Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2023, 12:16
- Static task: static1
- Behavioral task: behavioral1 (sample 0e4cce351d50179ad135e2f12a52e9fb.exe, resource win7-20230831-en)
- Behavioral task: behavioral2 (sample 0e4cce351d50179ad135e2f12a52e9fb.exe, resource win10v2004-20230915-en)
General
- Target: 0e4cce351d50179ad135e2f12a52e9fb.exe
- Size: 605KB
- MD5: 0e4cce351d50179ad135e2f12a52e9fb
- SHA1: 47a8a4562b95f29a273f7df4371149887e5ba238
- SHA256: 362d8f8fcc698554a750a5dfb1e261eb3b5442fb4bfe4746c8ba9431ec944305
- SHA512: b8bbfb06c8c096d0c2a4930bae1ecc971eeab792064acf5a75c7dca27f918bf5828e92313d84a27b4ccd0793e34d3c49a0af29cbab8398b0a03e215ea62dd0e0
- SSDEEP: 12288:RMrzy90jJGrOjVIWLI3SvuchyLB1upQ5L7QjLI3F+el+afqV2k:+yAJ0gVQ3VcGupQ5Ao35+afI
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (1Ia10Wm4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (1Ia10Wm4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (1Ia10Wm4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (1Ia10Wm4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (1Ia10Wm4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (1Ia10Wm4.exe)
.NET Reactor protector 19 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- behavioral1/memory/3000-20-0x0000000000500000-0x0000000000520000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-21-0x0000000000980000-0x000000000099E000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-23-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-22-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-25-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-27-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-29-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-31-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-33-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-35-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-37-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-39-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-41-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-43-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-45-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-47-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-49-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-51-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
- behavioral1/memory/3000-53-0x0000000000980000-0x0000000000998000-memory.dmp (yara_rule: net_reactor)
Executes dropped EXE 3 IoCs
- PID 284 gJ7xN43.exe
- PID 3000 1Ia10Wm4.exe
- PID 2512 2Fw9428.exe
Loads dropped DLL 11 IoCs
- PID 2196 0e4cce351d50179ad135e2f12a52e9fb.exe
- PID 284 gJ7xN43.exe (4 entries)
- PID 3000 1Ia10Wm4.exe
- PID 2512 2Fw9428.exe
- PID 2408 WerFault.exe (4 entries)
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features (1Ia10Wm4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (1Ia10Wm4.exe)
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (0e4cce351d50179ad135e2f12a52e9fb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (gJ7xN43.exe)
Suspicious use of SetThreadContext 1 IoCs
- PID 2512 (2Fw9428.exe) set thread context of PID 2416, procid_target 32
Program crash 1 IoCs
- PID 2408 (WerFault.exe), pid_target 2512, procid_target 30
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 3000 1Ia10Wm4.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 3000 1Ia10Wm4.exe
Suspicious use of WriteProcessMemory 42 IoCs
- PID 2196 (0e4cce351d50179ad135e2f12a52e9fb.exe) wrote to memory of PID 284, procid_target 28 (7 events)
- PID 284 (gJ7xN43.exe) wrote to memory of PID 3000, procid_target 29 (7 events)
- PID 284 (gJ7xN43.exe) wrote to memory of PID 2512, procid_target 30 (7 events)
- PID 2512 (2Fw9428.exe) wrote to memory of PID 2416, procid_target 32 (14 events)
- PID 2512 (2Fw9428.exe) wrote to memory of PID 2408, procid_target 33 (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe (depth 1, PID 2196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e4cce351d50179ad135e2f12a52e9fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe (depth 2, PID 284)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gJ7xN43.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe (depth 3, PID 3000)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ia10Wm4.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe (depth 3, PID 2512)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Fw9428.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 4, PID 2416)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 2408)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 268
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads