Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 01:01
Static task
static1
Behavioral task
behavioral1
Sample
1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb.exe
Resource
win7-20240903-en
General
-
Target
1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb.exe
-
Size
22.3MB
-
MD5
ddd9abe3b6c165dca62da949ee2f4084
-
SHA1
5fc389f190857fb7f4a55f04037c94404dabf7d5
-
SHA256
1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb
-
SHA512
b838f73cc7fe968346893d93cc8b29a583d5be9f63b4a57fee063390395de5171901ebbdf9ac76afcf0aff2dd3e6555d02a9c9ad66e914704a9be384fa9a9084
-
SSDEEP
393216:qYM4xYPYE4/5jpC1FhK+sQ4oy6OntgiOGIUrc7Cwrc2G/Ui6pBt/a9:9E4F4s3SOOiOdUrcprzG/Ul+
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/4656-33-0x0000000007A50000-0x0000000007A6E000-memory.dmp agile_net behavioral2/memory/4656-34-0x0000000008880000-0x00000000089CA000-memory.dmp agile_net -
Program crash 1 IoCs
pid pid_target Process procid_target 316 4656 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4656 1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb.exe"C:\Users\Admin\AppData\Local\Temp\1efaca81cc2f95850a1d8b1728c866f37f1ce5bc74ff439a1dae9ce5b4e950fb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4656 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 17922⤵
- Program crash
PID:316
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4656 -ip 46561⤵PID:4820