Analysis
-
max time kernel
5s -
max time network
1s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
30-08-2024 18:34
Static task
static1
Behavioral task
behavioral1
Sample
luythen-0.5.4.exe
Resource
win7-20240705-en
General
-
Target
luythen-0.5.4.exe
-
Size
2.5MB
-
MD5
5b40e0db4e86ed3666f2ba8eda665c20
-
SHA1
d5d18673b312dba25244e162925fded54e599040
-
SHA256
4edad8582c9e616cfb6b6ef3b968d99dd5ae5f3c8d25eeafaa58e484c8c0956e
-
SHA512
da8d1f1f237e3fa5f21be2529d5c39cad7cb219cc0587b792d96f8d0ce833dbd3009b290bc0411d8c31b64c6d440e58672ea03e084391b3c06357b9eae70e9a9
-
SSDEEP
49152:fkR26rfBsTYLH/L7xVmFCOsaYjUaNsFYlW42h+:f82yZsofL7xbOsBjUaNsv+
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/memory/2064-6-0x0000000004B50000-0x0000000004BD6000-memory.dmp agile_net -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2772 2064 WerFault.exe luythen-0.5.4.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
luythen-0.5.4.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language luythen-0.5.4.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
luythen-0.5.4.exepid process 2064 luythen-0.5.4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
luythen-0.5.4.exedescription pid process Token: SeDebugPrivilege 2064 luythen-0.5.4.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
luythen-0.5.4.exedescription pid process target process PID 2064 wrote to memory of 2772 2064 luythen-0.5.4.exe WerFault.exe PID 2064 wrote to memory of 2772 2064 luythen-0.5.4.exe WerFault.exe PID 2064 wrote to memory of 2772 2064 luythen-0.5.4.exe WerFault.exe PID 2064 wrote to memory of 2772 2064 luythen-0.5.4.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\luythen-0.5.4.exe"C:\Users\Admin\AppData\Local\Temp\luythen-0.5.4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 7602⤵
- Program crash
PID:2772
-