91c3b2b0be1ba25c0234fed681c1506e6396624d019c4e8626da7fd7d55c3694

Analysis

max time kernel
144s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ykuBL9i61d.exe
Size

729KB
MD5

5a6e2372cf092d16435162af7b23de62
SHA1

e4c1e54aca0eacc3675bd7db4ec92f11979aefcb
SHA256

91c3b2b0be1ba25c0234fed681c1506e6396624d019c4e8626da7fd7d55c3694
SHA512

d5029c0e6d31d9e8526e7ef3cd28743c45ae0971bbc642bcbb73e8a9f99a5dc6174598542e93b49bb38651a0c11dc3e9fe0fc759e40a0e5564cb5e7ef29dbb60
SSDEEP

12288:srto7EbSb958GjpjDK4i0oAGqj+3hPebgB2iFnDT+bKOwONz5J5JrRjH:srtoYbSb958gjugoAGZhPGgIubAd9Jrd

Score

7^/10

collection

Malware Config

Signatures

.NET Reactor proctector 31 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/5004-144-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-145-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-147-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-149-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-151-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-153-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-155-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-157-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-159-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-161-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-163-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-165-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-167-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-169-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-171-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-173-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-175-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-177-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-179-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-181-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-183-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-185-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-187-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-189-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-191-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-193-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-195-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-197-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-199-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-201-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor
behavioral2/memory/5004-203-0x0000000005840000-0x00000000058D9000-memory.dmp	net_reactor

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ykuBL9i61d.exe

description pid process target process

PID 772 set thread context of 5004 772 ykuBL9i61d.exe AddInProcess32.exe

description	pid	process	target process
PID 772 set thread context of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

ykuBL9i61d.exe

pid	process
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe
772	ykuBL9i61d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ykuBL9i61d.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 772 ykuBL9i61d.exe
Token: SeDebugPrivilege 5004 AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	772	ykuBL9i61d.exe
Token: SeDebugPrivilege	5004	AddInProcess32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ykuBL9i61d.exe

description	pid	process	target process
PID 772 wrote to memory of 848	772	ykuBL9i61d.exe	CasPol.exe
PID 772 wrote to memory of 848	772	ykuBL9i61d.exe	CasPol.exe
PID 772 wrote to memory of 752	772	ykuBL9i61d.exe	aspnet_state.exe
PID 772 wrote to memory of 752	772	ykuBL9i61d.exe	aspnet_state.exe
PID 772 wrote to memory of 1456	772	ykuBL9i61d.exe	cvtres.exe
PID 772 wrote to memory of 1456	772	ykuBL9i61d.exe	cvtres.exe
PID 772 wrote to memory of 3848	772	ykuBL9i61d.exe	EdmGen.exe
PID 772 wrote to memory of 3848	772	ykuBL9i61d.exe	EdmGen.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe
PID 772 wrote to memory of 5004	772	ykuBL9i61d.exe	AddInProcess32.exe

outlook_office_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

outlook_win_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\ykuBL9i61d.exe
"C:\Users\Admin\AppData\Local\Temp\ykuBL9i61d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:3848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-133-0x000001FAD52D0000-0x000001FAD538A000-memory.dmp

Filesize
744KB

Download
memory/772-134-0x000001FAF0210000-0x000001FAF0220000-memory.dmp

Filesize
64KB

Download
memory/5004-135-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5004-137-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5004-138-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5004-139-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5004-140-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/5004-142-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/5004-141-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/5004-143-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/5004-144-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-145-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-147-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-149-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-151-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-153-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-155-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-157-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-159-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-161-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-163-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-165-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-167-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-169-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-171-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-173-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-175-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-177-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-179-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-181-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-183-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-185-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-187-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-189-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-191-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-193-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-195-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-197-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-199-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-201-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-203-0x0000000005840000-0x00000000058D9000-memory.dmp

Filesize
612KB

Download
memory/5004-2080-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/5004-2082-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/5004-3420-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/5004-3421-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/5004-3422-0x0000000006A50000-0x0000000006AE2000-memory.dmp

Filesize
584KB

Download
memory/5004-3423-0x0000000006A10000-0x0000000006A1A000-memory.dmp

Filesize
40KB

Download
memory/5004-3424-0x0000000006C60000-0x0000000006CB0000-memory.dmp

Filesize
320KB

Download
memory/5004-3425-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download