Analysis
max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
25/12/2023, 00:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
Resource
win7-20231215-en
4 signatures
150 seconds
General
Target
1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
Size
1.2MB
MD5
1dce0fc0bcc3ed4f7af74bdaeef37a5f
SHA1
44db74becdf78474e7b4418cd24274b88410c02f
SHA256
e8bb9e81ed75437b45f90b1c65e3100c618090d66d7fa37f5208fedc6972f142
SHA512
55770eaac58703a98bb05f8da7b7357cd09b747de3dbb89f41fae380d6fa50ad5302398c8b8fffa18257b234e5f3e7a7a315bd0470f379720d34fd8b1e317f46
SSDEEP
24576:cxOsBgo0q4wMMBmCmTOUd+L6kLXWGmHUdR6B8w5+lx/2:cIoHMUmCm6Ud+zLXbmHVB8Bx+
Score
9/10
Malware Config
Signatures
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
resource                                                                    yara_rule
behavioral1/memory/1924-3-0x0000000000260000-0x0000000000272000-memory.dmp  CustAttr
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
Suspicious use of WriteProcessMemory 20 IoCs
description                       pid   Process                               procid_target
PID 1924 wrote to memory of 2796  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  28
PID 1924 wrote to memory of 2796  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  28
PID 1924 wrote to memory of 2796  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  28
PID 1924 wrote to memory of 2796  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  28
PID 1924 wrote to memory of 2760  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  32
PID 1924 wrote to memory of 2760  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  32
PID 1924 wrote to memory of 2760  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  32
PID 1924 wrote to memory of 2760  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  32
PID 1924 wrote to memory of 2732  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  31
PID 1924 wrote to memory of 2732  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  31
PID 1924 wrote to memory of 2732  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  31
PID 1924 wrote to memory of 2732  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  31
PID 1924 wrote to memory of 2376  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  30
PID 1924 wrote to memory of 2376  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  30
PID 1924 wrote to memory of 2376  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  30
PID 1924 wrote to memory of 2376  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  30
PID 1924 wrote to memory of 1344  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  29
PID 1924 wrote to memory of 1344  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  29
PID 1924 wrote to memory of 1344  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  29
PID 1924 wrote to memory of 1344  1924  1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
  PID: 1924 (depth 1)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
      PID: 2796 (depth 2)

    C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
      PID: 1344 (depth 2)

    C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
      PID: 2376 (depth 2)

    C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
      PID: 2732 (depth 2)

    C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
      PID: 2760 (depth 2)
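The WriteProcessMemory rows and the process tree in this report line up in a way worth checking mechanically: every target the sample wrote into is one of its own children, launched from the same image path. The Python below is an added example, not part of the sandbox report or of any analysis tooling it names. It parses "wrote to memory" rows in the report's own format, joins them against the process tree, and labels each writer/target pair by relationship. The event rows and tree are transcribed from this report; the labels, and the reading of "parent writes into a fresh copy of itself" as the layout typical of RunPE-style process hollowing, are the example's own interpretation and not something the report asserts.

```python
"""Correlate a sandbox report's WriteProcessMemory rows with its process tree.

Added example (not part of the report above). Event rows and the process tree
are transcribed from the report; the relationship labels are this example's.
"""
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"

# Process tree as shown in the report: (pid, parent pid, image path).
# The parent of the root process is not shown on the page, hence None.
PROCESS_TREE = [
    (1924, None, IMAGE),
    (2796, 1924, IMAGE),
    (1344, 1924, IMAGE),
    (2376, 1924, IMAGE),
    (2732, 1924, IMAGE),
    (2760, 1924, IMAGE),
]

# "Suspicious use of WriteProcessMemory" rows transcribed from the report.
# Column order: description, pid, Process, procid_target.
WRITE_EVENTS = """\
PID 1924 wrote to memory of 2796 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 28
PID 1924 wrote to memory of 2796 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 28
PID 1924 wrote to memory of 2796 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 28
PID 1924 wrote to memory of 2796 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 28
PID 1924 wrote to memory of 2760 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 32
PID 1924 wrote to memory of 2760 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 32
PID 1924 wrote to memory of 2760 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 32
PID 1924 wrote to memory of 2760 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 32
PID 1924 wrote to memory of 2732 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 31
PID 1924 wrote to memory of 2732 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 31
PID 1924 wrote to memory of 2732 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 31
PID 1924 wrote to memory of 2732 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 31
PID 1924 wrote to memory of 2376 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 30
PID 1924 wrote to memory of 2376 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 30
PID 1924 wrote to memory of 2376 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 30
PID 1924 wrote to memory of 2376 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 30
PID 1924 wrote to memory of 1344 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 29
PID 1924 wrote to memory of 1344 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 29
PID 1924 wrote to memory of 1344 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 29
PID 1924 wrote to memory of 1344 1924 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 29
"""

# Only the writer and target PIDs matter for the correlation.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")


def parse_write_events(text):
    """Count WriteProcessMemory rows as {writer pid: {target pid: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            counts[int(m.group(1))][int(m.group(2))] += 1
    return {w: dict(t) for w, t in counts.items()}


def classify_writes(counts, tree):
    """Label each writer->target pair as (writer, target, count, label)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in tree}
    findings = []
    for writer, targets in sorted(counts.items()):
        writer_image = by_pid.get(writer, (None, None))[1]
        for target, n in sorted(targets.items()):
            ppid, target_image = by_pid.get(target, (None, None))
            if target not in by_pid:
                label = "unknown-target"
            elif ppid == writer and target_image == writer_image:
                # Parent writing into a freshly spawned copy of its own image:
                # the layout usually seen with RunPE-style process hollowing.
                label = "child-same-image"
            elif ppid == writer:
                label = "child-other-image"
            else:
                label = "unrelated-process"
            findings.append((writer, target, n, label))
    return findings


def self_injection_targets(findings):
    """Sorted target PIDs written into by a parent running the same image."""
    return sorted(t for _, t, _, label in findings if label == "child-same-image")


if __name__ == "__main__":
    findings = classify_writes(parse_write_events(WRITE_EVENTS), PROCESS_TREE)
    for writer, target, n, label in findings:
        print(f"{writer} -> {target}: {n} write(s), {label}")
    print("suspected hollowing targets:", self_injection_targets(findings))
```

Run against this report, every pair comes back "child-same-image" with four writes each, which is the pattern to confirm by dumping the children's memory rather than the parent's; the rows alone do not tell you what was written, and a legitimate .NET application that restarts itself would produce the same process tree without the WriteProcessMemory rows.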