Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 01:26

Static task: static1

Behavioral task: behavioral1
  Sample: The Injector lol made with c# ReIn2ct1.zip
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: The Injector lol made with c# ReIn2ct1.zip
  Resource: win10v2004-20240802-en
General
Target: The Injector lol made with c# ReIn2ct1.zip
Size: 14.1MB
MD5: d0785a1784a9904f6a716618f4e8f878
SHA1: df211857a3a310d1762b27b36c78af905636f2a5
SHA256: 213720c1d351d7ba4796a645e08b086fa309423e519d57dd15ad570f3301661a
SHA512: 2a50dc542ec9f8bc7006cec3072aa71d643e95afd8eb9b74bb3906571b4d32030d42530ccab17f47c4d115bce78948168f63fb54e2996ecb6b3ae13e29cc3143
SSDEEP: 393216:6rj5GryEtqLlVh4Jl8G/10GDO40KVQlifi9AfU/jp8bGhsvQJ:6rnVai8Gw6Kfgj8ssvQJ
Malware Config
Signatures
Executes dropped EXE (7 IoCs)
  pid  | Process
  3916 | ReIn2ct.exe
  228  | ReIn2ct.exe
  5040 | ReIn2ct.exe
  2824 | ReIn2ct.exe
  1324 | ReIn2ct.exe
  4732 | ReIn2ct.exe
  4356 | ReIn2ct.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description       | ioc | Process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe

Modifies Internet Explorer settings (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\TypedURLs | taskmgr.exe

Modifies registry class (5 IoCs)
  description      | ioc | Process
  Key created      | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | taskmgr.exe
  Key created      | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
  Key created      | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | taskmgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  4868 | taskmgr.exe (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  | Process
  4868 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description                     | pid  | Process
  Token: SeDebugPrivilege         | 4868 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4868 | taskmgr.exe
  Token: SeCreateGlobalPrivilege  | 4868 | taskmgr.exe
  Token: SeRestorePrivilege       | 2728 | 7zG.exe
  Token: 35                       | 2728 | 7zG.exe
  Token: SeSecurityPrivilege      | 2728 | 7zG.exe
  Token: SeSecurityPrivilege      | 2728 | 7zG.exe
  Token: SeDebugPrivilege         | 3916 | ReIn2ct.exe
  Token: SeDebugPrivilege         | 228  | ReIn2ct.exe
  Token: SeDebugPrivilege         | 5040 | ReIn2ct.exe
  Token: SeDebugPrivilege         | 2824 | ReIn2ct.exe
  Token: SeDebugPrivilege         | 1324 | ReIn2ct.exe
  Token: SeDebugPrivilege         | 4732 | ReIn2ct.exe
  Token: SeDebugPrivilege         | 4356 | ReIn2ct.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid  | Process
  4868 | taskmgr.exe (63 identical rows)
  2728 | 7zG.exe (1 row)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid  | Process
  4868 | taskmgr.exe (64 identical rows)

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid  | Process
  3916 | ReIn2ct.exe
  228  | ReIn2ct.exe
  5040 | ReIn2ct.exe
  2824 | ReIn2ct.exe
  1324 | ReIn2ct.exe
  4732 | ReIn2ct.exe
  4356 | ReIn2ct.exe
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1.zip"
  PID: 5016

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4868

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4732

- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\" -ad -an -ai#7zMap28063:156:7zEvent5173
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2728

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3916

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 228

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 5040

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe" "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\mm.dll"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2824

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe" "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2cs.dll"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1324

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe" "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\MainMode.dll"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4732

- C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\ReIn2ct.exe" "C:\Users\Admin\AppData\Local\Temp\The Injector lol made with c# ReIn2ct1\ReIn2ct1\License"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4356
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 847B
  MD5: 66a0a4aa01208ed3d53a5e131a8d030a
  SHA1: ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
  SHA256: f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
  SHA512: 626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

- Filesize: 11B
  MD5: d7959e8a48299a9276354ac9a706337d
  SHA1: d1b43037b68e5c47464093d5e2d952e8c444f788
  SHA256: d6056789b0061df4004f60e2e8a53fc8b2f6161fac4e289dcc43e0de812869a5
  SHA512: 08d324f58addff557f84117867ebadf2c36bb5072c4f1a374642a066dc1d70967163e2f6217204d93680fe34c515d674246f7d81e77977dc114a6ec7f8d00fad

- Filesize: 5KB
  MD5: da1c2daeab3db85f72fa3f0b950efba7
  SHA1: cc231b3db93a65ec260fce0fc170d85d31df9fb8
  SHA256: b124f8228761c5a0e8d512d222e98a333d9312f0575da1fc05ac8ac4c084510e
  SHA512: 3eee5416e6dc9cf7117f5c1bb06da309fc84d10c59a6e6504d121c64b8bc16c6ceb7be4bf9adecdb11af1033d49fa47b18e0cacf65ded65142ef1a64cf60aa23

- Filesize: 129KB
  MD5: d84aaca1a705738bb6793fadf35487f5
  SHA1: 2fec4ba481036efbbdf5eeaeab27eeef689e795f
  SHA256: 5264694a8c8dc7f2366f89c8b29fd7bd876fb7761dd81dffb8d640ec1fed599f
  SHA512: 599c3bb7a635814b8cb2647360abe942cbf83e25a25c129c229ac836481eb49ba1185fbe3e0ae3f1282e97ccc593aa79a93c08e299c189d9062594b7c3c757ff