0d2a0556f2de44606689a479fcc8943f0d0b9aab62402d6bbf709a2aa01092d0

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:35

Target

12dcd49e22caf9bda7ec64df429f37b0N.exe
Size

1.9MB
MD5

12dcd49e22caf9bda7ec64df429f37b0
SHA1

2bd9e40808a91d34e0021c7c1f112eb1c95d8b41
SHA256

0d2a0556f2de44606689a479fcc8943f0d0b9aab62402d6bbf709a2aa01092d0
SHA512

a7ccd87b1724c00ecaa0be7c50a3fe8c94f5667a35360363c4b2bbe54f1a9877ec68f3064f87a40b6806c45a58f3646766016ee66d6946f80babe91fc48af6ec
SSDEEP

12288:2Wh2hbLbDJ8EysgSSVP5oDpqH2T6jIvzGqsyLCfOpQWpphnC0slLC6JCUhifWpF6:uiJr7Lv5D91zOk4OE

Score

7^/10

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1592-1-0x0000000000820000-0x0000000000A00000-memory.dmp	net_reactor

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2164	1592	12dcd49e22caf9bda7ec64df429f37b0N.exe	29
PID 1592 wrote to memory of 2164	1592	12dcd49e22caf9bda7ec64df429f37b0N.exe	29
PID 1592 wrote to memory of 2164	1592	12dcd49e22caf9bda7ec64df429f37b0N.exe	29

C:\Users\Admin\AppData\Local\Temp\12dcd49e22caf9bda7ec64df429f37b0N.exe
"C:\Users\Admin\AppData\Local\Temp\12dcd49e22caf9bda7ec64df429f37b0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1592 -s 528
  2⤵
  PID:2164

memory/1592-0-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/1592-1-0x0000000000820000-0x0000000000A00000-memory.dmp

Filesize
1.9MB

Download
memory/1592-2-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download