5c455e1ac195be85dc6f1d528a5796e4132e9cc380d345e2d670488fb0247d86

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 08:37

Target

Client.exe
Size

8.4MB
MD5

b4f79cc7175d2a255998f884bd6a79ef
SHA1

21e94c467fc0e584424d38fe107f7ee467ea05f7
SHA256

5c455e1ac195be85dc6f1d528a5796e4132e9cc380d345e2d670488fb0247d86
SHA512

a74a8b9ce1453423561e06e30b18a8769f8a5bc6b87eb4a598e04946df7cfeda80a54aa01d77591aa9e1ff1504da3e1e14c223d2112753925b0cfe342345d1f9
SSDEEP

98304:mvB2pC6XG4HNkq5UKPhc24Y1/QPldHV7gPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJf:ZcUG4raKu24YY7HV74hV0AD6QgqKRgX

Score

7^/10

agilenet

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Processes:

resource	yara_rule
behavioral1/memory/1676-0-0x0000000000940000-0x00000000011B0000-memory.dmp	agile_net

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Client.exe

description	pid	process	target process
PID 1676 wrote to memory of 2848	1676	Client.exe	WerFault.exe
PID 1676 wrote to memory of 2848	1676	Client.exe	WerFault.exe
PID 1676 wrote to memory of 2848	1676	Client.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1676 -s 504
2⤵
PID:2848

memory/1676-0-0x0000000000940000-0x00000000011B0000-memory.dmp

Filesize
8.4MB

Download
memory/1676-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1676-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download