Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 03-01-2024 14:37
Static task: static1
Behavioral task: behavioral1
- Sample: 3eb62e11acf8e604d7d5f02392e35a92.exe
- Resource: win7-20231215-en
General
- Target: 3eb62e11acf8e604d7d5f02392e35a92.exe
- Size: 364KB
- MD5: 3eb62e11acf8e604d7d5f02392e35a92
- SHA1: 4023db2f616077a6c3eb288ce6a6d2eafa43dfdb
- SHA256: d898c7bba5e263b0683156e2d65cd5d0ef0a125951bfffc18aee5157e352f164
- SHA512: b9fd86e08e24d9c9575ada01423299d14088cb41b4357dc8631b3dd3870aaaa9704f0a788bbd3fd9601cdf5da1af3796b4c25f36af834eff403ccdd86298bac3
- SSDEEP: 6144:WBOO856a60r+UogID97/IXjBE7SL+MEXxtSbsP6AN5:WBOO3VKID90TBEhx4O6a5
Malware Config
Signatures
- Dave packer (2 IoCs)
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  Processes (resource / yara_rule):
    behavioral1/memory/2220-3-0x00000000002A0000-0x00000000002D2000-memory.dmp / dave
    behavioral1/memory/2220-4-0x0000000000230000-0x0000000000260000-memory.dmp / dave
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
    2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1288 / wermgr.exe
    Token: SeDebugPrivilege / 1288 / wermgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 2220 wrote to memory of 1288 / 2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe / wermgr.exe
    PID 2220 wrote to memory of 1288 / 2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe / wermgr.exe
    PID 2220 wrote to memory of 1288 / 2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe / wermgr.exe
    PID 2220 wrote to memory of 1288 / 2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe / wermgr.exe
    PID 2220 wrote to memory of 1288 / 2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe / wermgr.exe
    PID 2220 wrote to memory of 1288 / 2220 / 3eb62e11acf8e604d7d5f02392e35a92.exe / wermgr.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3eb62e11acf8e604d7d5f02392e35a92.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3eb62e11acf8e604d7d5f02392e35a92.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dump / filesize)
- memory/1288-162-0x00000000000F0000-0x0000000000114000-memory.dmp / 144KB
- memory/1288-164-0x00000000000F0000-0x0000000000114000-memory.dmp / 144KB
- memory/2220-3-0x00000000002A0000-0x00000000002D2000-memory.dmp / 200KB
- memory/2220-4-0x0000000000230000-0x0000000000260000-memory.dmp / 192KB
- memory/2220-8-0x0000000000390000-0x00000000003BF000-memory.dmp / 188KB
- memory/2220-9-0x00000000002E0000-0x000000000030E000-memory.dmp / 184KB
- memory/2220-10-0x0000000000390000-0x00000000003BF000-memory.dmp / 188KB
- memory/2220-83-0x0000000000390000-0x00000000003BF000-memory.dmp / 188KB
- memory/2220-160-0x0000000000570000-0x0000000000571000-memory.dmp / 4KB
- memory/2220-161-0x0000000010000000-0x0000000010003000-memory.dmp / 12KB
- memory/2220-163-0x0000000010000000-0x0000000010003000-memory.dmp / 12KB
- memory/2220-165-0x0000000000390000-0x00000000003BF000-memory.dmp / 188KB