Analysis
Max time kernel: 120s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 25/12/2024, 02:50
Behavioral tasks
behavioral1: Sample DLL/IA2Marshal.dll; Resource win7-20240903-en
behavioral2: Sample DLL/IA2Marshal.dll; Resource win10v2004-20241007-en
behavioral3: Sample DLL/freebl3.dll; Resource win7-20240903-en
behavioral4: Sample DLL/freebl3.dll; Resource win10v2004-20241007-en
behavioral5: Sample Installer.exe; Resource win7-20240729-en
General
Target: Installer.exe
Size: 750.0MB
MD5: bb7d09d439c53be91a9d4202bc72a02c
SHA1: ec25d0f32b173d8320f701327034c03fcb3dfe96
SHA256: 41fc449d947ab44170ca0acd8b63632ffcc690b3351fd3eb0fe0b72bd0061460
SHA512: 6aea9f3aaab084b7eb2aa6148766249008a9b2b82735c8a66b4eb5ef8a52f77b4702186c0625d69db2a3ac8be9ceee81659c8bf7713acae4a9685350ec762d93
SSDEEP: 3072:5aF6E9Ko9XPIYaKhzxlIFh1bhfZyHXMcf9618SEgxHhM1Zh/g:5hUKolPCKZxifZoMyY15e
Malware Config

Signatures

Loads dropped DLL (1 IoC)
  PID 2756; Process Installer.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral5/memory/2756-1-0x00000000013A0000-0x00000000013C8000-memory.dmp; YARA rule: agile_net

Program crash (1 IoC)
  PID 1896; pid_target 2756; Process WerFault.exe; procid_target 30

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description: Key opened; IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: Installer.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege; PID 2756; Process Installer.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description: PID 2756 wrote to memory of 1896; PID 2756; Process Installer.exe; procid_target 31 (four identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Installer.exe (PID 2756)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
   Signatures:
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe (PID 1896, child of 2756)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1276
      Signatures:
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: dfbb922abc575559fe4d9d7f2fd0d7b6
SHA1: 17794751e3e258067b862a75f07fd62fcfd7a154
SHA256: d2280254594d3e51d2616a960491b65b4f057aea7208a7eef7310c52ee95a6c2
SHA512: a4f2e8f825ad1f291d6448a30ee08eef062d664986d22b7fde818aeceb94d4a052e86e091b3e940ea7707807c1b97190958c3cc17791ae3680de3056c49f2f52