Overview

overview

10

Static

static

1

image_2025...99.png

windows7-x64

3

image_2025...99.png

windows10-2004-x64

Resubmissions

28/03/2025, 17:07 UTC

250328-vng79syxes 10

28/03/2025, 17:01 UTC

250328-vjwj4a1jt7 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    image_2025-03-28_170136899.png

  • Size

    253KB

  • Sample

    250328-vng79syxes

  • MD5

    2e0003e2bf5591f8e2ab3fbf939610b6

  • SHA1

    b2020e09179a81ce5fe0409c6b1958439ce599db

  • SHA256

    1031187bca73c151782d84b2c0f6efd74fd843071968351baa0b41b4bc59e939

  • SHA512

    c30cb129be0d67e13b1ff504dadd268b10ebd86cc1d62feb97aeaf609e428ecf40dab15908104cc038423cad96279f3e1ad5f4c0ef7b823411d4918589d34b2a

  • SSDEEP

    6144:b52wGQvtCDocvRj3csBfp2UrwyoSYUe/uS9lW:VVCBvRIsD2PyoScuelW

Score
10/10
agilenetdefense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      image_2025-03-28_170136899.png

    • Size

      253KB

    • MD5

      2e0003e2bf5591f8e2ab3fbf939610b6

    • SHA1

      b2020e09179a81ce5fe0409c6b1958439ce599db

    • SHA256

      1031187bca73c151782d84b2c0f6efd74fd843071968351baa0b41b4bc59e939

    • SHA512

      c30cb129be0d67e13b1ff504dadd268b10ebd86cc1d62feb97aeaf609e428ecf40dab15908104cc038423cad96279f3e1ad5f4c0ef7b823411d4918589d34b2a

    • SSDEEP

      6144:b52wGQvtCDocvRj3csBfp2UrwyoSYUe/uS9lW:VVCBvRIsD2PyoScuelW

    Score
    10/10
    agilenetdefense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • UAC bypass

      defense_evasiontrojan

    • Disables RegEdit via registry modification

      defense_evasion

    • Disables Task Manager via registry modification

      defense_evasion

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.