210219eaf6e35c0666e4ed8a397e2873d23c37b828a395932a57ad4dad51a886

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WD KILLER.exe
Size

2.2MB
MD5

82fb7b69fded56e017f1c39367a20192
SHA1

e7fcc3be3b884e2a57c1e0d0da3b815853a99e9a
SHA256

210219eaf6e35c0666e4ed8a397e2873d23c37b828a395932a57ad4dad51a886
SHA512

84cc83f82007574a2a986d510c9cd9971653e9a958a50b73c0587baa66b7ea68f4cd8723af052770bd72e18e1781e73a3440453fdbd34d68afeb23f3f791c80f
SSDEEP

24576:taduS0M58twz1Ain0hSqK1c4BCMy/rPJuRnMUE8Sh4Rt:0cSk+HADwCjGMUa4

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2104-1-0x0000000001080000-0x00000000012B2000-memory.dmp	net_reactor

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2320	2104	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	WD KILLER.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2320	2104	WD KILLER.exe	28
PID 2104 wrote to memory of 2320	2104	WD KILLER.exe	28
PID 2104 wrote to memory of 2320	2104	WD KILLER.exe	28
PID 2104 wrote to memory of 2320	2104	WD KILLER.exe	28

C:\Users\Admin\AppData\Local\Temp\WD KILLER.exe
"C:\Users\Admin\AppData\Local\Temp\WD KILLER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1704
  2⤵
  - Program crash
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x0000000001080000-0x00000000012B2000-memory.dmp

Filesize
2.2MB

Download
memory/2104-2-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-3-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-4-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-5-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/2104-6-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download