Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-03-2024 07:25
Behavioral task: behavioral1
Sample: b6d90e592d3532767d011392c389ae46.exe
Resource: win7-20240221-en
6 signatures, 150 seconds
General
Target: b6d90e592d3532767d011392c389ae46.exe
Size: 420KB
MD5: b6d90e592d3532767d011392c389ae46
SHA1: 906bcf4b19066914409cf1d1ab852e3b016b23b0
SHA256: 3c55294e7636d99fb91c92a7dbfa1f5be3ad0e9774dbdcaca05be1c8f0f786fa
SHA512: 7e1e4bca803e9c196a02e721f6ee6ff7d41caa331729188df7711c45fb926dc4ee571094d4f527c063f7748ca27c763ca169c9ee800856bdea692e21a057bdd2
SSDEEP: 6144:D9g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAeG:DgUJHX+nOjhBq1j2AWZ
Malware Config
Signatures
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource                                                                      yara_rule
behavioral1/memory/1988-2-0x0000000000360000-0x0000000000376000-memory.dmp    agile_net
Program crash (1 IoC)
Processes:
pid    pid_target    Process         procid_target
2616   1988          WerFault.exe    27
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid    Process
1988   b6d90e592d3532767d011392c389ae46.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description                pid    Process
Token: SeDebugPrivilege    1988   b6d90e592d3532767d011392c389ae46.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                          pid    Process                                 procid_target
PID 1988 wrote to memory of 2616     1988   b6d90e592d3532767d011392c389ae46.exe    28
PID 1988 wrote to memory of 2616     1988   b6d90e592d3532767d011392c389ae46.exe    28
PID 1988 wrote to memory of 2616     1988   b6d90e592d3532767d011392c389ae46.exe    28
PID 1988 wrote to memory of 2616     1988   b6d90e592d3532767d011392c389ae46.exe    28
Processes
C:\Users\Admin\AppData\Local\Temp\b6d90e592d3532767d011392c389ae46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6d90e592d3532767d011392c389ae46.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1988
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 784
    - Program crash
    PID: 2616
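The WriteProcessMemory signature fires because PID 1988 wrote into PID 2616 four times, but the process tree shows that 2616 is the WerFault.exe instance launched with "-p 1988", i.e. the crash reporter for the sample itself (the SysWOW64 path also tells you the faulting process is 32-bit), not an unrelated process that received injected code. The helper below is an added example, not part of the sandbox report: it rebuilds the tree from the report's own PIDs and command lines and labels each "wrote to memory of" event by what its target is. The explorer.exe entry (PID 1234) and the fifth event are constructed so the injection branch has something to fire on.

```python
"""
Classify sandbox 'PID A wrote to memory of B' events using the process tree.
Added example for this report; the explorer.exe entry and the last event
are constructed, the rest is taken from the report above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


# Process tree from the report: 1988 is the sample, 2616 is the WerFault.exe
# it started for its own crash.  PID 1234 (explorer.exe) is constructed.
PROCESSES: Dict[int, Proc] = {
    1988: Proc(1988, "b6d90e592d3532767d011392c389ae46.exe",
               '"C:\\Users\\Admin\\AppData\\Local\\Temp\\b6d90e592d3532767d011392c389ae46.exe"'),
    2616: Proc(2616, "WerFault.exe",
               "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1988 -s 784", parent=1988),
    1234: Proc(1234, "explorer.exe", "C:\\Windows\\explorer.exe"),  # constructed
}

# The report's four IoC lines, plus one constructed line for contrast.
EVENTS = [
    "PID 1988 wrote to memory of 2616",
    "PID 1988 wrote to memory of 2616",
    "PID 1988 wrote to memory of 2616",
    "PID 1988 wrote to memory of 2616",
    "PID 1988 wrote to memory of 1234",  # constructed
]

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# WerFault.exe is started with "-p <faulting pid>"; capture that pid.
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def classify(writer: int, target: int, procs: Dict[int, Proc]) -> str:
    """Label a single cross-process memory write by its target."""
    tgt = procs.get(target)
    if tgt is None:
        return "unknown-target"
    m = WERFAULT_PID_RE.search(tgt.cmdline)
    if m and int(m.group(1)) == writer:
        # WerFault reporting the writer's own crash: the writes are the
        # crash-reporting handoff, not injection into a victim process.
        return "werfault-crash-handoff"
    if tgt.parent == writer:
        # Parent writing into a child it created; startup data is expected,
        # but sustained writes into a child are how hollowing looks too.
        return "parent-to-child"
    return "cross-process-injection-candidate"


def triage(events, procs) -> Dict[Tuple[int, int], Tuple[int, str]]:
    """Collapse duplicate events per (writer, target) and classify each pair."""
    counts: Dict[Tuple[int, int], int] = {}
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] = counts.get(key, 0) + 1
    return {k: (n, classify(k[0], k[1], procs)) for k, n in counts.items()}


if __name__ == "__main__":
    for (w, t), (n, label) in triage(EVENTS, PROCESSES).items():
        print(f"{w} -> {t} ({PROCESSES[t].image}): {n}x {label}")
```

Run against the report's events the four writes collapse to one pair labelled as the WerFault handoff, while the constructed write into explorer.exe is the only pair that would justify a closer look at the sample's memory.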