Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 18:14
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 0afe819fb6bd54d591e7b5b368920793.exe
Resource: win7-20231129-en
4 signatures, 150 seconds
General
Target: 0afe819fb6bd54d591e7b5b368920793.exe
Size: 1.2MB
MD5: 0afe819fb6bd54d591e7b5b368920793
SHA1: e353c08baaaedd5155a9f972cdd9c0deca5eae4f
SHA256: 68a5258c5c468efc0102b57b21cf9b641032d37746f510b2876d93a3271b10f2
SHA512: 611484b3c0a3131788931304cfddcff402e06a9d73dbe021b2f0cc00794ced7d5631cfe22d6597813942a24c8ad83d811c17cedbe6cf722e4a17b5864e05da00
SSDEEP: 24576:MYRTCmt2OsBgo0q4wMlay98EmOfWzY8d:MQ/oHMlaRJ8Sbd
Score: 9/10
Malware Config
Signatures
CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
  resource                                                                   yara_rule
  behavioral1/memory/2724-3-0x0000000000350000-0x0000000000362000-memory.dmp  CustAttr

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2724  0afe819fb6bd54d591e7b5b368920793.exe
  2724  0afe819fb6bd54d591e7b5b368920793.exe
  2724  0afe819fb6bd54d591e7b5b368920793.exe
  2724  0afe819fb6bd54d591e7b5b368920793.exe
  2724  0afe819fb6bd54d591e7b5b368920793.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2724  0afe819fb6bd54d591e7b5b368920793.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                               procid_target
  PID 2724 wrote to memory of 2688  2724  0afe819fb6bd54d591e7b5b368920793.exe  28
  PID 2724 wrote to memory of 2688  2724  0afe819fb6bd54d591e7b5b368920793.exe  28
  PID 2724 wrote to memory of 2688  2724  0afe819fb6bd54d591e7b5b368920793.exe  28
  PID 2724 wrote to memory of 2688  2724  0afe819fb6bd54d591e7b5b368920793.exe  28
  PID 2724 wrote to memory of 2680  2724  0afe819fb6bd54d591e7b5b368920793.exe  29
  PID 2724 wrote to memory of 2680  2724  0afe819fb6bd54d591e7b5b368920793.exe  29
  PID 2724 wrote to memory of 2680  2724  0afe819fb6bd54d591e7b5b368920793.exe  29
  PID 2724 wrote to memory of 2680  2724  0afe819fb6bd54d591e7b5b368920793.exe  29
  PID 2724 wrote to memory of 2640  2724  0afe819fb6bd54d591e7b5b368920793.exe  30
  PID 2724 wrote to memory of 2640  2724  0afe819fb6bd54d591e7b5b368920793.exe  30
  PID 2724 wrote to memory of 2640  2724  0afe819fb6bd54d591e7b5b368920793.exe  30
  PID 2724 wrote to memory of 2640  2724  0afe819fb6bd54d591e7b5b368920793.exe  30
  PID 2724 wrote to memory of 2596  2724  0afe819fb6bd54d591e7b5b368920793.exe  31
  PID 2724 wrote to memory of 2596  2724  0afe819fb6bd54d591e7b5b368920793.exe  31
  PID 2724 wrote to memory of 2596  2724  0afe819fb6bd54d591e7b5b368920793.exe  31
  PID 2724 wrote to memory of 2596  2724  0afe819fb6bd54d591e7b5b368920793.exe  31
  PID 2724 wrote to memory of 2564  2724  0afe819fb6bd54d591e7b5b368920793.exe  32
  PID 2724 wrote to memory of 2564  2724  0afe819fb6bd54d591e7b5b368920793.exe  32
  PID 2724 wrote to memory of 2564  2724  0afe819fb6bd54d591e7b5b368920793.exe  32
  PID 2724 wrote to memory of 2564  2724  0afe819fb6bd54d591e7b5b368920793.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe"
  PID: 2724
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (each started with the same command line as the parent):
    C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe  PID: 2688
    C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe  PID: 2680
    C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe  PID: 2640
    C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe  PID: 2596
    C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe  PID: 2564