9012d01ae4d6db135651b4322c96846544d8e323ecafe5754026f7ea0c320d5e

General

Target

bde9b23fbe4f12e5ff686c17cc9d9490.exe
Size

16.0MB
MD5

bde9b23fbe4f12e5ff686c17cc9d9490
SHA1

f0a99fc9abe817705fcae04ec626abf263ffcc32
SHA256

9012d01ae4d6db135651b4322c96846544d8e323ecafe5754026f7ea0c320d5e
SHA512

6f6fcad5783c4c1ab309f4a8950026fd063de6059f98e24e3b460095a665b2d54168c07c3fd42f0644f002adb3a2f91f80fbabdd852a19205b45c5643e6ddfe1
SSDEEP

98304:J2nlZSn0kF9Eh5euL3iuSr0/r5CBTZ8o0xnbREEwegXnrMOiRwF:AnlZSn0kF9Eh5sr0Ny09bREEweanI6

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/904-54-0x0000000000CC0000-0x0000000001CB4000-memory.dmp	net_reactor

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exebde9b23fbe4f12e5ff686c17cc9d9490.exe

pid	process
1416	powershell.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe
904	bde9b23fbe4f12e5ff686c17cc9d9490.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exebde9b23fbe4f12e5ff686c17cc9d9490.exe

description pid process

Token: SeDebugPrivilege 1416 powershell.exe
Token: SeDebugPrivilege 904 bde9b23fbe4f12e5ff686c17cc9d9490.exe

description	pid	process
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

bde9b23fbe4f12e5ff686c17cc9d9490.exe

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
"C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:476

C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
C:\Users\Admin\AppData\Local\Temp\bde9b23fbe4f12e5ff686c17cc9d9490.exe
2⤵
PID:1224

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-54-0x0000000000CC0000-0x0000000001CB4000-memory.dmp

Filesize
16.0MB

Download
memory/904-55-0x000000001CE00000-0x000000001CE80000-memory.dmp

Filesize
512KB

Download
memory/904-56-0x000000001D2C0000-0x000000001D5BE000-memory.dmp

Filesize
3.0MB

Download
memory/904-57-0x000000001D5C0000-0x000000001D79C000-memory.dmp

Filesize
1.9MB

Download
memory/904-58-0x00000000008F0000-0x0000000000982000-memory.dmp

Filesize
584KB

Download
memory/1416-63-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-65-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-64-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1416-66-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1416-67-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-68-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-69-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-70-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-71-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1416-72-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download

description	pid	process	target process
PID 904 wrote to memory of 1416	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	powershell.exe
PID 904 wrote to memory of 1416	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	powershell.exe
PID 904 wrote to memory of 1416	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	powershell.exe
PID 904 wrote to memory of 632	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 632	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 632	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 2036	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 2036	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 2036	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1296	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1296	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1296	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1288	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1288	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1288	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1480	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1480	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1480	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 956	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 956	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 956	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1004	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1004	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1004	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 916	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 916	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 916	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 476	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 476	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 476	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1224	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1224	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe
PID 904 wrote to memory of 1224	904	bde9b23fbe4f12e5ff686c17cc9d9490.exe	bde9b23fbe4f12e5ff686c17cc9d9490.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads