Analysis
  max time kernel:  119s
  max time network: 123s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        04/03/2024, 05:37
Static task: static1
  1 signatures

Behavioral task: behavioral1
  Sample:   b158c924678cd5bac37bfd7bfc9d8781.exe
  Resource: win7-20240221-en
  4 signatures
  150 seconds

Behavioral task: behavioral2
  Sample:   b158c924678cd5bac37bfd7bfc9d8781.exe
  Resource: win10v2004-20240226-en
  10 signatures
  150 seconds
General
  Target: b158c924678cd5bac37bfd7bfc9d8781.exe
  Size:   1.2MB
  MD5:    b158c924678cd5bac37bfd7bfc9d8781
  SHA1:   cee45ad78360c3665af73184471b05e12a73dd5d
  SHA256: 7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e
  SHA512: 54cbcd44c677a305ad20d9eddead46adcbdf4aa1f132845ddc8b0d7e362c6367a98d8af606ba0cc2c896e0eec738f8d39df16cb81ef51f941378c41e8a172024
  SSDEEP: 24576:KvS/d3MKzksWks+5h9D1Rf0jNr27X7Jy8jh8N6ZN5Z:IKtxhmBK7NuN6ZN5

Score: 9/10
Malware Config
  (none extracted)

Signatures

CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.

  resource                                                                    yara_rule
  behavioral1/memory/1400-3-0x00000000005C0000-0x00000000005D2000-memory.dmp  CustAttr
Suspicious behavior: EnumeratesProcesses (5 IoCs)

  pid   Process
  1400  b158c924678cd5bac37bfd7bfc9d8781.exe
  1400  b158c924678cd5bac37bfd7bfc9d8781.exe
  1400  b158c924678cd5bac37bfd7bfc9d8781.exe
  1400  b158c924678cd5bac37bfd7bfc9d8781.exe
  1400  b158c924678cd5bac37bfd7bfc9d8781.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)

  description              pid   Process
  Token: SeDebugPrivilege  1400  b158c924678cd5bac37bfd7bfc9d8781.exe
Suspicious use of WriteProcessMemory (20 IoCs)

  description                         pid   Process                               procid_target
  PID 1400 wrote to memory of 2388    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  30
  PID 1400 wrote to memory of 2388    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  30
  PID 1400 wrote to memory of 2388    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  30
  PID 1400 wrote to memory of 2388    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  30
  PID 1400 wrote to memory of 2444    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  31
  PID 1400 wrote to memory of 2444    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  31
  PID 1400 wrote to memory of 2444    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  31
  PID 1400 wrote to memory of 2444    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  31
  PID 1400 wrote to memory of 2332    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  32
  PID 1400 wrote to memory of 2332    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  32
  PID 1400 wrote to memory of 2332    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  32
  PID 1400 wrote to memory of 2332    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  32
  PID 1400 wrote to memory of 2328    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  33
  PID 1400 wrote to memory of 2328    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  33
  PID 1400 wrote to memory of 2328    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  33
  PID 1400 wrote to memory of 2328    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  33
  PID 1400 wrote to memory of 2348    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  34
  PID 1400 wrote to memory of 2348    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  34
  PID 1400 wrote to memory of 2348    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  34
  PID 1400 wrote to memory of 2348    1400  b158c924678cd5bac37bfd7bfc9d8781.exe  34
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe
      "C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe"
      PID: 1400
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe
          "C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe"
          PID: 2388

      [2] C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe
          "C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe"
          PID: 2444

      [2] C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe
          "C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe"
          PID: 2332

      [2] C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe
          "C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe"
          PID: 2328

      [2] C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe
          "C:\Users\Admin\AppData\Local\Temp\b158c924678cd5bac37bfd7bfc9d8781.exe"
          PID: 2348