816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9

General

Target

816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe
Size

1002KB
MD5

2ba0dd909834cf4c4eb4e3a94b17b149
SHA1

7e0f8c499a6a567abb1a0d003300ba90ca7f373b
SHA256

816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9
SHA512

9dd65989c4e26d40b949d9cf280c2d1291d05ac6326d2e0160d86fe14ff5d1bc3f7814c1d0547cda106cbf44fa3a2ce813bd44259ac4f910d8ec261a8f8ded04
SSDEEP

24576:9y3jr1ELLw03ZJWFEmT2m217y6Qzt8KO7i:Y3/GLLbJyEmT2mEyLZ7k

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4792-36-0x0000000006C40000-0x0000000006C60000-memory.dmp	net_reactor
behavioral2/memory/4792-39-0x0000000009370000-0x000000000938E000-memory.dmp	net_reactor
behavioral2/memory/4792-40-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-41-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-43-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-45-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-47-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-49-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-51-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-53-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-55-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-57-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-59-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-61-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-65-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-63-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-67-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-69-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor
behavioral2/memory/4792-71-0x0000000009370000-0x0000000009388000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
4140	cu4Ao98.exe
4660	Dk1iX71.exe
4436	iG5cU40.exe
3948	1El01FQ8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cu4Ao98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Dk1iX71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	iG5cU40.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 4792	3948	1El01FQ8.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4252	3948	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4792	AppLaunch.exe
4792	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 4140	1344	816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe	69
PID 1344 wrote to memory of 4140	1344	816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe	69
PID 1344 wrote to memory of 4140	1344	816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe	69
PID 4140 wrote to memory of 4660	4140	cu4Ao98.exe	70
PID 4140 wrote to memory of 4660	4140	cu4Ao98.exe	70
PID 4140 wrote to memory of 4660	4140	cu4Ao98.exe	70
PID 4660 wrote to memory of 4436	4660	Dk1iX71.exe	71
PID 4660 wrote to memory of 4436	4660	Dk1iX71.exe	71
PID 4660 wrote to memory of 4436	4660	Dk1iX71.exe	71
PID 4436 wrote to memory of 3948	4436	iG5cU40.exe	72
PID 4436 wrote to memory of 3948	4436	iG5cU40.exe	72
PID 4436 wrote to memory of 3948	4436	iG5cU40.exe	72
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73
PID 3948 wrote to memory of 4792	3948	1El01FQ8.exe	73

C:\Users\Admin\AppData\Local\Temp\816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe
"C:\Users\Admin\AppData\Local\Temp\816d4fd6ca3b5dcba1a2a355e5198f413aae21af5d8e53bff74b02e59345f9c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cu4Ao98.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cu4Ao98.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dk1iX71.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dk1iX71.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG5cU40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG5cU40.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El01FQ8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El01FQ8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 188
        6⤵
        Program crash
        
        PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cu4Ao98.exe

Filesize
863KB

MD5
114b264fcbafebb60aa6f9015677d38c

SHA1
a2a005661072fe4add56be92c23b8e5a61444d4a

SHA256
5dc0edffbeecf7b2efcc8aef83dbe2169fdb5d433544e7a7c036a55c10a7f535

SHA512
78c6de23ff145731ff84d041f8be1415431aae5ea7adbcd3c4266947998c80fb6c22bd1af51b02ecd6c481bf3331c7ca7f2f3efa61ed672e3493f2fb5bd09196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cu4Ao98.exe

Filesize
863KB

MD5
114b264fcbafebb60aa6f9015677d38c

SHA1
a2a005661072fe4add56be92c23b8e5a61444d4a

SHA256
5dc0edffbeecf7b2efcc8aef83dbe2169fdb5d433544e7a7c036a55c10a7f535

SHA512
78c6de23ff145731ff84d041f8be1415431aae5ea7adbcd3c4266947998c80fb6c22bd1af51b02ecd6c481bf3331c7ca7f2f3efa61ed672e3493f2fb5bd09196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dk1iX71.exe

