66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73

General

Target

66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
Size

1.3MB
MD5

672c168d4320323398943d1cd1e489df
SHA1

bf8df765b16c756e2f6d0ea4034d7c8366eb3794
SHA256

66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73
SHA512

c2e67c8b8a0c91401bc497eca04196b5f0d9a91bf64d97d2bc186c88438d8abc945cb82cc9639ee0a5573858c943beebe7fdf72118b2bdb397a104426d71c0cc

Score

9^/10

agilenet

Malware Config

Signatures

ServiceHost packer 4 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1648-15-0x000000000043FA98-mapping.dmp	servicehost
behavioral2/memory/1648-14-0x000000000043FA98-mapping.dmp	servicehost
behavioral2/memory/1648-17-0x000000000043FA98-mapping.dmp	servicehost
behavioral2/memory/1648-16-0x000000000043FA98-mapping.dmp	servicehost

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2432-3-0x00000000029C0000-0x00000000029CF000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe

description	pid	process	target process
PID 2432 set thread context of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 1648 WerFault.exe 66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe

pid	pid_target	process	target process
1512	1648	WerFault.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exeWerFault.exe

pid	process
2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
Token: SeRestorePrivilege	1512	WerFault.exe
Token: SeBackupPrivilege	1512	WerFault.exe
Token: SeDebugPrivilege	1512	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe

description	pid	process	target process
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
PID 2432 wrote to memory of 1648	2432	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe	66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe

C:\Users\Admin\AppData\Local\Temp\66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
"C:\Users\Admin\AppData\Local\Temp\66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe
"C:\Users\Admin\AppData\Local\Temp\66b1580426a8b8bcfa79ffcbdc1f8e94bd22cf6643dd3f3ff519d30712e4db73.exe"
2⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 544
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-18-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1512-11-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1648-10-0x0000000000540000-0x00000000005D3000-memory.dmp

Filesize
588KB

Download
memory/1648-16-0x000000000043FA98-mapping.dmp

Download
memory/1648-17-0x000000000043FA98-mapping.dmp

Download
memory/1648-14-0x000000000043FA98-mapping.dmp

Download
memory/1648-15-0x000000000043FA98-mapping.dmp

Download
memory/1648-9-0x000000000043FA98-mapping.dmp

Download
memory/2432-4-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/2432-7-0x0000000005670000-0x0000000005676000-memory.dmp

Filesize
24KB

Download
memory/2432-6-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/2432-0-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-3-0x00000000029C0000-0x00000000029CF000-memory.dmp

Filesize
60KB

Download
memory/2432-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads