Analysis

  • max time kernel
    91s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 02:50

General

  • Target

    Installer.exe

  • Size

    750.0MB

  • MD5

    bb7d09d439c53be91a9d4202bc72a02c

  • SHA1

    ec25d0f32b173d8320f701327034c03fcb3dfe96

  • SHA256

    41fc449d947ab44170ca0acd8b63632ffcc690b3351fd3eb0fe0b72bd0061460

  • SHA512

    6aea9f3aaab084b7eb2aa6148766249008a9b2b82735c8a66b4eb5ef8a52f77b4702186c0625d69db2a3ac8be9ceee81659c8bf7713acae4a9685350ec762d93

  • SSDEEP

    3072:5aF6E9Ko9XPIYaKhzxlIFh1bhfZyHXMcf9618SEgxHhM1Zh/g:5hUKolPCKZxifZoMyY15e

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:5080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1728
      2⤵
      • Program crash
      PID:1704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5080 -ip 5080
    1⤵
      PID:3052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\df077ad1-1a58-4579-91f0-e17cef744ccf\Module.dll

      Filesize

      88KB

      MD5

      dfbb922abc575559fe4d9d7f2fd0d7b6

      SHA1

      17794751e3e258067b862a75f07fd62fcfd7a154

      SHA256

      d2280254594d3e51d2616a960491b65b4f057aea7208a7eef7310c52ee95a6c2

      SHA512

      a4f2e8f825ad1f291d6448a30ee08eef062d664986d22b7fde818aeceb94d4a052e86e091b3e940ea7707807c1b97190958c3cc17791ae3680de3056c49f2f52

    • memory/5080-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

      Filesize

      4KB

    • memory/5080-1-0x0000000000B10000-0x0000000000B38000-memory.dmp

      Filesize

      160KB

    • memory/5080-9-0x0000000073900000-0x0000000073989000-memory.dmp

      Filesize

      548KB

    • memory/5080-10-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB

    • memory/5080-11-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

      Filesize

      4KB

    • memory/5080-12-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB

    • memory/5080-13-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB