Analysis

Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 29/02/2024, 07:24
Behavioral task: behavioral1
Sample: HEUR-Trojan.Win32.Agent.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: HEUR-Trojan.Win32.Agent.exe
Resource: win10v2004-20240226-en
General

Target: HEUR-Trojan.Win32.Agent.exe
Size: 205KB
MD5: 00865701d63e7cfb69ec05f5af2243ae
SHA1: f05431c81b908601c48ad6e2582b4cff280e97e2
SHA256: c80800ba815c9a0d125222656af33c1028691da1be6988985cbb18dc806660fe
SHA512: 378a8e69870d8a10d3781acb820592ef11e56eb6e42ef15d087a4fc0261968d56be08564a11700cb79839700af643f6e136e3a5140189ba0811b8f364ed27354
SSDEEP: 6144:y8LuYnRrkkz2I7qWZIO1EWln3kLGqpXiK:1LuY2Uv7qWL1j6XiK
Malware Config
Signatures

- Detects executables packed with ASPack (6 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/3028-0-0x0000000000400000-0x0000000000469000-memory.dmp   INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/3028-1-0x0000000000400000-0x0000000000469000-memory.dmp   INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/3028-2-0x0000000000400000-0x0000000000469000-memory.dmp   INDICATOR_EXE_Packed_ASPack
  behavioral1/files/0x000b00000001431b-7.dat                                   INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/2548-9-0x0000000000400000-0x0000000000469000-memory.dmp   INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/2548-10-0x0000000000400000-0x0000000000469000-memory.dmp  INDICATOR_EXE_Packed_ASPack

- Modifies AppInit DLL entries (2 TTPs)
  resource                                     yara_rule
  behavioral1/files/0x000b00000001431b-7.dat   aspack_v212_v242

- Executes dropped EXE (1 IoC)
  pid    Process
  2548   wrvdfyg.exe

- Drops file in Program Files directory (2 IoCs)
  description    ioc                                  Process
  File created   C:\PROGRA~3\Mozilla\wrvdfyg.exe      HEUR-Trojan.Win32.Agent.exe
  File created   C:\PROGRA~3\Mozilla\klztrnd.dll      wrvdfyg.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid    Process
  3028   HEUR-Trojan.Win32.Agent.exe
  2548   wrvdfyg.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                           pid    Process       procid_target
  PID 1212 wrote to memory of 2548      1212   taskeng.exe   29
  PID 1212 wrote to memory of 2548      1212   taskeng.exe   29
  PID 1212 wrote to memory of 2548      1212   taskeng.exe   29
  PID 1212 wrote to memory of 2548      1212   taskeng.exe   29
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Agent.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Agent.exe"
  PID: 3028
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage

Level 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C15209D7-CF94-48BE-93CC-193592C5932B} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1212
  - Suspicious use of WriteProcessMemory

  Level 2: C:\PROGRA~3\Mozilla\wrvdfyg.exe
    Command line: C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
    PID: 2548
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 205KB
MD5: 33df1b7161e268ea11038d00e7bb81bd
SHA1: 2afe857db4b25f8617f90a34f5c87c62e3908c4f
SHA256: 8ddfeb2dea4ff2dbcca92d2de05fc1367cf828ff9faa30ef00ed232d964369f8
SHA512: 345067f917d2dc0e7412693eb2039232cba0644a2ebfcb4fe73fe7d1286e769871a7c2e30c17e477d9e3a48ae89bd3bf7d1aa9932e6536f0cfe3516652d2cfc1