Analysis
max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 21:52
Static task: static1
Behavioral task: behavioral1
Sample: cf2a89e27ffdb1441bc84d1bda960054.exe
Resource: win7-20240221-en
General
Target: cf2a89e27ffdb1441bc84d1bda960054.exe
Size: 244KB
MD5: cf2a89e27ffdb1441bc84d1bda960054
SHA1: 8d2fdf83dd325ce164082901723fe2675c605c31
SHA256: c589d74bf8ceb9c413dcfe36fab5cb3b9af13f1ae0a1659b4db318cca299e60a
SHA512: 88f18be465b8aa33c4f25c2aecad61515be2c6a65202e78089785a182a742e8784470ef06acc3fa20c45fe520a739b8d45a75809edd64a254d492b96759b0423
SSDEEP: 3072:O3qrAujDQRuyCX/zidnB4VHqmx9pahr6G5eky7gO1hK/EuVRKlbIrFb1qIsFGPBr:O3yqRm0BwHqmx9pW6u6gAXuTKMXqW85E
Malware Config
Signatures

- Dave packer (2 IoCs)
  Detects an executable packed with the packer the community calls 'Dave', based on a string at the end.
  resource | yara_rule
  behavioral1/memory/2928-0-0x0000000000270000-0x000000000029D000-memory.dmp | dave
  behavioral1/memory/2928-5-0x00000000001C0000-0x00000000001EB000-memory.dmp | dave

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  2928 | cf2a89e27ffdb1441bc84d1bda960054.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1668 | wermgr.exe
  Token: SeDebugPrivilege | 1668 | wermgr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 2928 wrote to memory of 1668 | 2928 | cf2a89e27ffdb1441bc84d1bda960054.exe | wermgr.exe
  PID 2928 wrote to memory of 1668 | 2928 | cf2a89e27ffdb1441bc84d1bda960054.exe | wermgr.exe
  PID 2928 wrote to memory of 1668 | 2928 | cf2a89e27ffdb1441bc84d1bda960054.exe | wermgr.exe
  PID 2928 wrote to memory of 1668 | 2928 | cf2a89e27ffdb1441bc84d1bda960054.exe | wermgr.exe
  PID 2928 wrote to memory of 1668 | 2928 | cf2a89e27ffdb1441bc84d1bda960054.exe | wermgr.exe
  PID 2928 wrote to memory of 1668 | 2928 | cf2a89e27ffdb1441bc84d1bda960054.exe | wermgr.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
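Read together, the WriteProcessMemory and AdjustPrivilegeToken signatures describe one chain: the sample, running from the user's Temp directory, writes six times into wermgr.exe (a Windows system binary), and wermgr.exe then enables SeDebugPrivilege. That ordering is what a detection should key on, not either signature alone. The check below is an added example written for this page, not a rule from the sandbox; the Event class, the list names (USER_WRITABLE_DIRS, SYSTEM_DIRS) and find_injection_chains are this example's own, and the event stream is constructed to mirror the pid/process/target columns of the tables above, with one unrelated svchost.exe row added as noise.

```python
"""Correlate two of the report's signatures into one finding.

The report shows PID 2928 (the sample, running from %TEMP%) writing six times
into PID 1668 (wermgr.exe, a Windows system binary), after which wermgr.exe
enables SeDebugPrivilege. Taken together that is the shape of process
injection into a trusted host process. The Event class, the record values and
the function names below are constructed for this example, not exported from
the sandbox.
"""
from collections import defaultdict
from dataclasses import dataclass

# Locations a dropper typically runs from, and the directories of trusted
# Windows binaries that make attractive injection targets (example lists).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Event:
    """One row of the kind the report's signature tables show."""
    kind: str                 # "Process", "WriteProcessMemory" or "AdjustPrivilegeToken"
    pid: int
    image: str
    target_pid: int = 0       # WriteProcessMemory only
    target_image: str = ""    # WriteProcessMemory only
    privilege: str = ""       # AdjustPrivilegeToken only


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cf2a89e27ffdb1441bc84d1bda960054.exe"
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed event stream mirroring the report: six writes from 2928 into
# 1668, then two SeDebugPrivilege adjustments by 1668. The svchost.exe row is
# noise: it enables the same privilege, but nobody wrote into it.
SAMPLE_EVENTS = (
    [Event("Process", 2928, SAMPLE), Event("Process", 1668, WERMGR)]
    + [Event("WriteProcessMemory", 2928, SAMPLE, target_pid=1668, target_image=WERMGR)] * 6
    + [Event("AdjustPrivilegeToken", 1668, WERMGR, privilege="SeDebugPrivilege")] * 2
    + [Event("AdjustPrivilegeToken", 1800, r"C:\Windows\system32\svchost.exe",
             privilege="SeDebugPrivilege")]
)


def _from_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_DIRS)


def _is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_injection_chains(events):
    """Return one finding per (writer, target) pair where a process running
    from a user-writable directory wrote into a system binary that later
    enabled SeDebugPrivilege. Order matters: a privilege adjustment only
    counts if at least one write into that process preceded it."""
    images = {}                          # pid -> image path
    writes = defaultdict(int)            # (writer_pid, target_pid) -> writes seen so far
    findings = {}                        # (writer_pid, target_pid) -> finding
    for ev in events:
        images.setdefault(ev.pid, ev.image)
        if ev.kind == "WriteProcessMemory":
            images.setdefault(ev.target_pid, ev.target_image)
            writes[(ev.pid, ev.target_pid)] += 1
        elif ev.kind == "AdjustPrivilegeToken" and ev.privilege == "SeDebugPrivilege":
            for (writer, target), n_writes in writes.items():
                if target != ev.pid:
                    continue
                if not (_from_user_writable(images[writer]) and _is_system_binary(images[target])):
                    continue
                finding = findings.setdefault((writer, target), {
                    "writer_pid": writer, "writer_image": images[writer],
                    "target_pid": target, "target_image": images[target],
                    "writes_before_privilege": n_writes,
                    "privilege_adjustments": 0,
                })
                finding["privilege_adjustments"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_injection_chains(SAMPLE_EVENTS):
        print(finding)
```

On a live endpoint the WriteProcessMemory call itself is not in standard telemetry; the usual stand-in for the write column is Sysmon Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x0020), and the privilege step appears as the target process's own token change. The sandbox gives both columns directly, which is why the report's two tables can be joined as above.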
Processes

- C:\Users\Admin\AppData\Local\Temp\cf2a89e27ffdb1441bc84d1bda960054.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf2a89e27ffdb1441bc84d1bda960054.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe (child in the process tree)
    Command line: C:\Windows\system32\wermgr.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

Memory dumps (file | Filesize):
memory/1668-167-0x0000000000060000-0x000000000007F000-memory.dmp | 124KB
memory/1668-169-0x0000000000060000-0x000000000007F000-memory.dmp | 124KB
memory/2928-0-0x0000000000270000-0x000000000029D000-memory.dmp | 180KB
memory/2928-4-0x00000000004B0000-0x00000000004D9000-memory.dmp | 164KB
memory/2928-5-0x00000000001C0000-0x00000000001EB000-memory.dmp | 172KB
memory/2928-7-0x00000000003B0000-0x00000000003D9000-memory.dmp | 164KB
memory/2928-8-0x00000000004B0000-0x00000000004D9000-memory.dmp | 164KB
memory/2928-165-0x00000000003F0000-0x00000000003F1000-memory.dmp | 4KB
memory/2928-166-0x0000000010000000-0x0000000010003000-memory.dmp | 12KB
memory/2928-168-0x00000000004B0000-0x00000000004D9000-memory.dmp | 164KB
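Each dump name above encodes the process, a sequence index and the dumped address range, so the listing can be checked for consistency (does the listed Filesize match end minus start?) and grouped by process to separate the sample's own regions (PID 2928) from the one region dumped out of wermgr.exe (PID 1668). The parser below is an added example written for this page, not a tool shipped with the sandbox; the name pattern in DUMP_RE is inferred from the ten names listed above, REPORT_DUMPS copies those names and sizes, and the function names are this example's own.

```python
"""Parse the memory-dump listing at the end of the report.

Each dump name encodes the process, a sequence index and the dumped range:
    memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
so the listed Filesize can be cross-checked against end - start and the dumps
grouped by process. The naming pattern is inferred from the names on this
page (assumption); the function names are this example's own.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?:[\w.-]+/)*memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, listed Filesize) pairs copied from the report's Downloads list.
REPORT_DUMPS = [
    ("memory/1668-167-0x0000000000060000-0x000000000007F000-memory.dmp", "124KB"),
    ("memory/1668-169-0x0000000000060000-0x000000000007F000-memory.dmp", "124KB"),
    ("memory/2928-0-0x0000000000270000-0x000000000029D000-memory.dmp", "180KB"),
    ("memory/2928-4-0x00000000004B0000-0x00000000004D9000-memory.dmp", "164KB"),
    ("memory/2928-5-0x00000000001C0000-0x00000000001EB000-memory.dmp", "172KB"),
    ("memory/2928-7-0x00000000003B0000-0x00000000003D9000-memory.dmp", "164KB"),
    ("memory/2928-8-0x00000000004B0000-0x00000000004D9000-memory.dmp", "164KB"),
    ("memory/2928-165-0x00000000003F0000-0x00000000003F1000-memory.dmp", "4KB"),
    ("memory/2928-166-0x0000000010000000-0x0000000010003000-memory.dmp", "12KB"),
    ("memory/2928-168-0x00000000004B0000-0x00000000004D9000-memory.dmp", "164KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, index, start, end and byte size.
    Accepts an optional path prefix such as 'behavioral1/'."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted address range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def parse_size_kb(text):
    """'124KB' -> 124; the report lists sizes in whole kilobytes."""
    m = re.fullmatch(r"\s*(\d+)\s*KB\s*", text)
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1))


def parse_listing(pairs):
    """Parse (name, Filesize) pairs and flag any whose listed size disagrees
    with the address range. All ranges here are page-aligned (multiples of
    0x1000), so the kilobyte comparison is exact."""
    rows = []
    for name, listed in pairs:
        row = parse_dump_name(name)
        row["name"] = name
        row["size_kb"] = parse_size_kb(listed)
        row["size_ok"] = row["size"] == row["size_kb"] * 1024
        rows.append(row)
    return rows


def summarize(rows):
    """Per-PID count of dumps, distinct regions and total listed kilobytes.
    Repeated dumps of one region (0x4B0000-0x4D9000 in 2928 appears three
    times) count once as a region."""
    acc = defaultdict(lambda: {"dumps": 0, "regions": set(), "total_kb": 0})
    for r in rows:
        s = acc[r["pid"]]
        s["dumps"] += 1
        s["regions"].add((r["start"], r["end"]))
        s["total_kb"] += r["size_kb"]
    return {pid: {"dumps": s["dumps"], "distinct_regions": len(s["regions"]),
                  "total_kb": s["total_kb"]} for pid, s in acc.items()}


if __name__ == "__main__":
    rows = parse_listing(REPORT_DUMPS)
    for r in rows:
        print(f"{r['name']}: {r['size']:#x} bytes, listed {r['size_kb']}KB, ok={r['size_ok']}")
    print(summarize(rows))
```

Running it over the listing shows every Filesize agrees with its address range, eight dumps across six distinct regions for the sample and two dumps of a single 124KB region for wermgr.exe, the process the sample wrote into. The two dumps the Dave rule fired on (2928-0 and 2928-5) are both regions of the sample's own process.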