Analysis Overview
SHA256
25d32aaaf985ce7bb19efb21c0c0cbfd71a454dc4d421131e9faf2e25bc1bba0
Threat Level: Shows suspicious behavior
The file SAMTOOLv2.1.1.2.rar was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-09 18:18
Signatures
Analysis: behavioral8
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe
"C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe"
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" version
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" start-server
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
adb -L tcp:5037 fork-server server --reply-fd 564
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:19
Platform
win7-20230220-en
Max time kernel
26s
Max time network
31s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 252
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win10v2004-20230221-en
Max time kernel
158s
Max time network
172s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2136 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2136 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2136 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1672 -ip 1672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 616
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe"
Network
Files
memory/1376-54-0x0000000000400000-0x00000000005E7000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win7-20230220-en
Max time kernel
143s
Max time network
33s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe
"C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe"
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" version
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" start-server
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
adb -L tcp:5037 fork-server server --reply-fd 256
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win10v2004-20230220-en
Max time kernel
86s
Max time network
97s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2128 wrote to memory of 3336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 3336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 3336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3336 -ip 3336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 624
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win7-20230220-en
Max time kernel
28s
Max time network
31s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-04-09 18:18
Reported
2023-04-09 18:21
Platform
win10v2004-20230220-en
Max time kernel
91s
Max time network
107s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe"
Network
Files
memory/2856-133-0x0000000000400000-0x00000000005E7000-memory.dmp