Analysis
max time kernel: 147s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2024, 00:14
Static task
static1: 1 signature
Behavioral task
behavioral1: sample a0b72b85949f962c6078005d4185c9f6.exe, resource win7-20240221-en, 6 signatures, 150 seconds
Behavioral task
behavioral2: sample a0b72b85949f962c6078005d4185c9f6.exe, resource win10v2004-20240221-en, 7 signatures, 150 seconds
General
Target: a0b72b85949f962c6078005d4185c9f6.exe
Size: 1.3MB
MD5: a0b72b85949f962c6078005d4185c9f6
SHA1: ea4d2b93ac51e38e458aa8cd9f18969507bccf04
SHA256: f7d694848aa9a76e2b8a3ba86ffa69357af5b60f8b8e68653ea422b6f1c743d2
SHA512: 8e8977a792e48ee1c45b0b82032db6442218627a824369167cb949ae2aacbef6f1b2b74b5677daebe3cfb56d019cd6fe0b95bb992648b10851f04f2956b89310
SSDEEP: 12288:ChfkOzs2K+B95GWvzq/DKjSOChXkEjvXmm95mAEG8dwInwoZ1zl/+RHRVbUxjgv/:mbvSa1CRjzsGmOebhchkeW35
Score: 10/10
Malware Config
Signatures
Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ImeFajla.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ImeFajla.exe\"" | a0b72b85949f962c6078005d4185c9f6.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1724 set thread context of 232 | 1724 | a0b72b85949f962c6078005d4185c9f6.exe | 90

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  224 | 232 | WerFault.exe | 90

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1724 | a0b72b85949f962c6078005d4185c9f6.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1724 wrote to memory of 232 | 1724 | a0b72b85949f962c6078005d4185c9f6.exe | 90
  (the same row is recorded 14 times, one per WriteProcessMemory call)
Processes
C:\Users\Admin\AppData\Local\Temp\a0b72b85949f962c6078005d4185c9f6.exe (PID 1724)
  command line: "C:\Users\Admin\AppData\Local\Temp\a0b72b85949f962c6078005d4185c9f6.exe"
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 232)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\SysWOW64\WerFault.exe (PID 224)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 12
      signatures: Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 3848)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 232 -ip 232
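Read together, the signature rows and the process tree describe one chain: the sample (PID 1724) enables SeDebugPrivilege, starts the .NET Visual Basic compiler vbc.exe (PID 232) as its child, writes into that child's memory 14 times and changes one of its thread contexts, after which the child crashes (WerFault.exe -p 232); separately it sets a Run key pointing at ...\AppData\Local\Temp\ImeFajla.exe (the report does not show that file being written). Writing into a freshly spawned, signed Microsoft binary and then resetting its thread context is the process-hollowing pattern, which is what raises the score. The following is an added example, not part of the Triage report or its signature engine: it correlates events of this shape into an explainable verdict. The event records are constructed from the report's IoC rows (pids, images and counts are the page's); the record layout, field names and the list of hollowing hosts are assumptions of this example.

```python
"""Correlate sandbox behaviour events into a process-hollowing verdict.

Added example; not part of the Triage report or its signature engine.
The event records below are constructed from the report's IoC rows (pids,
images and counts are the page's); the record layout and field names are
assumptions of this example.
"""
import re
from collections import defaultdict

INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\a0b72b85949f962c6078005d4185c9f6.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report: one event per IoC row, plus the process tree.
EVENTS = [
    {"type": "process_create", "pid": 1724, "parent": 0, "image": INJECTOR},
    {"type": "adjust_privilege", "pid": 1724, "token": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 232, "parent": 1724, "image": HOST},
    {"type": "set_thread_context", "pid": 1724, "target": 232},
    *[{"type": "write_process_memory", "pid": 1724, "target": 232} for _ in range(14)],
    {"type": "reg_set", "pid": 1724,
     "key": r"\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ImeFajla.exe",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\ImeFajla.exe"'},
    {"type": "process_create", "pid": 224, "parent": 232, "image": WERFAULT},
]

# Assumed list: signed Microsoft .NET build tools that injectors commonly spawn
# and then overwrite; vbc.exe is the one seen in this report.
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                   "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\ProgramData\\", re.I)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events):
    """Pair SetThreadContext with WriteProcessMemory on the same (source, target).

    Either call alone is noisy (debuggers, installers); the pair, aimed at a
    child the source itself created, is the hollowing sequence.
    """
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    parent = {e["pid"]: e["parent"] for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1

    findings = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        if writes[(src, dst)] == 0:
            continue  # a context change with no writes is not hollowing on its own
        host = basename(image.get(dst, ""))
        # WerFault spawned under the target means the host crashed after the
        # writes; that does not clear the injector, so it is kept in the finding.
        crashed = any(x["type"] == "process_create" and x["parent"] == dst
                      and basename(x["image"]) == "werfault.exe" for x in events)
        findings.append({
            "injector": src, "target": dst, "target_image": host,
            "own_child": parent.get(dst) == src,
            "writes": writes[(src, dst)],
            "lolbin_host": host in HOLLOWING_HOSTS,
            "target_crashed": crashed,
        })
    return findings


def find_run_key_persistence(events):
    """Flag Run-key values that point into user-writable directories."""
    out = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY.search(e["key"]):
            out.append({"pid": e["pid"], "name": e["key"].rsplit("\\", 1)[-1],
                        "value": e["value"],
                        "user_writable_path": bool(USER_WRITABLE.search(e["value"]))})
    return out


def verdict(events):
    """Combine the two detectors into short, explainable tags."""
    h, p = find_hollowing(events), find_run_key_persistence(events)
    tags = []
    if any(f["lolbin_host"] and f["own_child"] for f in h):
        tags.append("process-hollowing-into-signed-host")
    elif h:
        tags.append("process-injection")
    if any(x["user_writable_path"] for x in p):
        tags.append("run-key-persistence-from-temp")
    return tags


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f)
    print(verdict(EVENTS))
```

Running it on the constructed events yields one hollowing finding (1724 into 232, 14 writes, host vbc.exe, own child, crashed) and one persistence finding (ImeFajla.exe under AppData\Local\Temp). The two-call pairing is the point: a Sysmon or EDR rule keyed on SetThreadContext alone fires on every debugger, and one keyed on WriteProcessMemory alone fires on every installer; requiring both against the same target, and weighting the target being the source's own child and a signed .NET tool, keeps the rule quiet on normal hosts.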