Analysis

max time kernel: 135s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 04:28

Static task: static1
Behavioral task: behavioral1
Sample: 6425d2a508b8a9399fa2e99f536e4dba.exe
Resource: win7-20231215-en (windows7-x64)
5 signatures, 150 seconds
General

Target: 6425d2a508b8a9399fa2e99f536e4dba.exe
Size: 3.6MB
MD5: 6425d2a508b8a9399fa2e99f536e4dba
SHA1: 53749733ccd6a49cd6951bb9e4d0a676eeb72b11
SHA256: 0a8d06e600d240b442089a927590cc564a921884e130cc2d0d962be7463cec4e
SHA512: ff4ada7de78ca947b4bd60965748b0a141b756477c1d3c74c52a154d3a10edee268e0c75159a929a16cbd2440d36f5bcf16a4382a39fc9f010dd32b495b4de31
SSDEEP: 49152:gLL9wqXFZAuJbEdSqXcZAuJbEdZ/FluraLxTsEStIxvoLZ:gLyQ3ISz3IZbur8kt
Malware Config

Extracted
Family: arkei
Botnet: Default
C2: 185.87.49.30/flat.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 972 set thread context of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4876 | 972 | WerFault.exe | 14
1640 | 972 | WerFault.exe | 14

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
PID 972 wrote to memory of 3712 | 972 | 6425d2a508b8a9399fa2e99f536e4dba.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe"
  PID: 972
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1264
      PID: 4876
      - Program crash

    C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe"
      PID: 3712

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1264
      PID: 1640
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 972 -ip 972
  PID: 5028

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 972 -ip 972
  PID: 4672