Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230831-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    19/10/2023, 12:16

General

  • Target

    0e4cce351d50179ad135e2f12a52e9fb.exe

  • Size

    605KB

  • MD5

    0e4cce351d50179ad135e2f12a52e9fb

  • SHA1

    47a8a4562b95f29a273f7df4371149887e5ba238

  • SHA256

    362d8f8fcc698554a750a5dfb1e261eb3b5442fb4bfe4746c8ba9431ec944305

  • SHA512

    b8bbfb06c8c096d0c2a4930bae1ecc971eeab792064acf5a75c7dca27f918bf5828e92313d84a27b4ccd0793e34d3c49a0af29cbab8398b0a03e215ea62dd0e0

  • SSDEEP

    12288:RMrzy90jJGrOjVIWLI3SvuchyLB1upQ5L7QjLI3F+el+afqV2k:+yAJ0gVQ3VcGupQ5Ao35+afI

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • .NET Reactor protector 19 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe
    "C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2416
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 268
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:2408
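
The signatures and the process tree above describe a compact chain: a dropper that runs from the user's Temp directory, stages its second-stage binaries in IXP000.TMP / IXP001.TMP (the extraction folder naming used by IExpress self-extracting packages), has one child disable Windows Defender real-time protection and another spawn AppLaunch.exe with no arguments after SetThreadContext and WriteProcessMemory activity, which is consistent with hollowing a .NET host; persistence is a Run key written by the dropper. The following triage script is an added example, not part of the sandbox report or any vendor tooling. It encodes those observations as rules over constructed Sysmon-style events (EventID 1 process create, EventID 13 registry value set) whose PIDs and image paths mirror the tree above; the dropper's parent PID, the Run value name "Updater" and the registry data are assumptions, since the page does not show them.

```python
import re

# Constructed Sysmon-style events (not from the sandbox report). Fields are a
# subset of EventID 1 (process create) and EventID 13 (registry value set).
# PIDs and image paths mirror the process tree above; the parent PID of the
# dropper, the Run value name and the registry data are assumptions.
EVENTS = [
    {"id": 1, "pid": 2196, "ppid": 1488, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe"'},
    {"id": 1, "pid": 284, "ppid": 2196,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe"},
    {"id": 1, "pid": 3000, "ppid": 284,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe"},
    {"id": 1, "pid": 2512, "ppid": 284,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe"},
    {"id": 1, "pid": 2416, "ppid": 2512,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'},
    {"id": 13, "pid": 3000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "pid": 2196,  # value name "Updater" is assumed, not from the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe"},
    # Benign control: a Windows binary started from Explorer with an argument.
    {"id": 1, "pid": 4100, "ppid": 1488, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# IXPnnn.TMP is the extraction folder used by IExpress self-extracting packages.
SFX_TEMP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
# Policy values under this key (DisableRealtimeMonitoring, DisableBehaviorMonitoring, ...)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# .NET Framework utilities commonly used as hollowing hosts; Framework64 covers 64-bit payloads.
NET_HOST = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(AppLaunch|RegAsm|RegSvcs|InstallUtil)\.exe$", re.I)


def _no_arguments(event):
    """True when the command line is just the image path (quoted or not)."""
    return event["cmdline"].strip().strip('"').lower() == event["image"].lower()


def hunt(events):
    """Return (rule, pid, detail) tuples for every event matching a rule."""
    findings = []
    for e in events:
        if e["id"] == 1:
            if SFX_TEMP.search(e["image"]):
                findings.append(("exec_from_sfx_temp", e["pid"], e["image"]))
            # A .NET host with an empty command line, started by something outside
            # C:\Windows, is the shape of the AppLaunch.exe child in the tree above.
            if (NET_HOST.search(e["image"]) and _no_arguments(e)
                    and not e["parent_image"].lower().startswith("c:\\windows\\")):
                findings.append(("net_host_no_args_untrusted_parent", e["pid"], e["parent_image"]))
        elif e["id"] == 13:
            if DEFENDER_RTP.search(e["target"]):
                findings.append(("defender_rtp_tamper", e["pid"], e["target"]))
            if RUN_KEY.search(e["target"]) and USER_TEMP.search(e["image"]):
                findings.append(("run_key_from_temp_process", e["pid"], e["details"]))
    return findings


def ancestry(events, pid):
    """Walk parent PIDs back to the first process not present in the events."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
    print(" <- ".join(ancestry(EVENTS, 2416)))
```

Run against the constructed events the script flags the three IXP-staged executables, the Defender policy write by PID 3000, the Run value written by the Temp-resident dropper and the argument-less AppLaunch.exe under PID 2512, and leaves the notepad.exe control alone; `ancestry` then ties the hollowed host back to the original sample. On a real host, feed it Sysmon or EDR process and registry events instead of the inline list, and note that the report's WerFault.exe runs from SysWOW64 and AppLaunch.exe from Framework rather than Framework64, so the crashed injector and its host are 32-bit processes on the x64 image.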

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe

            Filesize

            421KB

            MD5

            6e3cd9806b164c57886af6ff6ccc026e

            SHA1

            e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a

            SHA256

            721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4

            SHA512

            083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe

            Filesize

            188KB

            MD5

            425e2a994509280a8c1e2812dfaad929

            SHA1

            4d5eff2fb3835b761e2516a873b537cbaacea1fe

            SHA256

            6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

            SHA512

            080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe

            Filesize

            295KB

            MD5

            c79db86d20bdc4c83a174ce0f3d620c3

            SHA1

            aff038016a6f4267990069b210bcf29316187457

            SHA256

            32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533

            SHA512

            38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623

          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe

            Filesize

            421KB

            MD5

            6e3cd9806b164c57886af6ff6ccc026e

            SHA1

            e5ce7f9f0d62acc32a8b6c33c0c1aaa726bf821a

            SHA256

            721c533c120abc0c97da5df0583edc9ffedcb437678824f5ac6aaabfe510bfe4

            SHA512

            083dd012e888026ba44660ad65f69baae2c1cda81f60d4720a2c5c0a2f850b88470f7886b2521e83ee68221825f530378a6419afb2d13f19b34ef925b33ce954

          • \Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe

            Filesize

            188KB

            MD5

            425e2a994509280a8c1e2812dfaad929

            SHA1

            4d5eff2fb3835b761e2516a873b537cbaacea1fe

            SHA256

            6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

            SHA512

            080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

          • \Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe

            Filesize

            295KB

            MD5

            c79db86d20bdc4c83a174ce0f3d620c3

            SHA1

            aff038016a6f4267990069b210bcf29316187457

            SHA256

            32904003b81a13673d52dc7a42e713bebe4eed19346ebacb069d854bab390533

            SHA512

            38fa5624c8b024d4c8be586014f1229db2b1c04e48fd51a152ba81a099c40dd9fe99a6fa4cb8f4a1593d194dfcd66c442f4ca8b72a0fcf8fa49f113667bdd623

          • memory/2416-77-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-70-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-69-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-68-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-67-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-65-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-63-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-72-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-74-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

          • memory/2416-76-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/2416-82-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

          • memory/3000-25-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-53-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-51-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-49-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-47-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-45-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-43-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-41-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-39-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-37-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-35-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-33-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-31-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-29-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-27-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-22-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-23-0x0000000000980000-0x0000000000998000-memory.dmp

            Filesize

            96KB

          • memory/3000-21-0x0000000000980000-0x000000000099E000-memory.dmp

            Filesize

            120KB

          • memory/3000-20-0x0000000000500000-0x0000000000520000-memory.dmp

            Filesize

            128KB