Analysis

  • max time kernel
    343s
  • max time network
    400s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2023, 09:49

General

  • Target

    NET Reactor v6.9.0.0_fu11/Help/REACTOR_HELP.exe

  • Size

    2.6MB

  • MD5

    db1c91c8d1d7573371cac6a51bf3a1b9

  • SHA1

    291fe96baeeca49fd4271f06b885477de284bf9c

  • SHA256

    a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473

  • SHA512

    da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

  • SSDEEP

    49152:7REPdRPWz0aXp8YttmYTnPFVpqW3LPDt78wqqRL9q2mhUdot8fsgL6WnWNM:72I0opZfTnPJVPDt78wqqlrm6St8fYWz

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTPs, 39 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe
    "C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
      "C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:56733/help/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    ca81a50c990c02ca398de60e3a116493

    SHA1

    4d52d3c57e6bf00709c7ed876882b80836a46557

    SHA256

    a052ddd5ebf8c600db3b6ea4e50559de9e41ebfab9f8a1923ade2cc59bdc175b

    SHA512

    5c2f10f0b9a60c7e68cba903966023c9ec7bf0b4734c6bcc87547f7725067910a71e40bf03dd4d5d0bad13c24a3ce195007351995229cbec46204101bdfe2cfa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b401f24c23d6903707df5da7791592fa

    SHA1

    63aad962834d968b57efc12173091e202b957bb4

    SHA256

    b97ebffb21c3573baa2bbf4596e00d9435696fea0d0e092a0f5fc2f081a64943

    SHA512

    b81e3c53510c4cfda7804f12e6f2086e6709f196584c1e678dccd64bc63e4feca8f08ee09a8630c389866e6b4a0f3df9e05895cef845384f2fdf08af82cb36e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    214fb53cbf3514c3f969860bdacdb476

    SHA1

    2cefdf5e44e8e172d62434bc84358a45ea62da46

    SHA256

    b7cda16aaced4bffcdc8126903feb37d1ec59794f623e05026a051b53b90e630

    SHA512

    8b2d8363c918f69162e0cf38e20f32763f91f5a1186997853590c94da83fb4f38aba0295f686faaa8ff06cc5f7e11a8c5ff3209a05e20932db7f11c3f5df0e47

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    0cdc2246aafc472d22b7acc8db86e1cc

    SHA1

    ce0f10edff355f8838e601c69c16c90af0842be4

    SHA256

    8ad12d104c996abfd66ca956905d67154ba65a6a9262d4e997bbd8a226e941bc

    SHA512

    bed85fec1adf5e7ab3ba9ddaf8d0ab9b0a73e5b1919adb3425d54c4d91a09e4883792deeb6e9168d456dfe87d94cd7f8e75884bbe4b9b3cd9405b047111c7521

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    719fd9c0c656ca6da770072a7cadbdb9

    SHA1

    1e7896556cd928471e6dbc7a12f39b53d013ea98

    SHA256

    70bd75443a6d191e46435c966155c1f356b6149be63c5677c39ec59309c1fc21

    SHA512

    e950e57a12bcb51406c17c9fc063a4d397e3a4b4296ab6b09c3c6a6a3fb310d91a44c682d0980b1d5417ed6dc9a5aad5a390bb2fe3b437cf5de18f8623713f3b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    0968b5ad4e995289ae3478eafdff7ffa

    SHA1

    d5fd59e11addc6707bd0ffbc6da930e59f825683

    SHA256

    f86fc3dd500e6b5f56346c5c6e9f51e7aca4a94c5c85a6467025e4608db0f621

    SHA512

    70d96f96e70b810ec8d875104b25e0f3a535ece34ae1648b7bf37e51e9a248daa021e140b0aace0115b7ff34b864f5409fc28ebd1051688761e59fe4ec1f316f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b90b29dc0c52348d3169ea5d334e013f

    SHA1

    2584d226d1a9c7bb98cc4c7d0bcaa3fc470a00b0

    SHA256

    2edf3715c83082cddcab7bdd907df569ed2f58495d027eeb1dc88825b96f86df

    SHA512

    006a7143858cf981a552942f94ef29515ec703032581b234aaf81d1dc958fe99fb9c2394e2793f977f4ec23e53cfea0467a35785c5bc1187031d6cba2ed8f53e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    61074a5fce61d2997acb99a27fa7df30

    SHA1

    58a92d53124a730aaadfe77c193f35310eca3418

    SHA256

    616e990e2393826df10a9dbe4d9e062fd22c08bcbf547ffa2be71e9ef87b2533

    SHA512

    d3012691f7470d4fde008b6873175c9ed740d87473e44760fab3317ff574fa5c9809b52491f87073f8fe23466f141b21b48f505676cf25eac8947f5cdde88960

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    47303f1f3b6e33ffdcc242663df03e77

    SHA1

    2799911ada594bff0eb7c72b9dab390b11bba5b8

    SHA256

    f0a8ccb9bc4d3c1a1dc510b6db65fa6d4160006eb4be87d1fc4520b1925f2456

    SHA512

    3087a7cde5d6e3a22b931ec419cb9a062862400b24d1d28b1728150e422478e6c88ab23ae7ad4d0ac42abe2174d12be6712516959527e431487b724782836021

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    6af29e6e0571331b60e0f838464ece8c

