Analysis
max time kernel: 142s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28-12-2023 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: ddd2e40f494855d4905395a7d989cf93.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ddd2e40f494855d4905395a7d989cf93.exe
  Resource: win10v2004-20231222-en
General
Target: ddd2e40f494855d4905395a7d989cf93.exe
Size: 448KB
MD5: ddd2e40f494855d4905395a7d989cf93
SHA1: d917f717be9df884c7f06987fb51db5167e8e0c5
SHA256: 696c2ad4e3eb24171bc18b9502e5224c2817f6fc1d5d1646f497116f766ebc0d
SHA512: fac76974be904e370fb2a6e9134a81329d1d55e2f4b540e181dcfedc6f15b29c1840c5431e5c8329590067eb8c832a824e7897030b2ab78a22e922216c0db32c
SSDEEP: 12288:QboBb/W9ANGBAFb5i0P6HfewKQLYg0yCx:4xBAiAHwfz
Malware Config
Signatures
Dave packer (2 IoCs)
Detects an executable that uses the packer the community calls 'Dave', based on a string at the end of the file.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2248-8-0x0000000000260000-0x0000000000290000-memory.dmp  dave
  behavioral1/memory/2248-3-0x00000000002E0000-0x0000000000312000-memory.dmp  dave

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  2248  ddd2e40f494855d4905395a7d989cf93.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2296  wermgr.exe
  Token: SeDebugPrivilege  2296  wermgr.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                               target process
  PID 2248 wrote to memory of 2296  2248  ddd2e40f494855d4905395a7d989cf93.exe  wermgr.exe
  (the same row is recorded 6 times: six cross-process writes from the sample into wermgr.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ddd2e40f494855d4905395a7d989cf93.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ddd2e40f494855d4905395a7d989cf93.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
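The signature tables and process tree above describe one chain: the sample, running from the user's Temp directory, spawns the stock Windows Error Reporting manager wermgr.exe, writes into it six times, and the child then enables SeDebugPrivilege. The script below is an added example of correlating those events into a single finding; it is not the sandbox's own detection logic. EVENTS is constructed from the report's own tables, and the four checks, their weights and the function names are this example's assumptions.

```python
"""Correlate the behavioral events in this report into an injection chain.

Added example; it is not the sandbox's own detection logic. EVENTS is
constructed from the Signatures and Processes sections: PID 2248 (the sample,
launched from %TEMP%) writes into PID 2296 (wermgr.exe, its child) six times,
and 2296 then enables SeDebugPrivilege twice. Real EDR telemetry carries the
same fields under other names.
"""
import re
from collections import defaultdict

EVENTS = [
    {"type": "process_start", "pid": 2248, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ddd2e40f494855d4905395a7d989cf93.exe"},
    {"type": "process_start", "pid": 2296, "ppid": 2248,
     "image": r"C:\Windows\system32\wermgr.exe"},
]
EVENTS += [{"type": "write_process_memory", "pid": 2248, "target_pid": 2296}] * 6
EVENTS += [{"type": "adjust_privilege", "pid": 2296, "privilege": "SeDebugPrivilege"}] * 2

# Writers launched from a user-writable scratch directory are suspicious.
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# Targets that are stock binaries under system32 are classic hollowing hosts.
SYSTEM32_EXE = re.compile(r"^C:\\Windows\\system32\\[^\\]+\.exe$", re.I)


def find_injection_chains(events):
    """Return one finding per (writer, target) pair with a 0-4 suspicion score."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_start"}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_start"}
    writes = defaultdict(int)   # (writer pid, target pid) -> number of writes
    privs = defaultdict(set)    # pid -> privileges it enabled
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "adjust_privilege":
            privs[e["pid"]].add(e["privilege"])

    findings = []
    for (src, dst), count in writes.items():
        checks = [
            ("writer runs from the user's Temp directory",
             bool(USER_TEMP.match(image.get(src, "")))),
            ("target is a stock system32 executable",
             bool(SYSTEM32_EXE.match(image.get(dst, "")))),
            ("target is the writer's own child process", parent.get(dst) == src),
            ("target enabled SeDebugPrivilege",
             "SeDebugPrivilege" in privs.get(dst, set())),
        ]
        reasons = [text for text, hit in checks if hit]
        findings.append({
            "source": src, "target": dst, "writes": count,
            "score": len(reasons), "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in find_injection_chains(EVENTS):
        print(f"{f['source']} -> {f['target']}: {f['writes']} writes, score {f['score']}/4")
        for r in f["reasons"]:
            print("   -", r)
```

A parent writing into a child it just created is also what debuggers and some installers do, so the writer's location and the target's identity carry the weight here; the report's chain hits all four checks, a write-only chain between two ordinary program-files binaries would score one.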
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  memory dump                                                        filesize
  memory/2248-11-0x0000000000610000-0x000000000063F000-memory.dmp    188KB
  memory/2248-10-0x0000000000320000-0x000000000034E000-memory.dmp    184KB
  memory/2248-8-0x0000000000260000-0x0000000000290000-memory.dmp     192KB
  memory/2248-7-0x0000000000610000-0x000000000063F000-memory.dmp     188KB
  memory/2248-3-0x00000000002E0000-0x0000000000312000-memory.dmp     200KB
  memory/2248-151-0x0000000010000000-0x0000000010003000-memory.dmp   12KB
  memory/2248-150-0x0000000000350000-0x0000000000351000-memory.dmp   4KB
  memory/2248-153-0x0000000010000000-0x0000000010003000-memory.dmp   12KB
  memory/2248-155-0x0000000000610000-0x000000000063F000-memory.dmp   188KB
  memory/2296-152-0x00000000000F0000-0x0000000000114000-memory.dmp   144KB
  memory/2296-154-0x00000000000F0000-0x0000000000114000-memory.dmp   144KB
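Each dump name in the Downloads list encodes the process, a dump index and the virtual address range that was captured, and the listed size should equal end minus start. The script below is an added example, not part of the sandbox's tooling, that parses those names, checks the listed sizes against the ranges, and reports regions the sandbox captured more than once (the same range re-dumped at different points in the run usually means its contents changed, as unpacking stages or injected payloads do). DUMPS is copied from this report; treating the middle number as the capture order is an assumption.

```python
"""Parse the memory-dump names from a sandbox report into address ranges.

Added example for this report; it is not part of the sandbox's own tooling.
DUMPS is copied from the Downloads section (dump name, listed size). The
middle number in each name is assumed to be the sandbox's dump index, i.e.
the order in which the region was captured.
"""
import re
from collections import defaultdict

DUMPS = [
    ("memory/2248-11-0x0000000000610000-0x000000000063F000-memory.dmp", "188KB"),
    ("memory/2248-10-0x0000000000320000-0x000000000034E000-memory.dmp", "184KB"),
    ("memory/2248-8-0x0000000000260000-0x0000000000290000-memory.dmp", "192KB"),
    ("memory/2248-7-0x0000000000610000-0x000000000063F000-memory.dmp", "188KB"),
    ("memory/2248-3-0x00000000002E0000-0x0000000000312000-memory.dmp", "200KB"),
    ("memory/2248-151-0x0000000010000000-0x0000000010003000-memory.dmp", "12KB"),
    ("memory/2248-150-0x0000000000350000-0x0000000000351000-memory.dmp", "4KB"),
    ("memory/2248-153-0x0000000010000000-0x0000000010003000-memory.dmp", "12KB"),
    ("memory/2248-155-0x0000000000610000-0x000000000063F000-memory.dmp", "188KB"),
    ("memory/2296-152-0x00000000000F0000-0x0000000000114000-memory.dmp", "144KB"),
    ("memory/2296-154-0x00000000000F0000-0x0000000000114000-memory.dmp", "144KB"),
]

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'188KB' -> 192512; accepts an optional space before the unit."""
    m = re.fullmatch(r"(\d+)\s*(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_dump(name, listed_size=None):
    """Split a dump name into pid, index, start, end; cross-check the listed size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    rec = {"pid": int(m["pid"]), "idx": int(m["idx"]),
           "start": start, "end": end, "size": end - start}
    if listed_size is not None and parse_size(listed_size) != rec["size"]:
        raise ValueError(f"listed size {listed_size} does not match range in {name!r}")
    return rec


def summarize(dumps):
    """Group dumps by pid and find regions captured more than once."""
    recs = [parse_dump(name, size) for name, size in dumps]
    by_pid = defaultdict(list)      # pid -> dumps, in capture order
    captures = defaultdict(list)    # (pid, start, end) -> capture indices
    for r in recs:
        by_pid[r["pid"]].append(r)
        captures[(r["pid"], r["start"], r["end"])].append(r["idx"])
    return {
        "pids": {pid: sorted(rs, key=lambda r: r["idx"]) for pid, rs in by_pid.items()},
        "repeated_regions": {k: sorted(v) for k, v in captures.items() if len(v) > 1},
    }


if __name__ == "__main__":
    summary = summarize(DUMPS)
    for (pid, start, end), idxs in sorted(summary["repeated_regions"].items()):
        print(f"pid {pid}: {start:#x}-{end:#x} dumped {len(idxs)} times, indices {idxs}")
```

Run against this report, every listed size matches its range, and three regions were captured repeatedly: the sample's 0x610000-0x63F000 region three times (indices 7, 11 and 155), its 0x10000000-0x10003000 region twice, and wermgr.exe's 0xF0000-0x114000 region twice; the two wermgr.exe dumps are the natural place to start when looking for what the six WriteProcessMemory calls delivered.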