787604212120703df96b630a7a66041622ca5ff07f604ad5545685e3e0b4d5ed

Analysis

max time kernel
38s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-12-2022 19:52

Target

applicationsetup.exe
Size

550.0MB
MD5

53d777239c457304f3d48f7f8392a3c0
SHA1

1b6190b8f6bbb1e43b5f401a5c290f46f4fcc16f
SHA256

b0131f3937eb232a8a1d00db4bd33b7edb74edf04d864f185520a1340fad4b38
SHA512

2950bdd6fcacda31a1510f6a78e5dd24c10f5ed68c2fc7693923f0407ce88040d1af8056d7f8aa8a1c34cab0d2d1c2cfdb61ee8221dd12ce1f657f2c07702423
SSDEEP

24576:EPbJIaHB3lCH6RmGNsSMyBe0KWCQKUKc4uEsZJIaHB3lCH6RmGNsSMyBe0KWCQzt:EPlIAfRtsSpYs/KtWXIAfRtsSpYsx

Score

7^/10

agilenet

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Processes:

resource	yara_rule
behavioral1/memory/1516-54-0x0000000000280000-0x00000000003B2000-memory.dmp	agile_net

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 268 powershell.exe

pid	process
268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

applicationsetup.exe

description	pid	process	target process
PID 1516 wrote to memory of 268	1516	applicationsetup.exe	powershell.exe
PID 1516 wrote to memory of 268	1516	applicationsetup.exe	powershell.exe
PID 1516 wrote to memory of 268	1516	applicationsetup.exe	powershell.exe
PID 1516 wrote to memory of 268	1516	applicationsetup.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\applicationsetup.exe
"C:\Users\Admin\AppData\Local\Temp\applicationsetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/268-58-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download
memory/268-59-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-54-0x0000000000280000-0x00000000003B2000-memory.dmp

Filesize
1.2MB

Download
memory/1516-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download