Analysis Overview
SHA256
abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c
Threat Level: Known bad
The file abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c was found to be: Known bad.
Malicious Activity Summary
RisePro
.NET Reactor protector
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-04 10:46
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 10:46
Reported
2024-06-04 10:49
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
RisePro
.NET Reactor protector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1020 set thread context of 5716 | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe
"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 10:46
Reported
2024-06-04 10:49
Platform
win11-20240426-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
RisePro
.NET Reactor protector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1784 set thread context of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe
"C:\Users\Admin\AppData\Local\Temp\abed6f09999c18d12d84a49fb67b12cd4a2ca7a79fa365cecd9d955c3364ff5c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files