Filesize
629KB

MD5
c626fec8c4e728828c1d037fc1c99d01

SHA1
d8aba4cc654c927314d3fb144bc2de277147f412

SHA256
523747f865e57bf80bc9dab45a118a846e3362f1a6675c33e4e165790ddc791b

SHA512
3ab5f2ed2797c320dfb7dc5e5d95d750a821d6fe7a46b90ae19b9d4b74ec4cebb45f8fd29f7a4cfc2585bfa5283a2af9c179b55c742a123fa2cd71dc9e6c8ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dk1iX71.exe

Filesize
629KB

MD5
c626fec8c4e728828c1d037fc1c99d01

SHA1
d8aba4cc654c927314d3fb144bc2de277147f412

SHA256
523747f865e57bf80bc9dab45a118a846e3362f1a6675c33e4e165790ddc791b

SHA512
3ab5f2ed2797c320dfb7dc5e5d95d750a821d6fe7a46b90ae19b9d4b74ec4cebb45f8fd29f7a4cfc2585bfa5283a2af9c179b55c742a123fa2cd71dc9e6c8ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG5cU40.exe

Filesize
444KB

MD5
7ed0c93698e8bef0a0d594884c6ac85a

SHA1
bf02a5fc4a918a8c7c18c146909eb6b386df47c3

SHA256
2dee5de62828a5b382c2e9d80cb8174499a00b3b057a6130d59066194f361066

SHA512
2877736157244db8b3e13ebc6bd047479b8e61fa2c55db0c982322cfa1fcf810c4b68124a9fc67e8a1fb8a8cd0b6c9ebee6a158f38fa2ee3c49665fcd36a45dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG5cU40.exe

Filesize
444KB

MD5
7ed0c93698e8bef0a0d594884c6ac85a

SHA1
bf02a5fc4a918a8c7c18c146909eb6b386df47c3

SHA256
2dee5de62828a5b382c2e9d80cb8174499a00b3b057a6130d59066194f361066

SHA512
2877736157244db8b3e13ebc6bd047479b8e61fa2c55db0c982322cfa1fcf810c4b68124a9fc67e8a1fb8a8cd0b6c9ebee6a158f38fa2ee3c49665fcd36a45dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El01FQ8.exe

Filesize
306KB

MD5
cffbf89be9b8ebbba9a11ea60f0be22e

SHA1
86269fe003ca2411781daf149ea2d8b91503c663

SHA256
824399351186817a2c12df4e401bcae384ce66add003c01e4a3a8e25e48b7b62

SHA512
3690bdca96918ae9ed0baa7d564d0edbdc83ec996c126ff3fb88a160046b14b1de22043fc39e8bdb25f6d96f5cc866ebf58afe30506ba502dfa83a8a5ae4a273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El01FQ8.exe

Filesize
306KB

MD5
cffbf89be9b8ebbba9a11ea60f0be22e

SHA1
86269fe003ca2411781daf149ea2d8b91503c663

SHA256
824399351186817a2c12df4e401bcae384ce66add003c01e4a3a8e25e48b7b62

SHA512
3690bdca96918ae9ed0baa7d564d0edbdc83ec996c126ff3fb88a160046b14b1de22043fc39e8bdb25f6d96f5cc866ebf58afe30506ba502dfa83a8a5ae4a273

Download Submit
memory/4792-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-36-0x0000000006C40000-0x0000000006C60000-memory.dmp

Filesize
128KB

Download
memory/4792-37-0x0000000072AB0000-0x000000007319E000-memory.dmp

Filesize
6.9MB

Download
memory/4792-38-0x0000000009910000-0x0000000009E0E000-memory.dmp

Filesize
5.0MB

Download
memory/4792-39-0x0000000009370000-0x000000000938E000-memory.dmp

Filesize
120KB

Download
memory/4792-40-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-41-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-43-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-45-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-47-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-49-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-51-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-53-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-55-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-57-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-59-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-61-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-65-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-63-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-67-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-69-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-71-0x0000000009370000-0x0000000009388000-memory.dmp

Filesize
96KB

Download
memory/4792-80-0x0000000072AB0000-0x000000007319E000-memory.dmp

Filesize
6.9MB

Download
memory/4792-95-0x0000000072AB0000-0x000000007319E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads