Analysis
-
max time kernel
31s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
16-05-2023 12:01
Static task
static1
Behavioral task
behavioral1
Sample
MavrodiBlack 2.exe
Resource
win7-20230220-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
MavrodiBlack 2.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
18 signatures
150 seconds
General
-
Target
MavrodiBlack 2.exe
-
Size
592KB
-
MD5
a5f8768a97c74ecc4c26c402f2bcef11
-
SHA1
d234ce957544025614d49e1e18f3bac6352ca994
-
SHA256
679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c
-
SHA512
e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009
-
SSDEEP
6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6
Score
5/10
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
MavrodiBlack 2.exedescription pid process target process PID 1704 set thread context of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1164 1688 WerFault.exe AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exedescription pid process Token: SeDebugPrivilege 1688 AppLaunch.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
MavrodiBlack 2.exeAppLaunch.exedescription pid process target process PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1704 wrote to memory of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe PID 1688 wrote to memory of 1164 1688 AppLaunch.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MavrodiBlack 2.exe"C:\Users\Admin\AppData\Local\Temp\MavrodiBlack 2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 11083⤵
- Program crash
PID:1164
-
-