Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-12-2021 17:38
Static task: static1
Behavioral task: behavioral1
Sample: 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
Resource: win10-en-20211208
General
- Target: 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
- Size: 3.1MB
- MD5: 12ce65e1f2d26ed8e7a0eb842d5447bb
- SHA1: 36cbaea66bfc57c159ca3b13e367eb3c1762738c
- SHA256: 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980
- SHA512: 9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782
Malware Config
Signatures
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource | yara_rule
    behavioral1/memory/3032-121-0x0000000005C20000-0x0000000005C41000-memory.dmp | agile_net
    behavioral1/memory/3032-124-0x0000000005970000-0x0000000005E6E000-memory.dmp | agile_net
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 3032 set thread context of 2180 | 3032 | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    3872 | 2180 | WerFault.exe | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | process | occurrences
    3032 | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe | 2
    3872 | WerFault.exe | 12
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3032 | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
    Token: SeRestorePrivilege | 3872 | WerFault.exe
    Token: SeBackupPrivilege | 3872 | WerFault.exe
    Token: SeDebugPrivilege | 3872 | WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process | occurrences
    PID 3032 wrote to memory of 2180 | 3032 | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe | 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe | 8
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe"
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 460
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2180-127-0x0000000000400000-0x0000000000405000-memory.dmp (Filesize: 20KB)
- memory/2180-132-0x0000000000990000-0x0000000000995000-memory.dmp (Filesize: 20KB)
- memory/2180-129-0x0000000000990000-0x0000000000995000-memory.dmp (Filesize: 20KB)
- memory/2180-128-0x00000000004019E4-mapping.dmp
- memory/3032-122-0x0000000006B90000-0x0000000006B91000-memory.dmp (Filesize: 4KB)
- memory/3032-121-0x0000000005C20000-0x0000000005C41000-memory.dmp (Filesize: 132KB)
- memory/3032-115-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)
- memory/3032-123-0x0000000006B50000-0x0000000006B51000-memory.dmp (Filesize: 4KB)
- memory/3032-124-0x0000000005970000-0x0000000005E6E000-memory.dmp (Filesize: 5.0MB)
- memory/3032-125-0x00000000073B0000-0x00000000073BB000-memory.dmp (Filesize: 44KB)
- memory/3032-126-0x0000000009960000-0x0000000009961000-memory.dmp (Filesize: 4KB)
- memory/3032-120-0x0000000005970000-0x0000000005E6E000-memory.dmp (Filesize: 5.0MB)
- memory/3032-119-0x0000000005A10000-0x0000000005A11000-memory.dmp (Filesize: 4KB)
- memory/3032-118-0x0000000005970000-0x0000000005971000-memory.dmp (Filesize: 4KB)
- memory/3032-117-0x0000000005E70000-0x0000000005E71000-memory.dmp (Filesize: 4KB)