cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3

General

Target

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe
Size

4.2MB
MD5

1ef35e701432e20e684f81c34d23396f
SHA1

db4dbf0702c2830a4fd5f57b5bb61462864c0859
SHA256

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3
SHA512

5f82b0215846026c32707bcc262616455add416de31aae51b72b025b3642f1854e2e0073324210e0e1d2ba32aee0b4a746ca5d9ef0a245624b7e5c41f12892a7

Score

9^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/388-54-0x0000000000CD0000-0x000000000110E000-memory.dmp	net_reactor

Executes dropped EXE 3 IoCs

Processes:

Sljpqqrmrkm.exeSljpqqrmrkm.exeSljpqqrmrkm.exe

pid process

1984 Sljpqqrmrkm.exe
1424 Sljpqqrmrkm.exe
324 Sljpqqrmrkm.exe
Loads dropped DLL 2 IoCs

Processes:

Sljpqqrmrkm.exeSljpqqrmrkm.exe

pid process

1984 Sljpqqrmrkm.exe
1424 Sljpqqrmrkm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

904 schtasks.exe

pid	process
1984	Sljpqqrmrkm.exe
1424	Sljpqqrmrkm.exe
324	Sljpqqrmrkm.exe

pid	process
1984	Sljpqqrmrkm.exe
1424	Sljpqqrmrkm.exe

pid	process
904	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exeSljpqqrmrkm.execmd.exeSljpqqrmrkm.exe

description	pid	process	target process
PID 388 wrote to memory of 1984	388	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 388 wrote to memory of 1984	388	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 388 wrote to memory of 1984	388	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 388 wrote to memory of 1984	388	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 1984 wrote to memory of 984	1984	Sljpqqrmrkm.exe	cmd.exe
PID 1984 wrote to memory of 984	1984	Sljpqqrmrkm.exe	cmd.exe
PID 1984 wrote to memory of 984	1984	Sljpqqrmrkm.exe	cmd.exe
PID 1984 wrote to memory of 984	1984	Sljpqqrmrkm.exe	cmd.exe
PID 984 wrote to memory of 904	984	cmd.exe	schtasks.exe
PID 984 wrote to memory of 904	984	cmd.exe	schtasks.exe
PID 984 wrote to memory of 904	984	cmd.exe	schtasks.exe
PID 984 wrote to memory of 904	984	cmd.exe	schtasks.exe
PID 1984 wrote to memory of 1424	1984	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1984 wrote to memory of 1424	1984	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1984 wrote to memory of 1424	1984	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1984 wrote to memory of 1424	1984	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1424 wrote to memory of 324	1424	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1424 wrote to memory of 324	1424	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1424 wrote to memory of 324	1424	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe
PID 1424 wrote to memory of 324	1424	Sljpqqrmrkm.exe	Sljpqqrmrkm.exe

C:\Users\Admin\AppData\Local\Temp\cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe
"C:\Users\Admin\AppData\Local\Temp\cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
"C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN BitBuild.exe /XML "C:\Users\Admin\AppData\Local\Temp\29d310674f82412e9cef9c078896a87e.xml"
3⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN BitBuild.exe /XML "C:\Users\Admin\AppData\Local\Temp\29d310674f82412e9cef9c078896a87e.xml"
4⤵
- Creates scheduled task(s)
PID:904

C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
"C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
"C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe"
4⤵
- Executes dropped EXE
PID:324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29d310674f82412e9cef9c078896a87e.xml
Filesize
1KB

MD5
089515ee7640734a96466c18dea2c504

SHA1
741bf48b5f2e1f47e742e5dfd215eea13d6d02dd

SHA256
9e7e2337500b95c47397bc058a9741a9bb96513b0b9740825e64d5154f661366

SHA512
8ee65bcc24e3a5ee54923f1f8fea0f4d1f439d0ed87e0fa737113548c8dca82bcf9fcef25e90c060f23b8d68e159d0aaccb1b3e41c3829a24cf5e58ac26dace8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
memory/324-71-0x0000000000000000-mapping.dmp

Download
memory/324-74-0x000000000045B000-0x0000000000460000-memory.dmp

Filesize
20KB

Download
memory/388-55-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/388-54-0x0000000000CD0000-0x000000000110E000-memory.dmp

Filesize
4.2MB

Download
memory/904-62-0x0000000000000000-mapping.dmp

Download
memory/984-60-0x0000000000000000-mapping.dmp

Download
memory/1424-73-0x000000000037B000-0x0000000000380000-memory.dmp

Filesize
20KB

Download
memory/1424-64-0x0000000000000000-mapping.dmp

Download
memory/1424-68-0x000000000037B000-0x0000000000380000-memory.dmp

Filesize
20KB

Download
memory/1984-66-0x00000000003EB000-0x00000000003F0000-memory.dmp

Filesize
20KB

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/1984-58-0x00000000003EB000-0x00000000003F0000-memory.dmp

Filesize
20KB

Download
memory/1984-61-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads