Analysis

max time kernel:  119s
max time network: 124s
platform:         windows7_x64
resource:         win7-20231215-en
resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:        24/12/2023, 23:40

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample:   1a579c3c244c6d61a663d33552b5057b.exe
  Resource: win7-20231215-en
  4 signatures, 150 seconds
General

Target: 1a579c3c244c6d61a663d33552b5057b.exe
Size:   1.0MB
MD5:    1a579c3c244c6d61a663d33552b5057b
SHA1:   8f8cad540acbc396c5fdca0f445af7af0bd4df89
SHA256: 657ed0632158da9edb4f46a8086e9ec6167c332dc89e6a106e7891577845f574
SHA512: d68b8e6b5259f1664e83420fe0a6ff5e0bbe8bf15be432e427d25a16717a967c52a17dea289ac3072094c18f9655d47916c37054f4fbcb113af950deff07c3e6
SSDEEP: 24576:XCla/6N1I2rXccaMf+VpfPQy2i9XKtG6y4gs:ylk6N1JQ9M63j0/

Score: 9/10
Malware Config

Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
  resource                                                                     yara_rule
  behavioral1/memory/2692-3-0x0000000000410000-0x0000000000422000-memory.dmp   CustAttr

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2692  1a579c3c244c6d61a663d33552b5057b.exe   (5 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2692  1a579c3c244c6d61a663d33552b5057b.exe

Suspicious use of WriteProcessMemory (20 IoCs)
All five targets are the depth-2 copies of the sample listed under Processes, each started by PID 2692 and each receiving four writes from it; the report records the writes but no further behavior from the children.
  description                        pid   Process                                procid_target  events
  PID 2692 wrote to memory of 588    2692  1a579c3c244c6d61a663d33552b5057b.exe   29             4
  PID 2692 wrote to memory of 268    2692  1a579c3c244c6d61a663d33552b5057b.exe   30             4
  PID 2692 wrote to memory of 464    2692  1a579c3c244c6d61a663d33552b5057b.exe   31             4
  PID 2692 wrote to memory of 548    2692  1a579c3c244c6d61a663d33552b5057b.exe   32             4
  PID 2692 wrote to memory of 2908   2692  1a579c3c244c6d61a663d33552b5057b.exe   33             4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe  "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe"  PID: 2692
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe  "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe"  PID: 588
    [2] C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe  "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe"  PID: 268
    [2] C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe  "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe"  PID: 464
    [2] C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe  "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe"  PID: 548
    [2] C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe  "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe"  PID: 2908
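The WriteProcessMemory signature and the process tree above only become meaningful together: a parent writing into freshly spawned copies of its own image is the shape of a RunPE/hollowing-style self-injection, while a write into some unrelated process is a different technique. The following script is an added example, not part of the Triage report; it parses the report's flattened WriteProcessMemory table, joins it with the process tree (parent of the five depth-2 copies taken from the tree nesting), and separates same-image-child writes from everything else. The `CONTROL_*` data at the bottom is constructed and not from the report.

```python
import re
from collections import Counter

# Added example; not part of the Triage report. Process tree and WriteProcessMemory
# events are copied from the report: PID 2692 is the depth-1 sample, the other five
# PIDs are its depth-2 children running the same image.
EXE = "1a579c3c244c6d61a663d33552b5057b.exe"
IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + EXE

# (pid, parent pid, image path) for each process in the report's tree.
PROCESS_TREE = [(2692, None, IMAGE)] + [
    (pid, 2692, IMAGE) for pid in (588, 268, 464, 548, 2908)
]

# The report's flattened WriteProcessMemory table: five targets, four events each,
# with Triage's internal procid_target (29..33) as the trailing field.
WPM_TEXT = " ".join(
    f"PID 2692 wrote to memory of {pid} 2692 {EXE} {procid}"
    for pid, procid in ((588, 29), (268, 30), (464, 31), (548, 32), (2908, 33))
    for _ in range(4)
)

# One event: "PID <writer> wrote to memory of <target> <pid> <Process> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm_events(text):
    """Parse the flattened table into (writer_pid, target_pid, image_name, procid_target)."""
    return [(int(w), int(t), exe, int(p)) for w, t, exe, p in EVENT_RE.findall(text)]


def classify_writes(events, tree):
    """Split cross-process writes into two buckets.

    same_image_child: the writer is the target's parent and both run the same
    image path, the shape of a RunPE/hollowing-style self-injection.
    other: every remaining write (target not in the tree, or a different image).
    Returns (dict target_pid -> write count, list of (writer, target) for the rest).
    """
    by_pid = {pid: (ppid, image) for pid, ppid, image in tree}
    same_image_child = Counter()
    other = []
    for writer, target, _exe, _procid in events:
        ppid, image = by_pid.get(target, (None, None))
        writer_image = by_pid.get(writer, (None, None))[1]
        if ppid == writer and image and writer_image and image.lower() == writer_image.lower():
            same_image_child[target] += 1
        else:
            other.append((writer, target))
    return dict(same_image_child), other


# Constructed control (not in the report): a write into a child of a different
# image lands in the "other" bucket instead of being counted as self-injection.
CONTROL_TREE = PROCESS_TREE + [(4242, 2692, r"C:\Windows\explorer.exe")]
CONTROL_EVENTS = [(2692, 4242, "explorer.exe", 99)]


if __name__ == "__main__":
    hits, other = classify_writes(parse_wpm_events(WPM_TEXT), PROCESS_TREE)
    for pid, n in sorted(hits.items()):
        print(f"PID 2692 -> same-image child {pid}: {n} WriteProcessMemory events")
    print(f"{len(other)} writes outside the same-image-child pattern")
```

The heuristic establishes only that the parent wrote into child copies of itself; whether the children's original image was actually replaced would need the memory dump the report lists as a resource, or the section-unmapping and thread-context calls that this report does not record.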