Overview

overview

7

Static

static

7

tmp.exe

windows7-x64

7

tmp.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2023 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    6.0MB

  • MD5

    0c299719b5de524a7694f553e7958334

  • SHA1

    ccf292e8b79dc4c0a82bfa45117f4fe660bf58ac

  • SHA256

    152515d944171b93908d577c7497dec57bbac78f18df0cb5e094b590d397dfa8

  • SHA512

    1f8182c6313f2d084057af81f4a2d60ef401f6a1aad8a0815b95ff9425676c81cfadadd862b521ad877bcd1770c576d20a0f8f0d1f5ac68087dbbd655e272f0c

  • SSDEEP

    49152:3w3U0rW+RzXtpR548WTt9kUHdvAmZL0Th+1n9fr2flQChRigKwQw3UvSACGrW+Rw:1sH4JErh0gzyxL

Score
7/10
agilenet

Malware Config

Signatures

  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 552
      2⤵
      • Program crash
      PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1740-54-0x0000000000320000-0x0000000000928000-memory.dmp
    Filesize

    6.0MB

    Download