Analysis
-
max time kernel
91s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/12/2024, 02:50
Behavioral task
behavioral1
Sample
DLL/IA2Marshal.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DLL/IA2Marshal.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
DLL/freebl3.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
DLL/freebl3.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Installer.exe
Resource
win7-20240729-en
General
-
Target
Installer.exe
-
Size
750.0MB
-
MD5
bb7d09d439c53be91a9d4202bc72a02c
-
SHA1
ec25d0f32b173d8320f701327034c03fcb3dfe96
-
SHA256
41fc449d947ab44170ca0acd8b63632ffcc690b3351fd3eb0fe0b72bd0061460
-
SHA512
6aea9f3aaab084b7eb2aa6148766249008a9b2b82735c8a66b4eb5ef8a52f77b4702186c0625d69db2a3ac8be9ceee81659c8bf7713acae4a9685350ec762d93
-
SSDEEP
3072:5aF6E9Ko9XPIYaKhzxlIFh1bhfZyHXMcf9618SEgxHhM1Zh/g:5hUKolPCKZxifZoMyY15e
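The digests above are the only durable identifiers for this sample, so the first thing to do with a copy pulled from another source is re-hash it and compare against all four. The script below is an added example, not part of the sandbox report or its tooling: it streams the file once in fixed-size chunks (the target is 750 MB, so it must not be read into memory whole), feeds every chunk to all four hashers, and reports a per-algorithm match table. The `REPORT_DIGESTS` values are copied from the General section; the chunk size and the `hash_bytes` helper used for self-testing are this example's own choices.

```python
"""Added example (not part of the sandbox report): stream a sample once,
compute the four digests the report lists, and compare them against the
recorded values. Chunked reads matter because the target is 750 MB."""
import hashlib
import io
from typing import BinaryIO, Dict

# Digests of Installer.exe exactly as recorded in the General section above.
REPORT_DIGESTS: Dict[str, str] = {
    "md5": "bb7d09d439c53be91a9d4202bc72a02c",
    "sha1": "ec25d0f32b173d8320f701327034c03fcb3dfe96",
    "sha256": "41fc449d947ab44170ca0acd8b63632ffcc690b3351fd3eb0fe0b72bd0061460",
    "sha512": (
        "6aea9f3aaab084b7eb2aa6148766249008a9b2b82735c8a66b4eb5ef8a52f77b"
        "4702186c0625d69db2a3ac8be9ceee81659c8bf7713acae4a9685350ec762d93"
    ),
}

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read (assumed); never load the whole sample


def multi_hash(stream: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Dict[str, str]:
    """Single pass over `stream`, feeding each chunk to all four hashers.

    Returns lowercase hex digests keyed by algorithm name.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return multi_hash(io.BytesIO(data), chunk_size)


def compare_digests(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match table; an algorithm missing from `actual` is a mismatch.

    Comparison is case-insensitive because tools differ in hex casing, but it is
    a full-string comparison: a truncated digest must never count as a match.
    """
    return {
        algo: actual.get(algo, "").lower() == digest.lower()
        for algo, digest in expected.items()
    }


def verify_sample(path: str, expected: Dict[str, str] = REPORT_DIGESTS) -> bool:
    """True only if every algorithm in `expected` matches the file at `path`."""
    with open(path, "rb") as f:
        return all(compare_digests(multi_hash(f), expected).values())


if __name__ == "__main__":
    import sys

    for p in sys.argv[1:]:
        with open(p, "rb") as f:
            digests = multi_hash(f)
        for algo, ok in compare_digests(digests, REPORT_DIGESTS).items():
            print(f"{p}: {algo:6} {digests[algo]} {'MATCH' if ok else 'MISMATCH'}")
```

Run it as `python verify.py Installer.exe`; a mismatch on any one algorithm means you are not looking at the file this report describes, whatever the filename says.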
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid: 5080, Process: Installer.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource: behavioral6/memory/5080-1-0x0000000000B10000-0x0000000000B38000-memory.dmp, yara_rule: agile_net
-
Program crash 1 IoCs
pid: 1704, pid_target: 5080, Process: WerFault.exe, procid_target: 80
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: Installer.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege, pid: 5080, Process: Installer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  PID: 5080
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1728
    PID: 1704
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5080 -ip 5080
  PID: 3052
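The three behavioural signatures and the process tree above are straightforward to re-derive from raw process, token and registry events, and doing so makes the report's attribution explicit: the "Program crash" IoC is attributed to PID 5080 (the sample), not to the WerFault.exe process that actually appears in the tree, because WerFault's `-p <pid>` argument names the faulting process. The block below is an added example, not the sandbox's own detection code. Its event list is constructed to mirror the Processes and Signatures sections (the parent PIDs 1234 and 900 and the event field names are assumptions, not a real Sysmon or ETW format). Two details worth noting: the registry match accepts any ControlSet under SYSTEM, since `ControlSet001` is what `CurrentControlSet` resolves to on this image; and the `NLS\Language` key is also read by benign software during locale initialisation, so on its own this signature is weak evidence and is best read alongside the token and crash events.

```python
"""Added example (not the sandbox's own detection code): re-derive the three
behavioural signatures from a constructed event list and rebuild the process
tree, linking each WerFault.exe instance back to the pid named by its -p flag."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed events (not a real Sysmon/ETW export) mirroring the Processes and
# Signatures sections of the report. ppid values 1234 and 900 are assumed.
EVENTS: List[dict] = [
    {"type": "process_start", "pid": 5080, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Installer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Installer.exe"'},
    {"type": "token_adjust", "pid": 5080, "privilege": "SeDebugPrivilege"},
    {"type": "reg_open", "pid": 5080,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process_start", "pid": 1704, "ppid": 5080,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1728"},
    {"type": "process_start", "pid": 3052, "ppid": 900,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5080 -ip 5080"},
]

# Any control set (ControlSet001, ControlSet002, CurrentControlSet) ending in ...\Control\NLS\Language.
NLS_LANGUAGE_KEY = re.compile(r"\\SYSTEM\\[^\\]+\\Control\\NLS\\Language$", re.IGNORECASE)
# WerFault's "-p <pid>" names the faulting process. "-pss" must not be mistaken for "-p".
WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def werfault_target(cmdline: str) -> Optional[int]:
    """Return the pid named by WerFault's -p flag, or None if there is none."""
    m = WERFAULT_TARGET.search(cmdline)
    return int(m.group(1)) if m else None


def process_names(events: List[dict]) -> Dict[int, str]:
    """pid -> image basename, in start order."""
    return {e["pid"]: e["image"].rsplit("\\", 1)[-1]
            for e in events if e["type"] == "process_start"}


def run_signatures(events: List[dict]) -> List[Tuple[str, int, str]]:
    """Return (signature, pid, ioc) triples in the order they trigger."""
    names = process_names(events)
    hits: List[Tuple[str, int, str]] = []
    crashed = set()
    for e in events:
        if e["type"] == "reg_open" and NLS_LANGUAGE_KEY.search(e["key"]):
            hits.append(("System Location Discovery: System Language Discovery", e["pid"], e["key"]))
        elif e["type"] == "token_adjust" and e["privilege"] == "SeDebugPrivilege":
            hits.append(("Suspicious use of AdjustPrivilegeToken", e["pid"], e["privilege"]))
        elif e["type"] == "process_start" and e["image"].lower().endswith("\\werfault.exe"):
            target = werfault_target(e["cmdline"])
            # Both WerFault instances name pid 5080; report one crash, attributed to the faulting pid.
            if target is not None and target not in crashed:
                crashed.add(target)
                hits.append(("Program crash", target, names.get(target, "<unknown>")))
    return hits


def process_tree(events: List[dict]) -> Dict[int, List[int]]:
    """ppid -> [child pids], so the WerFault child of 5080 is visible."""
    tree: Dict[int, List[int]] = {}
    for e in events:
        if e["type"] == "process_start":
            tree.setdefault(e["ppid"], []).append(e["pid"])
    return tree


def render_tree(events: List[dict]) -> List[str]:
    """Indented tree like the report's Processes section; roots are pids whose parent was not observed."""
    names = process_names(events)
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_start"}
    tree = process_tree(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names[pid]} (PID {pid})")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    for pid in names:
        if parents[pid] not in names:
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    for sig, pid, ioc in run_signatures(EVENTS):
        print(f"{sig:55} pid={pid} ioc={ioc}")
    print("\n".join(render_tree(EVENTS)))
```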
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 88KB
MD5: dfbb922abc575559fe4d9d7f2fd0d7b6
SHA1: 17794751e3e258067b862a75f07fd62fcfd7a154
SHA256: d2280254594d3e51d2616a960491b65b4f057aea7208a7eef7310c52ee95a6c2
SHA512: a4f2e8f825ad1f291d6448a30ee08eef062d664986d22b7fde818aeceb94d4a052e86e091b3e940ea7707807c1b97190958c3cc17791ae3680de3056c49f2f52