Analysis
- max time kernel: 145s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2024 16:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: bf17900c0dc35b51818e25e46eb17208.exe
- Resource: win7-20240221-en
General
- Target: bf17900c0dc35b51818e25e46eb17208.exe
- Size: 448KB
- MD5: bf17900c0dc35b51818e25e46eb17208
- SHA1: 21562902363beae4a0ed1c2a9ef4c90aa4c3e3af
- SHA256: b42cc7a4303bb42b02067de424bd857540da854f0e71d5c8c987d72c05e16e3d
- SHA512: b83ce91f1b9960dba74af310bd6a0e633cede85df6751bd352dcb10b47434e2bb0c0388e487e231952c0672e56d12d0b4a8b09b95c0d470f93738603756b4036
- SSDEEP: 12288:QboBb/W9ANGBAFb5i0P6HfewKQLYg0yCxf:4xBAiAHwfzc
Malware Config
Signatures
- Dave packer (2 IoCs)
  Detects an executable packed with the packer the community calls 'Dave', based on a string at the end of the file.
  Processes:
  | resource | yara_rule |
  |---|---|
  | behavioral1/memory/2740-3-0x0000000000360000-0x0000000000392000-memory.dmp | dave |
  | behavioral1/memory/2740-7-0x0000000000250000-0x0000000000280000-memory.dmp | dave |
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  | pid | process |
  |---|---|
  | 2740 | bf17900c0dc35b51818e25e46eb17208.exe |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  | description | pid | process |
  |---|---|---|
  | Token: SeDebugPrivilege | 1300 | wermgr.exe |
  | Token: SeDebugPrivilege | 1300 | wermgr.exe |
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  | description | pid | process | target process |
  |---|---|---|---|
  | PID 2740 wrote to memory of 1300 | 2740 | bf17900c0dc35b51818e25e46eb17208.exe | wermgr.exe |
  | PID 2740 wrote to memory of 1300 | 2740 | bf17900c0dc35b51818e25e46eb17208.exe | wermgr.exe |
  | PID 2740 wrote to memory of 1300 | 2740 | bf17900c0dc35b51818e25e46eb17208.exe | wermgr.exe |
  | PID 2740 wrote to memory of 1300 | 2740 | bf17900c0dc35b51818e25e46eb17208.exe | wermgr.exe |
  | PID 2740 wrote to memory of 1300 | 2740 | bf17900c0dc35b51818e25e46eb17208.exe | wermgr.exe |
  | PID 2740 wrote to memory of 1300 | 2740 | bf17900c0dc35b51818e25e46eb17208.exe | wermgr.exe |
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\bf17900c0dc35b51818e25e46eb17208.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf17900c0dc35b51818e25e46eb17208.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of process 1)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
| memory dump | filesize |
|---|---|
| memory/1300-164-0x00000000000F0000-0x0000000000114000-memory.dmp | 144KB |
| memory/1300-166-0x00000000000F0000-0x0000000000114000-memory.dmp | 144KB |
| memory/2740-3-0x0000000000360000-0x0000000000392000-memory.dmp | 200KB |
| memory/2740-8-0x0000000001E90000-0x0000000001EBF000-memory.dmp | 188KB |
| memory/2740-7-0x0000000000250000-0x0000000000280000-memory.dmp | 192KB |
| memory/2740-11-0x00000000003D0000-0x00000000003FE000-memory.dmp | 184KB |
| memory/2740-9-0x0000000001E90000-0x0000000001EBF000-memory.dmp | 188KB |
| memory/2740-90-0x0000000001E90000-0x0000000001EBF000-memory.dmp | 188KB |
| memory/2740-162-0x0000000000280000-0x0000000000281000-memory.dmp | 4KB |
| memory/2740-163-0x0000000010000000-0x0000000010003000-memory.dmp | 12KB |
| memory/2740-165-0x0000000010000000-0x0000000010003000-memory.dmp | 12KB |
| memory/2740-167-0x0000000001E90000-0x0000000001EBF000-memory.dmp | 188KB |