| File name: | amagent.exe |
| Full analysis: | https://app.any.run/tasks/e2ee0349-cc19-4b72-9c3a-a9c0f4093104 |
| Verdict: | Malicious activity |
| Analysis date: | March 05, 2024, 21:02:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5: | 112E3E78BBFC095908F07704F6BF5BCA |
| SHA1: | F09F326221608C520A4B65DEBDA1C1B8EA7970A8 |
| SHA256: | 863D014128A0C1A85860CD9572DAD8537DE40B668C0D47DB301AC7C9D9255844 |
| SSDEEP: | 98304:d1KHRMfXHdXE65nbxn/v1K4G+Dm4EiWeH6DcjZ4ZrHakDJ+35:sSKQ |
MALICIOUS
Drops the executable file immediately after the start
- amagent.exe (PID: 3656)
SUSPICIOUS
Uses WMIC.EXE to obtain Windows Installer data
- amagent.exe (PID: 3656)
Reads the Internet Settings
- WMIC.exe (PID: 3892)
- WMIC.exe (PID: 1876)
- WMIC.exe (PID: 2328)
- WMIC.exe (PID: 120)
- WMIC.exe (PID: 1696)
- WMIC.exe (PID: 2152)
- WMIC.exe (PID: 2572)
- WMIC.exe (PID: 4044)
- WMIC.exe (PID: 2756)
- WMIC.exe (PID: 2064)
- WMIC.exe (PID: 2440)
- WMIC.exe (PID: 3508)
Accesses product unique identifier via WMI (SCRIPT)
- WMIC.exe (PID: 3892)
- WMIC.exe (PID: 4044)
Uses WMIC.EXE to obtain CPU information
- amagent.exe (PID: 3656)
Uses WMIC.EXE to obtain memory chip information
- amagent.exe (PID: 3656)
Uses WMIC.EXE to obtain BIOS management information
- amagent.exe (PID: 3656)
Uses WMIC.EXE to obtain computer system information
- amagent.exe (PID: 3656)
Accesses domain name via WMI (SCRIPT)
- WMIC.exe (PID: 1696)
- WMIC.exe (PID: 2152)
Accesses computer name via WMI (SCRIPT)
- WMIC.exe (PID: 1696)
- WMIC.exe (PID: 2152)
Uses WMIC.EXE to obtain physical disk drive information
- amagent.exe (PID: 3656)
Accesses current user name via WMI (SCRIPT)
- WMIC.exe (PID: 2152)
- WMIC.exe (PID: 1696)
INFO
Checks supported languages
- amagent.exe (PID: 3656)
- wmpnscfg.exe (PID: 3308)
Reads the computer name
- amagent.exe (PID: 3656)
- wmpnscfg.exe (PID: 3308)
Reads product name
- amagent.exe (PID: 3656)
Reads Environment values
- amagent.exe (PID: 3656)
Creates files or folders in the user directory
- amagent.exe (PID: 3656)
Creates files in the program directory
- amagent.exe (PID: 3656)
Manual execution by a user
- wmpnscfg.exe (PID: 3308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:03:13 17:06:32+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 2.35 |
| CodeSize: | 3979776 |
| InitializedDataSize: | 7692800 |
| UninitializedDataSize: | 156672 |
| EntryPoint: | 0x14c0 |
| OSVersion: | 6.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows command line |
Total processes
50
Monitored processes
14
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | C:\Windows\System32\wbem\wmic.exe bios list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1696 | C:\Windows\System32\wbem\wmic.exe computersystem list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1876 | C:\Windows\System32\wbem\wmic.exe cpu list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2064 | C:\Windows\System32\wbem\wmic.exe memorychip list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2152 | C:\Windows\System32\wbem\wmic.exe computersystem list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2328 | C:\Windows\System32\wbem\wmic.exe memorychip list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2440 | C:\Windows\System32\wbem\wmic.exe bios list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2572 | C:\Windows\System32\wbem\wmic.exe diskdrive list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2756 | C:\Windows\System32\wbem\wmic.exe cpu list brief | C:\Windows\System32\wbem\WMIC.exe | — | amagent.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3308 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 417
Read events
2 417
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
9
Text files
1
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3656 | amagent.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Automox\amagent.db-journal | binary | |
MD5:7EBD1EA79B983CF777DBB6D7CFA80FD5 | SHA256:D5248321C19349FC395E8227CE0883C239B2CAF41CDB81F7932371402ECCC822 | |||
| 3656 | amagent.exe | C:\ProgramData\amagent\amagent.log | text | |
MD5:A33645A20879AE5289CC3B5B6F53064F | SHA256:52A4BE99CE532102677428EC5205370E37A131513DF455F6A9DDC16519A8E712 | |||
| 3656 | amagent.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Automox\amagent.db | sqlite | |
MD5:479E83C37C2A6400DD9751C0BC91D618 | SHA256:C34040FB8546C94831C17C942959C9352B6109D9A73B3D468795D612CE8B310D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |