5249a6c3b628626cb9c02b767a249b2422ebf3525ef6fadf668d2f68009c5baa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 01:02

Target

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe
Size

421KB
MD5

10a331a12ca40f3293dfadfcecb8d071
SHA1

ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA512

1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399
SSDEEP

12288:jh1Fk70TnvjcL8o0S86aZ+ldnqA1W0PeF7H:5k70TrcJX32ih1Re7H

Score

7^/10

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2136-0-0x0000000001DD0000-0x0000000001E24000-memory.dmp	net_reactor
behavioral1/memory/2136-3-0x0000000004910000-0x0000000004950000-memory.dmp	net_reactor
behavioral1/memory/2136-2-0x0000000004910000-0x0000000004950000-memory.dmp	net_reactor
behavioral1/memory/2136-5-0x0000000001FA0000-0x0000000001FF2000-memory.dmp	net_reactor
behavioral1/memory/2136-11-0x0000000004910000-0x0000000004950000-memory.dmp	net_reactor

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1940 2136 WerFault.exe b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe

pid	pid_target	process	target process
1940	2136	WerFault.exe	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe

description	pid	process	target process
PID 2136 wrote to memory of 1940	2136	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	WerFault.exe
PID 2136 wrote to memory of 1940	2136	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	WerFault.exe
PID 2136 wrote to memory of 1940	2136	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	WerFault.exe
PID 2136 wrote to memory of 1940	2136	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe
"C:\Users\Admin\AppData\Local\Temp\b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 600
  2⤵
  - Program crash
  PID:1940

memory/2136-1-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-0-0x0000000001DD0000-0x0000000001E24000-memory.dmp

Filesize
336KB

Download
memory/2136-3-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2136-2-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2136-4-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2136-5-0x0000000001FA0000-0x0000000001FF2000-memory.dmp

Filesize
328KB

Download
memory/2136-8-0x0000000002430000-0x0000000004430000-memory.dmp

Filesize
32.0MB

Download
memory/2136-9-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-10-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2136-11-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2136-12-0x0000000002430000-0x0000000004430000-memory.dmp

Filesize
32.0MB

Download