8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0

Analysis

max time kernel
143s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bunifu.UI.WinForms.BunifuFormDock.dll
Size

102KB
MD5

fff8d46f94011c5bfa4bc1d1fbde3eaa
SHA1

c5e978eb89e9646423c3b2a1d7d2651cdbee90f0
SHA256

f8052b4641fea785ef643bc06d0e5383555c0845bbe695099bc41ab09a180ef6
SHA512

61af0253c05bd33d43d34799eb74d97ae9e3e700281273895026d690f39e3de97034ee51511284a4b6a4150d31977f7ac6fbf4047aa19825564a15eae8be079a
SSDEEP

3072:wVypYUOJdOb8UD8m1PxGFXflE2BHjvZKDq6CN:wVypYUSXdbBjvZKDq1N

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral10/memory/368-2-0x000001A24B6B0000-0x000001A24B6D0000-memory.dmp	agile_net
behavioral10/memory/368-3-0x000001A24B6D0000-0x000001A24B6F0000-memory.dmp	agile_net
behavioral10/memory/368-4-0x000001A265770000-0x000001A2657DE000-memory.dmp	agile_net
behavioral10/memory/368-7-0x000001A24CFC0000-0x000001A24CFD0000-memory.dmp	agile_net
behavioral10/memory/368-6-0x000001A2659E0000-0x000001A265A3A000-memory.dmp	agile_net
behavioral10/memory/368-5-0x000001A24B6F0000-0x000001A24B6FE000-memory.dmp	agile_net
behavioral10/memory/368-8-0x000001A2656D0000-0x000001A2656EE000-memory.dmp	agile_net
behavioral10/memory/368-10-0x000001A265B90000-0x000001A265CDA000-memory.dmp	agile_net

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Umbral.builder.exe

pid	process
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe
368	Umbral.builder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Umbral.builder.exe

description pid process

Token: SeDebugPrivilege 368 Umbral.builder.exe

description	pid	process
Token: SeDebugPrivilege	368	Umbral.builder.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bunifu.UI.WinForms.BunifuFormDock.dll,#1
1⤵
PID:5004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-0-0x00007FF83FC33000-0x00007FF83FC35000-memory.dmp

Filesize
8KB

Download
memory/368-1-0x000001A24B220000-0x000001A24B242000-memory.dmp

Filesize
136KB

Download
memory/368-2-0x000001A24B6B0000-0x000001A24B6D0000-memory.dmp

Filesize
128KB

Download
memory/368-3-0x000001A24B6D0000-0x000001A24B6F0000-memory.dmp

Filesize
128KB

Download
memory/368-4-0x000001A265770000-0x000001A2657DE000-memory.dmp

Filesize
440KB

Download
memory/368-7-0x000001A24CFC0000-0x000001A24CFD0000-memory.dmp

Filesize
64KB

Download
memory/368-6-0x000001A2659E0000-0x000001A265A3A000-memory.dmp

Filesize
360KB

Download
memory/368-5-0x000001A24B6F0000-0x000001A24B6FE000-memory.dmp

Filesize
56KB

Download
memory/368-8-0x000001A2656D0000-0x000001A2656EE000-memory.dmp

Filesize
120KB

Download
memory/368-9-0x00007FF83FC30000-0x00007FF8406F1000-memory.dmp

Filesize
10.8MB

Download
memory/368-10-0x000001A265B90000-0x000001A265CDA000-memory.dmp

Filesize
1.3MB

Download
memory/368-11-0x000001A265A40000-0x000001A265B56000-memory.dmp

Filesize
1.1MB

Download
memory/368-12-0x000001A24CFD0000-0x000001A24D000000-memory.dmp

Filesize
192KB

Download
memory/368-13-0x00007FF83FC30000-0x00007FF8406F1000-memory.dmp

Filesize
10.8MB

Download
memory/368-14-0x00007FF83FC30000-0x00007FF8406F1000-memory.dmp

Filesize
10.8MB

Download
memory/368-15-0x00007FF83FC33000-0x00007FF83FC35000-memory.dmp

Filesize
8KB

Download
memory/368-16-0x00007FF83FC30000-0x00007FF8406F1000-memory.dmp

Filesize
10.8MB

Download
memory/368-17-0x00007FF83FC30000-0x00007FF8406F1000-memory.dmp

Filesize
10.8MB

Download
memory/368-18-0x00007FF83FC30000-0x00007FF8406F1000-memory.dmp

Filesize
10.8MB

Download