925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980

General

Target

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
Size

3.1MB
MD5

12ce65e1f2d26ed8e7a0eb842d5447bb
SHA1

36cbaea66bfc57c159ca3b13e367eb3c1762738c
SHA256

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980
SHA512

9f941208d0435e5a4f1d2243ac8beab0696e89beb65acda6ba3f3b72a2099f2265d72f4768c7679cbad5f57129b5b1ed7521ea77466e6cb958135fefd4016782

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3032-121-0x0000000005C20000-0x0000000005C41000-memory.dmp	agile_net
behavioral1/memory/3032-124-0x0000000005970000-0x0000000005E6E000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe

description	pid	process	target process
PID 3032 set thread context of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3872 2180 WerFault.exe 925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe

pid	pid_target	process	target process
3872	2180	WerFault.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exeWerFault.exe

pid	process
3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
Token: SeRestorePrivilege	3872	WerFault.exe
Token: SeBackupPrivilege	3872	WerFault.exe
Token: SeDebugPrivilege	3872	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe

description	pid	process	target process
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
PID 3032 wrote to memory of 2180	3032	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe	925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe

C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
"C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe
"C:\Users\Admin\AppData\Local\Temp\925b7b38868675725656b93e6d7349048a3702fc13b8fd62b305155e332b8980.exe"
2⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 460
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-127-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2180-132-0x0000000000990000-0x0000000000995000-memory.dmp

Filesize
20KB

Download
memory/2180-129-0x0000000000990000-0x0000000000995000-memory.dmp

Filesize
20KB

Download
memory/2180-128-0x00000000004019E4-mapping.dmp

Download
memory/3032-122-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/3032-121-0x0000000005C20000-0x0000000005C41000-memory.dmp

Filesize
132KB

Download
memory/3032-115-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3032-123-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/3032-124-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/3032-125-0x00000000073B0000-0x00000000073BB000-memory.dmp

Filesize
44KB

Download
memory/3032-126-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/3032-120-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/3032-119-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3032-118-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/3032-117-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads