ff0c114c48cf142e42beecc998077c4b42cfa02e5abe6f6d15ca26c9a4ad3abd

Analysis

max time kernel
167s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 06:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.5MB
MD5

45c89e6afa9ed5cd08ff925eebd0c99e
SHA1

f91248ca1378341665efc8053889d69003fcaff9
SHA256

ff0c114c48cf142e42beecc998077c4b42cfa02e5abe6f6d15ca26c9a4ad3abd
SHA512

8099c951a4a6095ea5d42c2084d6b19612dd751c1d4059b4ab80741e135affe06a19ca08a90845a7ea1889be510f74209371e80619dc2169e77806b7d5157683
SSDEEP

49152:5MZ+jZi8BM3FhpsO/a2JzALZg8hM+9aWT67XIYCFXIKpJ4A/hby:2qZi8BGFTsH2Jqo+9akcCFPpJ4/

Score

7^/10

persistence

Malware Config

Signatures

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2660-40-0x0000000000310000-0x0000000000330000-memory.dmp	net_reactor
behavioral1/memory/2660-41-0x0000000000580000-0x000000000059E000-memory.dmp	net_reactor
behavioral1/memory/2660-42-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-43-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-45-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-47-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-49-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-51-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-53-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-55-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-57-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-59-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-61-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-67-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-69-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-71-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-73-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-65-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor
behavioral1/memory/2660-63-0x0000000000580000-0x0000000000598000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
1112	Ck5XR65.exe
1744	SK1fv12.exe
2552	ln5wP75.exe
2660	1il10pQ9.exe

Loads dropped DLL 8 IoCs

pid	Process
2224	file.exe
1112	Ck5XR65.exe
1112	Ck5XR65.exe
1744	SK1fv12.exe
1744	SK1fv12.exe
2552	ln5wP75.exe
2552	ln5wP75.exe
2660	1il10pQ9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ck5XR65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SK1fv12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ln5wP75.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	1il10pQ9.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 2224 wrote to memory of 1112	2224	file.exe	29
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1112 wrote to memory of 1744	1112	Ck5XR65.exe	30
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 1744 wrote to memory of 2552	1744	SK1fv12.exe	31
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32
PID 2552 wrote to memory of 2660	2552	ln5wP75.exe	32

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ck5XR65.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ck5XR65.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK1fv12.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK1fv12.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ln5wP75.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ln5wP75.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1il10pQ9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1il10pQ9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ck5XR65.exe

Filesize
1.4MB

MD5
7afc7101a2ec84b5f592e95c20abe6bb

SHA1
4174fee6bfb14d314d58fcddee3b86693faa30f8

SHA256
0d5206f5052cd632ad4fa18c017748cbad6b940d3919a35a0241a029300960cc

SHA512
1edf04c580da87f07d6cb352345a86a7b5d982d0218de03bd5ba8d482d117254057fc19c5fdb9df960b54cc97825fdd56f3502dd48208dd54eed09801be46e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ck5XR65.exe

Filesize
1.4MB

MD5
7afc7101a2ec84b5f592e95c20abe6bb

SHA1
4174fee6bfb14d314d58fcddee3b86693faa30f8

SHA256
0d5206f5052cd632ad4fa18c017748cbad6b940d3919a35a0241a029300960cc

SHA512
1edf04c580da87f07d6cb352345a86a7b5d982d0218de03bd5ba8d482d117254057fc19c5fdb9df960b54cc97825fdd56f3502dd48208dd54eed09801be46e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK1fv12.exe

Filesize
1006KB

MD5
f301cef1bacdb509b7d944713e9ed293

SHA1
921ff415e41da54c742cd78b4fffb94bcc4d563c

SHA256
56691de54ae2cbf4cda5ae6c662f330c4fe99918f5163d4dd9ca1be6e9884fcf

SHA512
6240955964a8218e021623b3f234f90444b2840ead0b2b45e96605e0e365a2195aefe9fb0451bf334e4fe83e652989b5002ebcd5f97de7d354f1953d41bd9dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK1fv12.exe

Filesize
1006KB

MD5
f301cef1bacdb509b7d944713e9ed293

SHA1
921ff415e41da54c742cd78b4fffb94bcc4d563c

SHA256
56691de54ae2cbf4cda5ae6c662f330c4fe99918f5163d4dd9ca1be6e9884fcf

SHA512
6240955964a8218e021623b3f234f90444b2840ead0b2b45e96605e0e365a2195aefe9fb0451bf334e4fe83e652989b5002ebcd5f97de7d354f1953d41bd9dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ln5wP75.exe

Filesize
621KB

MD5
a41ce950fafaf0195c72ce23aa861516

SHA1
07e7ae4fbd326d5feefc1a079ae1d459626a7841

SHA256
3bb587a309614fe8fe01bd7c060ca4be8d426827eecb07b8119ff651a322f441

SHA512
83ab98d08704dc44f62ae4f84c9859cdc646109c4c86bde6fc0f7d9fdc00d6595843db5efbe8dfe8b820c278fbaa60211288a1cf7b3fd10ac30991af11f64463

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ln5wP75.exe

Filesize
621KB

MD5
a41ce950fafaf0195c72ce23aa861516

SHA1
07e7ae4fbd326d5feefc1a079ae1d459626a7841

SHA256
3bb587a309614fe8fe01bd7c060ca4be8d426827eecb07b8119ff651a322f441

SHA512
83ab98d08704dc44f62ae4f84c9859cdc646109c4c86bde6fc0f7d9fdc00d6595843db5efbe8dfe8b820c278fbaa60211288a1cf7b3fd10ac30991af11f64463

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1il10pQ9.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1il10pQ9.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ck5XR65.exe

Filesize
1.4MB

MD5
7afc7101a2ec84b5f592e95c20abe6bb

SHA1
4174fee6bfb14d314d58fcddee3b86693faa30f8

SHA256
0d5206f5052cd632ad4fa18c017748cbad6b940d3919a35a0241a029300960cc

SHA512
1edf04c580da87f07d6cb352345a86a7b5d982d0218de03bd5ba8d482d117254057fc19c5fdb9df960b54cc97825fdd56f3502dd48208dd54eed09801be46e3c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ck5XR65.exe

Filesize
1.4MB

MD5
7afc7101a2ec84b5f592e95c20abe6bb

SHA1
4174fee6bfb14d314d58fcddee3b86693faa30f8

SHA256
0d5206f5052cd632ad4fa18c017748cbad6b940d3919a35a0241a029300960cc

SHA512
1edf04c580da87f07d6cb352345a86a7b5d982d0218de03bd5ba8d482d117254057fc19c5fdb9df960b54cc97825fdd56f3502dd48208dd54eed09801be46e3c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK1fv12.exe

Filesize
1006KB

MD5
f301cef1bacdb509b7d944713e9ed293

SHA1
921ff415e41da54c742cd78b4fffb94bcc4d563c

SHA256
56691de54ae2cbf4cda5ae6c662f330c4fe99918f5163d4dd9ca1be6e9884fcf

SHA512
6240955964a8218e021623b3f234f90444b2840ead0b2b45e96605e0e365a2195aefe9fb0451bf334e4fe83e652989b5002ebcd5f97de7d354f1953d41bd9dbf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK1fv12.exe

Filesize
1006KB

MD5
f301cef1bacdb509b7d944713e9ed293

SHA1
921ff415e41da54c742cd78b4fffb94bcc4d563c

SHA256
56691de54ae2cbf4cda5ae6c662f330c4fe99918f5163d4dd9ca1be6e9884fcf

SHA512
6240955964a8218e021623b3f234f90444b2840ead0b2b45e96605e0e365a2195aefe9fb0451bf334e4fe83e652989b5002ebcd5f97de7d354f1953d41bd9dbf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\ln5wP75.exe

Filesize
621KB

MD5
a41ce950fafaf0195c72ce23aa861516

SHA1
07e7ae4fbd326d5feefc1a079ae1d459626a7841

SHA256
3bb587a309614fe8fe01bd7c060ca4be8d426827eecb07b8119ff651a322f441

SHA512
83ab98d08704dc44f62ae4f84c9859cdc646109c4c86bde6fc0f7d9fdc00d6595843db5efbe8dfe8b820c278fbaa60211288a1cf7b3fd10ac30991af11f64463

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\ln5wP75.exe

Filesize
621KB

MD5
a41ce950fafaf0195c72ce23aa861516

SHA1
07e7ae4fbd326d5feefc1a079ae1d459626a7841

SHA256
3bb587a309614fe8fe01bd7c060ca4be8d426827eecb07b8119ff651a322f441

SHA512
83ab98d08704dc44f62ae4f84c9859cdc646109c4c86bde6fc0f7d9fdc00d6595843db5efbe8dfe8b820c278fbaa60211288a1cf7b3fd10ac30991af11f64463

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1il10pQ9.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1il10pQ9.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
memory/2660-40-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/2660-41-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/2660-42-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-43-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-45-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-47-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-49-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-51-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-53-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-55-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-57-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-59-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-61-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-67-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-69-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-71-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-73-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-65-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2660-63-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads