d8d25028c5aa7d69857170924d3da52d3ce81a88f410ae7063d4ac3d749bcdf8

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 07:43

Target

SantaBox.exe
Size

198KB
MD5

410f23430bf8374110d812338923f8af
SHA1

10adf6e61f75af9a6b4bb869bdb62263d6ba10fa
SHA256

d8d25028c5aa7d69857170924d3da52d3ce81a88f410ae7063d4ac3d749bcdf8
SHA512

0e24a9944d98e9ca10df68892117ad38bccdc0660054d5b19d9ef41e9093d8ca1f90cd68b068484af61de41c6899e21940a8e549291587757dc395befe0464a1
SSDEEP

3072:LI3HAc7qfuIIWRPx3CRb9lP8C6hpzATCrNzOKLYbBgoQsCGmiEGnplFHDQNEYBM6:E3gc7q2E3eP16nTpzOK8aoyQzsNtBM

Score

7^/10

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1448-0-0x00000000002D0000-0x0000000000308000-memory.dmp	net_reactor

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	1448	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1092	1448	SantaBox.exe	28
PID 1448 wrote to memory of 1092	1448	SantaBox.exe	28
PID 1448 wrote to memory of 1092	1448	SantaBox.exe	28
PID 1448 wrote to memory of 1092	1448	SantaBox.exe	28

C:\Users\Admin\AppData\Local\Temp\SantaBox.exe
"C:\Users\Admin\AppData\Local\Temp\SantaBox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 536
  2⤵
  - Program crash
  PID:1092

memory/1448-0-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/1448-1-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-2-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download