4e2b116b2b07be8dc60364d7f67855815d3761ca853809752eeed3e21b84799b

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Samples/firefox.exe
Size

589KB
MD5

35bc361385c47db32e0ceeec5f132a3b
SHA1

431a3da4a9fb5054328c2e5a8ea260993ac7396c
SHA256

b52d5c780ea22dfd94c821feba507f35e43b3c3f4afbe3df69b12c929ab1894b
SHA512

b10e6bd794fb9ee751786b4d9dbe1474baaf8474b93fbb2f9827e4aab34b836df707fa9a60cb64e009e8f18c60264a8fed1382cc7d7961ce4df4c3e4a46bcb21
SSDEEP

12288:FNbPOCZeDscndmE0fWOzwHJem7OzwHJe0IhfsXn:FNjVeDsGL0fWkwpemIwpel0Xn

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 3600	1748	firefox.exe	85
PID 3600 set thread context of 4396	3600	more.com	89

Loads dropped DLL 1 IoCs

pid	Process
4396	dotNET_Reactor.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1748	firefox.exe
3600	more.com

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1748	firefox.exe
3600	more.com
3600	more.com

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3600	1748	firefox.exe	85
PID 1748 wrote to memory of 3600	1748	firefox.exe	85
PID 1748 wrote to memory of 3600	1748	firefox.exe	85
PID 1748 wrote to memory of 3600	1748	firefox.exe	85
PID 3600 wrote to memory of 4396	3600	more.com	89
PID 3600 wrote to memory of 4396	3600	more.com	89
PID 3600 wrote to memory of 4396	3600	more.com	89
PID 3600 wrote to memory of 4396	3600	more.com	89
PID 3600 wrote to memory of 4396	3600	more.com	89

C:\Users\Admin\AppData\Local\Temp\Samples\firefox.exe
"C:\Users\Admin\AppData\Local\Temp\Samples\firefox.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor.exe
    C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor.exe
    3⤵
    - Loads dropped DLL
    PID:4396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13e090fa

Filesize
886KB

MD5
28b964485da4e34d6937f17e2da35ada

SHA1
5ded5bd7f6a8c79a882c197db89051bf652dc72d

SHA256
f944999703c7c163eae1f3f31b446c6d5c553c65766b316fab314cb7948b7f80

SHA512
259282f2e72433258f24213068e8db766019cadf582ac882cf69607ae033be17e25510736a302d510d5cef424176ad0cdf65ebbe30e8f074cc52899ab189b9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
memory/1748-0-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/1748-1-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/1748-2-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/3600-8-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/3600-10-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/3600-14-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/3600-6-0x00007FFAD8670000-0x00007FFAD8865000-memory.dmp

Filesize
2.0MB

Download
memory/3600-4-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/4396-12-0x0000000074740000-0x0000000075994000-memory.dmp

Filesize
18.3MB

Download
memory/4396-16-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4396-19-0x00007FFAD8670000-0x00007FFAD8865000-memory.dmp

Filesize
2.0MB

Download
memory/4396-20-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download