Analysis Overview
SHA256
ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1
Threat Level: Known bad
The file ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1 was found to be: Known bad.
Malicious Activity Summary
RisePro
.NET Reactor protector
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-04 10:48
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 10:48
Reported
2024-06-04 10:50
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RisePro
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2384 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe
"C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
memory/2384-0-0x000000007497E000-0x000000007497F000-memory.dmp
memory/2384-1-0x0000000000160000-0x0000000000670000-memory.dmp
memory/2384-2-0x0000000005090000-0x000000000512C000-memory.dmp
memory/2384-3-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2384-4-0x00000000052A0000-0x00000000054F0000-memory.dmp
memory/2384-5-0x0000000006620000-0x000000000684A000-memory.dmp
memory/2384-6-0x0000000004A60000-0x0000000004A7C000-memory.dmp
memory/2384-16-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-66-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/3992-70-0x0000000000400000-0x0000000000596000-memory.dmp
memory/2384-74-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2384-73-0x0000000074970000-0x0000000075120000-memory.dmp
memory/3992-68-0x0000000000400000-0x0000000000596000-memory.dmp
memory/3992-67-0x0000000000400000-0x0000000000596000-memory.dmp
memory/2384-64-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-62-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-58-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-56-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-54-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-52-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-51-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-48-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-46-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-45-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-40-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-39-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-36-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-35-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-32-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-30-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-28-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-26-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-24-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-22-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-20-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-19-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-14-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-12-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-10-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-8-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-60-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-7-0x0000000004A60000-0x0000000004A75000-memory.dmp
memory/2384-42-0x0000000004A60000-0x0000000004A75000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 10:48
Reported
2024-06-04 10:50
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
RisePro
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1188 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe
"C:\Users\Admin\AppData\Local\Temp\ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
memory/1188-0-0x000000007488E000-0x000000007488F000-memory.dmp
memory/1188-1-0x0000000000520000-0x0000000000A30000-memory.dmp
memory/1188-2-0x00000000054E0000-0x000000000557C000-memory.dmp
memory/1188-3-0x0000000074880000-0x0000000075031000-memory.dmp
memory/1188-4-0x0000000005680000-0x00000000058D0000-memory.dmp
memory/1188-5-0x0000000006A00000-0x0000000006C2A000-memory.dmp
memory/1188-6-0x0000000004D80000-0x0000000004D9C000-memory.dmp
memory/1188-20-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-24-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-66-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-67-0x0000000074880000-0x0000000075031000-memory.dmp
memory/2984-68-0x0000000000400000-0x0000000000596000-memory.dmp
memory/1188-70-0x0000000074880000-0x0000000075031000-memory.dmp
memory/1188-64-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-62-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/2984-72-0x0000000000400000-0x0000000000596000-memory.dmp
memory/2984-71-0x0000000000400000-0x0000000000596000-memory.dmp
memory/1188-60-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-56-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-54-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-52-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-50-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-48-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-46-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-44-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-42-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-40-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-38-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-36-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-34-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-30-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-28-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-26-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-22-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-18-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-16-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-12-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-10-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-8-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-7-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-58-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-32-0x0000000004D80000-0x0000000004D95000-memory.dmp
memory/1188-14-0x0000000004D80000-0x0000000004D95000-memory.dmp