    SHA1

    932cb5a80581006ad3552f01550932b59e13ac90

    SHA256

    8c105639a027b77b81e252f441c03281fce33cccb2f6a455b6d3f877b95f2ac5

    SHA512

    276c9d0f1392d317cdd11440637130358e29b66c15a226aba3629f132101ad34ce6dbc9e64ce78c1b964c595539130cae2bb1ff51480b0c7b01e4894de342751

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    49fe343f820af75ec461535d25543bc4

    SHA1

    a871f8ffa2b4b92ba49c9b3ce19b7e5e2d4a78f1

    SHA256

    e801a9ac81332420d4d435609198e53365c6926f1c573000243ab4f5302fb0d6

    SHA512

    be075beeca016ba8d1b59a91fc3594564094937b67f3761282292f0d880d7a294b0c7da2a5d33a735a2efb175f7e88e7af32652d5635b1fbf7755295846b0c6b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    f702ea41ed4e23b5c0c074105b3d824b

    SHA1

    1aa99b072dba9a66725305a522ef0b45d28d32b6

    SHA256

    0a0de9cec527a333a8f30093c4e5d76a60d69406e96d14dcee48002aef128d88

    SHA512

    3b7b008e46bd80d8da0ec0817e00358ad5056a52a29d7179859f7dda64f615f8a83a56cec875fcbbba700b0412ba4e200079c261a7d6995864f0b95f208c0da8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    df9be290d94ec2fbb5fffb13a48c58ca

    SHA1

    10142d8f881fb55f3bc614962370f667bdcbd80a

    SHA256

    1b8c8b1ad02354a374beebd84b1b8a793badb0e670e76424b92de05a8e4a3480

    SHA512

    ad7370a2fd6c438ee57463ba8c753ca1d34c794fc9812438156ecd77146c9949b0c5a87e6ae95ae1d17391f5c64388c14cac6cf6bc4ec9f971ca7df5274100af

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    8dd8c69d94181efb00ca493c3349d7d5

    SHA1

    92e0b1b6d5bf2039a03bf9b4d4a0fc68a8184d53

    SHA256

    97dd41783f9c986ec4af081bc698e4ef4c469e646641eca05a4d1fbcb9c74844

    SHA512

    4cfe233fc0f8726d294f294fe198aeda99cf3f9307b33eacf46e292d79e55768c9e84e9c3dc1eef84cddda814b1610425f6f3186a959c180292fa885486974bf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bef80853632f5c93bbc38f7bc730556d

    SHA1

    63339da4449ffc24bd3a52f37e61fc0e04980969

    SHA256

    f3370f9408149e40e3e3ead2d9c0b30a32afbecb95cc4dcaa5593d814e4770a0

    SHA512

    75a6e14fbb7ec14b24e15e3f86ca93e200025958fff0104f0fa244e17befca73f49adb09258c001b8b7948d5dac1a692b258b704b8f23ff069f57e8d8247d4f9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

    Filesize

    8KB

    MD5

    2851e29d97e1e237f7281f3ddedce6d4

    SHA1

    974766e35a81ae1046a929c87d848a0eaf337726

    SHA256

    28972f7b12040aecc8b851723a5f94d078e5cd648a80a34bcd8a60c9d125ac5a

    SHA512

    3a95574c69279e00bfadcf87ca3f44b2eda6be4b667f266b8121138b81e85dec11810797a982d03057cb76da9a6a973ac19f511586b6b11826d293ff1b88ea6c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\reactor[1].ico

    Filesize

    7KB

    MD5

    1399728083fae334b8d8a6de0aebb821

    SHA1

    cf2fb4f60cd53565f787164d8b58e05528250078

    SHA256

    bd98ef83d92712dd1351beeabe7c4223a8ca8ce87ff9d9a5371d006a83578392

    SHA512

    fb3d073edccc36afd8f76568bc027850e2e27c78104cd6c4a6735ee0d40ddf9c349af6bc613dd84f4f1671ea3fb0baa1d7cf7683abc78cc25cc68cc04fae1de9

  • C:\Users\Admin\AppData\Local\Temp\CabF4CC.tmp

    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

  • C:\Users\Admin\AppData\Local\Temp\TarF953.tmp

    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

  • C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

    Filesize

    2.6MB

    MD5

    db1c91c8d1d7573371cac6a51bf3a1b9

    SHA1

    291fe96baeeca49fd4271f06b885477de284bf9c

    SHA256

    a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473

    SHA512

    da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

  • \Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

    Filesize

    2.6MB

    MD5

    db1c91c8d1d7573371cac6a51bf3a1b9

    SHA1

    291fe96baeeca49fd4271f06b885477de284bf9c

    SHA256

    a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473

    SHA512

    da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

  • memory/2480-15-0x0000000000520000-0x0000000000560000-memory.dmp

    Filesize

    256KB

  • memory/2480-14-0x0000000074BC0000-0x00000000752AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2480-12-0x0000000000520000-0x0000000000560000-memory.dmp

    Filesize

    256KB

  • memory/2480-10-0x0000000000180000-0x0000000000422000-memory.dmp

    Filesize

    2.6MB

  • memory/2480-11-0x0000000074BC0000-0x00000000752AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2896-0-0x00000000008B0000-0x0000000000B52000-memory.dmp

    Filesize

    2.6MB

  • memory/2896-9-0x0000000074BC0000-0x00000000752AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2896-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

    Filesize

    6.9MB