55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691

Analysis

max time kernel
120s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2023, 23:37

Target

55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe
Size

131KB
MD5

925a33d545b81303f95076ca52264c0a
SHA1

81674cc002e4c98d59480e6365adaa4c4733e170
SHA256

55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691
SHA512

c286defab0a46e3393510d6efd80756fe7495e15fc4980b367ce5f4b718f24e336b474b7f2ff9ed24973d119a0abdebfe43db351b39d40cdf406509b96213f1c
SSDEEP

1536:0kwLskUVwPaELiamqLzBP3og6EoYt9KtL0g6su15vmKWz6ej/Hvc+XHeLjuBwyPH:9wiuJl3og6e9KtQ915ovc+u0wY

Score

7^/10

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/1168-133-0x0000000000E80000-0x0000000000EA6000-memory.dmp	net_reactor

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89
PID 1168 wrote to memory of 4168	1168	55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe	89

C:\Users\Admin\AppData\Local\Temp\55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe
"C:\Users\Admin\AppData\Local\Temp\55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe
  "C:\Users\Admin\AppData\Local\Temp\55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe"
  2⤵
  - Drops startup file
  PID:4168

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\55e1190786eb6c0a8c69827849af9b21ec8ece3936622f9c45ea074f4ee39691.exe.log

Filesize
1KB

MD5
fb3264819f05b468156e37fecd7ca1e7

SHA1
8461be627ec2c21766472ac5a9215204f6cd03d6

SHA256
902e22368b4d29d67c78eb445d67c7e36001a79c7701a1e171a9c7af457a739c

SHA512
ddcb2a199799dc30a5627d6bb2aff30aca350b52e15f574ecc9e9e9e4d388fd1fe808b5fd2a8ea7015c91e369a06f045be455bf070c6d20d8c3b1c06de8ef964

Download Submit
memory/1168-133-0x0000000000E80000-0x0000000000EA6000-memory.dmp

Filesize
152KB

Download
memory/1168-134-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/1168-135-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1168-136-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/1168-137-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1168-138-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/1168-139-0x0000000005B60000-0x0000000005BD6000-memory.dmp

Filesize
472KB

Download
memory/1168-140-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/1168-141-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/4168-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download