x00000000216A8000-memory.dmp

Filesize
14.3MB

Download
memory/3508-25-0x000000001DC80000-0x000000001DCF6000-memory.dmp

Filesize
472KB

Download
memory/3508-8-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/3508-28-0x00007FF88D570000-0x00007FF88E099000-memory.dmp

Filesize
11.2MB

Download
memory/3508-29-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-31-0x00007FF88D570000-0x00007FF88E099000-memory.dmp

Filesize
11.2MB

Download
memory/3508-30-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-3-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-0-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/3508-48-0x00007FF88D570000-0x00007FF88E099000-memory.dmp

Filesize
11.2MB

Download
memory/3508-49-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-50-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/3508-2-0x00007FF8AE0C0000-0x00007FF8AE389000-memory.dmp

Filesize
2.8MB

Download
memory/3508-1-0x00007FF8AE124000-0x00007FF8AE125000-memory.dmp

Filesize
4KB

Download
memory/3656-80-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp

Filesize
11.2MB

Download
memory/3656-85-0x00007FF88FFD0000-0x00007FF89011E000-memory.dmp

Filesize
1.3MB

Download
memory/3656-67-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/3656-96-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/3656-72-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/3656-73-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/3656-95-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp

Filesize
11.2MB

Download
memory/3656-82-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp

Filesize
11.2MB

Download
memory/3656-84-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp

Filesize
11.2MB

Download
memory/3656-93-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp

Filesize
11.2MB

Download
memory/3656-86-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/3656-87-0x00000000209A0000-0x0000000021A00000-memory.dmp

Filesize
16.4MB

Download
memory/3656-89-0x00007FF88C2D0000-0x00007FF88CDF9000-memory.dmp

Filesize
11.2MB

Download
memory/3656-90-0x00000000264E0000-0x0000000026592000-memory.dmp

Filesize
712KB

Download
memory/3656-91-0x0000000026610000-0x0000000026686000-memory.dmp

Filesize
472KB

Download
memory/4212-52-0x000001DF36FB0000-0x000001DF36FBA000-memory.dmp

Filesize
40KB

Download
memory/4212-45-0x000001DF1CA80000-0x000001DF1CA9E000-memory.dmp

Filesize
120KB

Download
memory/4212-51-0x000001DF39520000-0x000001DF39532000-memory.dmp

Filesize
72KB

Download