Malware Analysis Report

2025-05-28 16:49

Sample ID 250116-djkn6azlgq
Target Desktop.rar
SHA256 c7a83f87a794a496f0274ea9809496c5f1f765ac7ea9c7d90bc9b9dbcb99b0d5
Tags
agilenet discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c7a83f87a794a496f0274ea9809496c5f1f765ac7ea9c7d90bc9b9dbcb99b0d5

Threat Level: Shows suspicious behavior

The file Desktop.rar was found to show suspicious behavior.

Malicious Activity Summary

agilenet discovery

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

.NET Reactor protector

Executes dropped EXE

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-16 03:02

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-16 03:02

Reported

2025-01-16 03:08

Platform

win10ltsc2021-20250113-en

Max time kernel

303s

Max time network

305s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description  Indicator  Process                                                     Target
N/A          N/A        C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe  N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description  Indicator                                                     Process                                                     Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                 Indicator  Process                          Target
Token: SeRestorePrivilege   N/A        C:\Program Files\7-Zip\7zFM.exe  N/A
Token: 35                   N/A        C:\Program Files\7-Zip\7zFM.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zFM.exe  N/A
Token: SeRestorePrivilege   N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: 35                   N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                          Target
N/A          N/A        C:\Program Files\7-Zip\7zFM.exe  N/A
N/A          N/A        C:\Program Files\7-Zip\7zFM.exe  N/A
N/A          N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11113:120:7zEvent28800

C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe

"C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           76.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           checkappexec.microsoft.com     udp
GB       172.165.69.228:443   checkappexec.microsoft.com     tcp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53           228.69.165.172.in-addr.arpa    udp
US       8.8.8.8:53           56.163.245.4.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           30.243.111.52.in-addr.arpa     udp
US       8.8.8.8:53           16.173.189.20.in-addr.arpa     udp

Files

C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).zip

MD5 d4aa41c14abe64b83d8e279e3c9bd6d2
SHA1 906a64ae9de3778e0bbf5d332028950adc1496aa
SHA256 82c06f2d952865069324c02cdcd247eabcb708e05206026ea423db17945f56a5
SHA512 e9a5447da0b2dd0b79612762940c3a772cdd5ddd93d806b6a2c713d935690f1bbad4f5f762230b958287535971de952b937a328ca9b4053d805663bac751c5b0

C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe

MD5 a5a51b2c774125314b8c5d0f8d44ebc5
SHA1 ff5ffabb88fff1b8c3761ffbe05f9e6b62673bbf
SHA256 156e5c2a195616afbbdd8b676b35d3d3df97d3fad967a6700ca4e79fa6e1a747
SHA512 f7794cb36bbe22cbb54eed7dd811e978d64b0e5c5f2e2becf9a841ba01986c13a5aec2ddb988f3e6c1522fae763689e92c592b7cb44c56cdd81c9d60a64dcb03

memory/3336-11-0x000000007519E000-0x000000007519F000-memory.dmp

memory/3336-12-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

memory/3336-13-0x0000000006080000-0x0000000006626000-memory.dmp

memory/3336-14-0x00000000059B0000-0x0000000005A42000-memory.dmp

memory/3336-15-0x0000000075190000-0x0000000075941000-memory.dmp

memory/3336-16-0x0000000005A60000-0x0000000005A6A000-memory.dmp

memory/3336-17-0x000000007519E000-0x000000007519F000-memory.dmp

memory/3336-18-0x0000000075190000-0x0000000075941000-memory.dmp

C:\Users\Admin\Desktop\dnlib.dll

MD5 4c9210f604923f03b1167dad7a45a0ca
SHA1 23560893a0ac7c1c6bee12ae37c4f5de5d711d61
SHA256 1ad463b80a08a6698ec3fe3fec1d081ad3250ee6d0bdb3abdbb122be59b836b2
SHA512 c6634d61cbc849e8c99e6e3d9781f406f6a2fd09e5ce5820999033350252b6bb22da085bea97e703aefddb7508312226827fc5ed2a04733135a47c900e204393

memory/3336-22-0x0000000009A90000-0x0000000009BAA000-memory.dmp

C:\Users\Admin\Desktop\disk spoofer.dump_Slayed.exe

MD5 bd970b9af58a8446643ac53a257bc328
SHA1 55c72ab6d08e0f109655ddd25dbeda361aede1b9
SHA256 86c8184edce60828dedf25d3f4c10ac1cbb2ac9f26f63e32f8082fbfec7cd756
SHA512 aa5f4416278da08b4ff6450f4c97db15d4c14644a7a3d4121544d254340630cd75bfc763cd3c3bcd59cc1fbd23380920f7d0f9b384dd71dbbbfb48af35ad6610

memory/3336-25-0x0000000075190000-0x0000000075941000-memory.dmp