Analysis
max time kernel: 46s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 14:36
Static task: static1
Behavioral task: behavioral1 (sample CounterBot.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample CounterBot.exe, resource win10v2004-20221111-en)
General
Target: CounterBot.exe
Size: 6.1MB
MD5: 29a0c7e41c2eae96a374ca1316b5ed6b
SHA1: 67e87e639dbd776da353d8f9899ad1365eef5c7c
SHA256: 3a7d5a7fa3205b6c6f38546bc60d9c1cce42d75f5dba4ffb44e9b1fd5a419c2b
SHA512: bf7369c3667fe7a1d58d4a2cd233e91ce741aeaccb9054de0c177c036ac39a0808a2f3f90f30b5a22c22d0785e57e658ba613c0ffdd5950f7e98f8e28926abe4
SSDEEP: 196608:PsoDXrAe5poqBuDQrO0OVDk9eZ00tJZ+8Qh:0oD8e5poqBud0OK463
Malware Config
Signatures

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral1/memory/1972-54-0x0000000005CC0000-0x0000000006244000-memory.dmp, yara_rule: agile_net

Program crash (1 IoC)
Processes:
pid 2028 WerFault.exe, target pid 1972 CounterBot.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid 1972 CounterBot.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Token: SeDebugPrivilege, pid 1972 CounterBot.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 1972 (CounterBot.exe) wrote to memory of PID 2028 (WerFault.exe), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\CounterBot.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CounterBot.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 808
      - Program crash
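As an added example (not the sandbox's own code and not part of this report), the check an analyst makes when a report pairs "Suspicious use of WriteProcessMemory" with a "Program crash": WerFault.exe launched as `-u -p 1972 -s 808` is Windows Error Reporting handling a user-mode crash of pid 1972, and writes from 1972 into the child it has just spawned are consistent with process start-up rather than injection. The script below encodes that rule over lines constructed from the report's Processes and Signatures sections; the label names, the regular expressions and the dump-name parser are this example's own assumptions.

```python
"""Classify sandbox WriteProcessMemory IoCs: WER crash handshake vs. injection.

Added example; this is not the sandbox's code and not part of the report.
The process tree and IoC lines below are constructed from the report above.
Label names and the regular expressions are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None  # pid of the process that spawned this one


# Constructed from the report's Processes section.
PROCESS_TREE: List[Proc] = [
    Proc(1972, r"C:\Users\Admin\AppData\Local\Temp\CounterBot.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\CounterBot.exe"'),
    Proc(2028, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 808", parent=1972),
]

# Constructed from the report's four 'Suspicious use of WriteProcessMemory' IoCs.
WPM_EVENTS: List[str] = [
    "PID 1972 wrote to memory of 2028 1972 CounterBot.exe WerFault.exe",
] * 4

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# WerFault.exe -u -p <pid> -s <event handle>: user-mode crash report for <pid>.
WER_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def classify_write(event: str, procs: Dict[int, Proc]) -> str:
    """Return a triage label for one 'PID A wrote to memory of B' IoC line."""
    m = WPM_RE.search(event)
    if not m:
        raise ValueError(f"unparsable WriteProcessMemory IoC: {event!r}")
    writer, target = int(m.group(1)), int(m.group(2))
    tgt = procs.get(target)
    if tgt is None:
        return "unknown-target"
    wer = WER_PID_RE.search(tgt.cmdline)
    if wer and tgt.parent == writer and int(wer.group(1)) == writer:
        # The writer spawned WerFault.exe to report on the writer's own pid:
        # the writes are CreateProcess setting up its child, not injection.
        return "wer-crash-handshake"
    if tgt.parent == writer:
        # Parent writing into a child it created: hollowing/injection is
        # possible here, so this needs a look at what was written.
        return "write-to-own-child"
    return "cross-process-write"


def summarize(events: List[str], tree: List[Proc]) -> Dict[str, int]:
    """Count IoC lines per label (the report's four writes all land in one bucket)."""
    procs = {p.pid: p for p in tree}
    counts: Dict[str, int] = {}
    for e in events:
        label = classify_write(e, procs)
        counts[label] = counts.get(label, 0) + 1
    return counts


DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def dump_region_size(name: str) -> Optional[Tuple[int, int]]:
    """(pid, byte length) for a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' name, else None.

    Cross-checks the Downloads list: the report's 5.5MB dump spans
    0x5CC0000..0x6244000, i.e. 0x584000 bytes.
    """
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, end - start


if __name__ == "__main__":
    print(summarize(WPM_EVENTS, PROCESS_TREE))
    for n in ("memory/1972-54-0x0000000005CC0000-0x0000000006244000-memory.dmp",
              "memory/2028-59-0x0000000000000000-mapping.dmp"):
        print(n, dump_region_size(n))
```

The rule deliberately requires all three conditions (target is WerFault.exe, target was spawned by the writer, and the `-p` pid equals the writer) before it suppresses a write; a WerFault.exe child reporting on some other pid, or a write into any other child, still surfaces for review.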
Network
MITRE ATT&CK Matrix
Downloads
- memory/1972-54-0x0000000005CC0000-0x0000000006244000-memory.dmp (Filesize 5.5MB)
- memory/1972-57-0x0000000075D71000-0x0000000075D73000-memory.dmp (Filesize 8KB)
- memory/1972-58-0x000000000518B000-0x000000000519C000-memory.dmp (Filesize 68KB)
- memory/1972-60-0x000000000518B000-0x000000000519C000-memory.dmp (Filesize 68KB)
- memory/2028-59-0x0000000000000000-mapping.dmp