Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2024 05:42
- Static task: static1
- Behavioral task: behavioral1
  - Sample: c51ec8e328606ddafdb936bc5d65e524.exe
  - Resource: win7-20240221-en
General
- Target: c51ec8e328606ddafdb936bc5d65e524.exe
- Size: 448KB
- MD5: c51ec8e328606ddafdb936bc5d65e524
- SHA1: f35e90c91aaafae03895d436a3865b2e6fb1c889
- SHA256: 630dd4719397b68ecee7da2350d592eff2705bf89464f651abbeb329166ad5cf
- SHA512: a1e5b5386366954963baefb4f29e0ae9cce0eec42cc3fffef634b8781018d9b65e892ea6058e56fcb10b04a996c25e6d8836b899a20a479fa9bae69367ed4652
- SSDEEP: 12288:QboBb/W9ANGBAFb5i0P6HfewKQLYg0yCxi:4xBAiAHwfzj
Malware Config
Signatures
- Dave packer (2 IoCs)
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  Processes (resource / yara_rule):
  - behavioral1/memory/2512-3-0x0000000000370000-0x00000000003A2000-memory.dmp / dave
  - behavioral1/memory/2512-4-0x0000000000250000-0x0000000000280000-memory.dmp / dave
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 2512 / c51ec8e328606ddafdb936bc5d65e524.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2604 / wermgr.exe
  - Token: SeDebugPrivilege / 2604 / wermgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 2512 wrote to memory of 2604 / 2512 / c51ec8e328606ddafdb936bc5d65e524.exe / wermgr.exe (6 identical entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c51ec8e328606ddafdb936bc5d65e524.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c51ec8e328606ddafdb936bc5d65e524.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (nested under the sample in the process tree)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps / file size)
- memory/2512-3-0x0000000000370000-0x00000000003A2000-memory.dmp: 200KB
- memory/2512-4-0x0000000000250000-0x0000000000280000-memory.dmp: 192KB
- memory/2512-10-0x0000000000280000-0x00000000002AE000-memory.dmp: 184KB
- memory/2512-8-0x00000000003B0000-0x00000000003DF000-memory.dmp: 188KB
- memory/2512-11-0x00000000003B0000-0x00000000003DF000-memory.dmp: 188KB
- memory/2512-74-0x0000000010000000-0x0000000010003000-memory.dmp: 12KB
- memory/2512-73-0x00000000003E0000-0x00000000003E1000-memory.dmp: 4KB
- memory/2512-76-0x00000000003B0000-0x00000000003DF000-memory.dmp: 188KB
- memory/2512-77-0x0000000010000000-0x0000000010003000-memory.dmp: 12KB
- memory/2604-75-0x0000000000060000-0x0000000000084000-memory.dmp: 144KB
- memory/2604-78-0x0000000000060000-0x0000000000084000-memory.dmp: 144KB