39a33f73741118aa05511c1524ad3da573d7fe94a929cc0660c7719a13d335b0

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tool qM6wr Private v1.exe
Size

28.9MB
MD5

90ca79ee599a1b09eb943920f3082c20
SHA1

0cc10d064322b98adcd51dad213c19d4f9098b15
SHA256

fa61d4fd3f67c8d1683a5690cf4b7a32aa45bb972fb72a16f8e8795fba9b408b
SHA512

2d8a6705416d83636210aa5995c4da698aa236657a3362f3ae0cb5a769a0fd952105d4e5925c7f8996a3bad9e157c128ee3cb8714470f51e72c9d7616122f204
SSDEEP

393216:Kyyhyp9FO5XQXQXUMSecOvuOvQkNSJW6sGfusGfusGfusGfusGfpcsjPqf72QaP0:Kyyh+hMSliSJWNG5G5G5G5GGnKGZ

Score

7^/10

agilenet discovery

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral8/memory/1616-5-0x0000000007150000-0x00000000071D0000-memory.dmp	agile_net

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tool qM6wr Private v1.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1616	Tool qM6wr Private v1.exe
1616	Tool qM6wr Private v1.exe
1616	Tool qM6wr Private v1.exe
1616	Tool qM6wr Private v1.exe
1616	Tool qM6wr Private v1.exe
1616	Tool qM6wr Private v1.exe
1616	Tool qM6wr Private v1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	Tool qM6wr Private v1.exe

C:\Users\Admin\AppData\Local\Temp\Tool qM6wr Private v1.exe
"C:\Users\Admin\AppData\Local\Temp\Tool qM6wr Private v1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/1616-1-0x00000000005C0000-0x00000000022B2000-memory.dmp

Filesize
28.9MB

Download
memory/1616-2-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/1616-3-0x0000000006C00000-0x0000000006C28000-memory.dmp

Filesize
160KB

Download
memory/1616-4-0x00000000070B0000-0x0000000007142000-memory.dmp

Filesize
584KB

Download
memory/1616-5-0x0000000007150000-0x00000000071D0000-memory.dmp

Filesize
512KB

Download
memory/1616-6-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/1616-7-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1616-8-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/1616-9-0x00000000090D0000-0x0000000009424000-memory.dmp

Filesize
3.3MB

Download
memory/1616-10-0x0000000008970000-0x0000000008992000-memory.dmp

Filesize
136KB

Download
memory/1616-11-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1616-12-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1616-13-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1616-14-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/1616-15-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download