Analysis
-
max time kernel
29s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05/04/2023, 07:56
Behavioral task
behavioral1
Sample
a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe
Resource
win10v2004-20230221-en
General
-
Target
a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe
-
Size
7.9MB
-
MD5
4c42f0902775f4798fe2a632731e4c9b
-
SHA1
030a8969eaa5ef46583811402d6839e66939413f
-
SHA256
a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4
-
SHA512
1bb7d01dfc0b75bc535bb2723d6a97a41020325017036c9f65bcab33e78e670f0062f11f260074aa4e88d84ac5db3eb1deee2f2edfe6c4ff41864b84f2ca726c
-
SSDEEP
196608:A1lNa8RXSehxqJlFfyfdvZXwyuUa4pI7/u:A1ntCTfyfdvRla4pm/u
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/1412-59-0x00000000006C0000-0x000000000070E000-memory.dmp agile_net behavioral1/memory/1412-60-0x0000000005E70000-0x0000000005FBA000-memory.dmp agile_net -
resource yara_rule behavioral1/memory/1412-54-0x0000000000CC0000-0x0000000001CAE000-memory.dmp vmprotect -
Program crash 1 IoCs
pid pid_target Process procid_target 1900 1412 WerFault.exe 27 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1412 wrote to memory of 1900 1412 a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe 28 PID 1412 wrote to memory of 1900 1412 a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe 28 PID 1412 wrote to memory of 1900 1412 a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe 28 PID 1412 wrote to memory of 1900 1412 a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe"C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 10202⤵
- Program crash
PID:1900
-