1f62b8e0d6b7340c7b9d82153c69006ab446b29df4e0ca4df44e9b850a8367ef

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MegaDownloader.exe
Size

5.8MB
MD5

159ec5b2998e5b7c030860c5810926b8
SHA1

ed26fbc1f348222347bff125a2869051a1b80703
SHA256

f1d28cf27891791b0b8f45612642be6ff62da691d726e23802c0471364251b89
SHA512

a8006271f35141dc9c2c39f9ad364e283e4dcdd032a86539a3e5685dacf1e1c51cd7104402d74df0b44b65c516e0b7d1236516dbc53d172c769f96de583e7126
SSDEEP

98304:AbW/CQrd9ttwvJm+BaN6tC3Lo9NdD5x/rKUjFNxvLWB:Abvu9t+v0+Bqp3LONdD5NeUjFNxvLW

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2008-8-0x00000201F96C0000-0x00000201F971A000-memory.dmp	agile_net

Modifies registry class 7 IoCs

Processes:

MegaDownloader.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\ = "URL: mega Protocol"	MegaDownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\URL Protocol	MegaDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command	MegaDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell	MegaDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open	MegaDownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MegaDownloader.exe\" %1"	MegaDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega	MegaDownloader.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

MegaDownloader.exe

pid process

2008 MegaDownloader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MegaDownloader.exe

pid	process
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe
2008	MegaDownloader.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

MegaDownloader.exe

description	pid	process
Token: SeDebugPrivilege	2008	MegaDownloader.exe
Token: 33	2008	MegaDownloader.exe
Token: SeIncBasePriorityPrivilege	2008	MegaDownloader.exe
Token: 33	2008	MegaDownloader.exe
Token: SeIncBasePriorityPrivilege	2008	MegaDownloader.exe
Token: 33	2008	MegaDownloader.exe
Token: SeIncBasePriorityPrivilege	2008	MegaDownloader.exe

C:\Users\Admin\AppData\Local\Temp\MegaDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\MegaDownloader.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MegaDownloader\Language\en-US.xml

Filesize
32KB

MD5
93e68a613f33169bc0ef56c39f8e5b66

SHA1
80e3d00cbd49791703098ff6fa683b5be81238aa

SHA256
bc758d067d03984110c21cc76115807be4831bbd0fec92ca4076773d5417f51e

SHA512
2b6e65853ad27130797f7f765d8b68b353ac9946d8893eae80a9e213ee680f4b4619bf5bf747f1e7570e494f73ffdf445b3cb4a4d7207d904d28115004da8eb0

Download Submit
memory/2008-10-0x00000201FDE30000-0x00000201FE604000-memory.dmp

Filesize
7.8MB

Download
memory/2008-5-0x00000201FC0B0000-0x00000201FD646000-memory.dmp

Filesize
21.6MB

Download
memory/2008-11-0x00000201FE610000-0x00000201FECC4000-memory.dmp

Filesize
6.7MB

Download
memory/2008-24-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download
memory/2008-12-0x00000201FAF10000-0x00000201FAF8C000-memory.dmp

Filesize
496KB

Download
memory/2008-6-0x00000201F86C0000-0x00000201F87AA000-memory.dmp

Filesize
936KB

Download
memory/2008-7-0x00000201F87B0000-0x00000201F8898000-memory.dmp

Filesize
928KB

Download
memory/2008-8-0x00000201F96C0000-0x00000201F971A000-memory.dmp

Filesize
360KB

Download
memory/2008-9-0x00000201FAEA0000-0x00000201FAF0E000-memory.dmp

Filesize
440KB

Download
memory/2008-0-0x00007FF8DFCD3000-0x00007FF8DFCD5000-memory.dmp

Filesize
8KB

Download
memory/2008-3-0x00000201F9750000-0x00000201FAB02000-memory.dmp

Filesize
19.7MB

Download
memory/2008-2-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download
memory/2008-4-0x00000201F89E0000-0x00000201F8F30000-memory.dmp

Filesize
5.3MB

Download
memory/2008-25-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download
memory/2008-37-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download
memory/2008-38-0x00007FF8DFCD3000-0x00007FF8DFCD5000-memory.dmp

Filesize
8KB

Download
memory/2008-39-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download
memory/2008-41-0x00000201FD870000-0x00000201FD8C0000-memory.dmp

Filesize
320KB

Download
memory/2008-43-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download
memory/2008-1-0x00000201DD670000-0x00000201DDC4C000-memory.dmp

Filesize
5.9MB

Download
memory/2008-55-0x00007FF8DFCD0000-0x00007FF8E0791000-memory.dmp

Filesize
10.8MB

Download