b9bbb255f94436d22dbbcaa5a1493162e3bee1dd143109d2864136136cb30813

Analysis

max time kernel
56s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xClientcrypt.exe
Size

1.6MB
MD5

2af36b688493efeccf83eb290ef85c13
SHA1

38e104c47b85e258f893e49d92221cc54a33d992
SHA256

b9bbb255f94436d22dbbcaa5a1493162e3bee1dd143109d2864136136cb30813
SHA512

d7e715fdd6d53cf1172c2479cac5ba9fde15ae573612c41fd49e2a08034e36ff18058c0d1f8c3322d903d74a84f5c3f4de876d52e8faa969ffae692c23c48885
SSDEEP

49152:rkQTA33tHV9yesrAWm77KrX9mnJijcZ2JbpQIu:ranlyes8WmuraijK2RpQIu

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 33 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1188-137-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-139-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-142-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-144-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-146-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-148-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-150-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-152-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-154-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-156-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-158-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-160-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-162-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-164-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-166-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-168-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-170-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-172-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-174-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-176-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-178-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-180-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-182-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-184-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-186-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-188-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-190-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-192-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-194-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-196-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-198-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-200-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor
behavioral1/memory/1188-202-0x0000000004F30000-0x00000000050E3000-memory.dmp	net_reactor

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4116	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	xClientcrypt.exe

C:\Users\Admin\AppData\Local\Temp\xClientcrypt.exe
"C:\Users\Admin\AppData\Local\Temp\xClientcrypt.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SearchWatch.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-133-0x00000000052B0000-0x0000000005854000-memory.dmp

Filesize
5.6MB

Download
memory/1188-134-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/1188-135-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-137-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-139-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-140-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-138-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-142-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-136-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-144-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-146-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-148-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-150-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-152-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-154-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-156-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-158-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-160-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-162-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-164-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-166-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-168-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-170-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-172-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-174-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-176-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-178-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-180-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-182-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-184-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-186-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-188-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-190-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-192-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-194-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-196-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-198-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-200-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-202-0x0000000004F30000-0x00000000050E3000-memory.dmp

Filesize
1.7MB

Download
memory/1188-791-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-792-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-794-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-797-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1188-3957-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download