Analysis
- max time kernel: 38s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2022 19:52

Static task: static1

Behavioral task: behavioral1
- Sample: applicationsetup.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: applicationsetup.exe
- Resource: win10v2004-20221111-en
General
- Target: applicationsetup.exe
- Size: 550.0MB
- MD5: 53d777239c457304f3d48f7f8392a3c0
- SHA1: 1b6190b8f6bbb1e43b5f401a5c290f46f4fcc16f
- SHA256: b0131f3937eb232a8a1d00db4bd33b7edb74edf04d864f185520a1340fad4b38
- SHA512: 2950bdd6fcacda31a1510f6a78e5dd24c10f5ed68c2fc7693923f0407ce88040d1af8056d7f8aa8a1c34cab0d2d1c2cfdb61ee8221dd12ce1f657f2c07702423
- SSDEEP: 24576:EPbJIaHB3lCH6RmGNsSMyBe0KWCQKUKc4uEsZJIaHB3lCH6RmGNsSMyBe0KWCQzt:EPlIAfRtsSpYs/KtWXIAfRtsSpYsx
Malware Config
Signatures
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource: behavioral1/memory/1516-54-0x0000000000280000-0x00000000003B2000-memory.dmp | yara_rule: agile_net
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid: 268 | process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 268 | process: powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 1516 wrote to memory of 268 | pid: 1516 | process: applicationsetup.exe | target process: powershell.exe
    description: PID 1516 wrote to memory of 268 | pid: 1516 | process: applicationsetup.exe | target process: powershell.exe
    description: PID 1516 wrote to memory of 268 | pid: 1516 | process: applicationsetup.exe | target process: powershell.exe
    description: PID 1516 wrote to memory of 268 | pid: 1516 | process: applicationsetup.exe | target process: powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\applicationsetup.exe "C:\Users\Admin\AppData\Local\Temp\applicationsetup.exe" (depth 1)
  - Suspicious use of WriteProcessMemory
  - PID: 1516
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe" (depth 2, child of PID 1516)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - PID: 268
Network
MITRE ATT&CK Matrix
Downloads
- memory/268-56-0x0000000000000000-mapping.dmp
- memory/268-58-0x000000006F190000-0x000000006F73B000-memory.dmp (Filesize: 5.7MB)
- memory/268-59-0x000000006F190000-0x000000006F73B000-memory.dmp (Filesize: 5.7MB)
- memory/1516-54-0x0000000000280000-0x00000000003B2000-memory.dmp (Filesize: 1.2MB)
- memory/1516-55-0x0000000075111000-0x0000000075113000-memory.dmp (Filesize: 8KB)