dc84efd6a2fb51aaa7e69a8674e4b2c60ceb48c3bff06a8e35777c6abb29569d

Analysis

max time kernel
118s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1337v3 setup.exe
Size

3.4MB
MD5

4c75ef26b3ebdd27f01d5184f8b29558
SHA1

eef93934c7136b973f7339d8a61c36cd09c65b5d
SHA256

dc84efd6a2fb51aaa7e69a8674e4b2c60ceb48c3bff06a8e35777c6abb29569d
SHA512

8164093bc984b911dab71b7a8c0cd69c8f694bbaebf7bb78d29eb1c142eeb9e282a1f7f8ef768aa27f1905e686bcbc6fc796543078b5a3d0467e63b7f77591d8
SSDEEP

98304:9wRExOWP5ypYDj7nBOHMT2lG2NP8N52rYHu:37PT7nBOG2lG2NP8DO

Score

7^/10

discovery

Malware Config

Signatures

.NET Reactor proctector 34 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/716-25-0x0000000004E20000-0x0000000004EF6000-memory.dmp	net_reactor
behavioral1/memory/716-28-0x0000000004D40000-0x0000000004E14000-memory.dmp	net_reactor
behavioral1/memory/716-33-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-62-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-68-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-92-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-90-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-86-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-82-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-80-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-78-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-76-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-74-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-72-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-71-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-66-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-64-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-60-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-57-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-88-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-84-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-55-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-53-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-49-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-41-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-39-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-37-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-31-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-51-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-30-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-47-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-45-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-43-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor
behavioral1/memory/716-35-0x0000000004D40000-0x0000000004E0F000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
3740	1337v3 setup.tmp
716	1337spooferv3.exe

Loads dropped DLL 4 IoCs

pid	Process
716	1337spooferv3.exe
716	1337spooferv3.exe
716	1337spooferv3.exe
716	1337spooferv3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\1337Spooferv3\Siticone.UI.dll	1337v3 setup.tmp
File created	C:\Program Files (x86)\1337Spooferv3\unins000.dat	1337v3 setup.tmp
File opened for modification	C:\Program Files (x86)\1337Spooferv3\unins000.dat	1337v3 setup.tmp
File opened for modification	C:\Program Files (x86)\1337Spooferv3\1337spooferv3.exe	1337v3 setup.tmp
File created	C:\Program Files (x86)\1337Spooferv3\is-ENKFF.tmp	1337v3 setup.tmp
File created	C:\Program Files (x86)\1337Spooferv3\is-DP2VG.tmp	1337v3 setup.tmp
File created	C:\Program Files (x86)\1337Spooferv3\is-D6A0V.tmp	1337v3 setup.tmp
File created	C:\Program Files (x86)\1337Spooferv3\is-2VDUF.tmp	1337v3 setup.tmp
File opened for modification	C:\Program Files (x86)\1337Spooferv3\Guna.UI2.dll	1337v3 setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1337v3 setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1337v3 setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1337spooferv3.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\1337Spooferv3.myp	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\1337Spooferv3.myp\DefaultIcon	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\1337Spooferv3.myp\shell\open\command	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\1337spooferv3.exe\SupportedTypes	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\1337spooferv3.exe	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\1337spooferv3.exe\SupportedTypes	1337v3 setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\1337spooferv3.exe\SupportedTypes\.myp	1337v3 setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\1337Spooferv3\\1337spooferv3.exe\" \"%1\""	1337v3 setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp\ = "1337Spooferv3"	1337v3 setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp\DefaultIcon\ = "C:\\Program Files (x86)\\1337Spooferv3\\1337spooferv3.exe,0"	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp\shell	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp\shell\open\command	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\1337Spooferv3.myp	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1337Spooferv3.myp\shell\open	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	1337v3 setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	1337v3 setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	1337v3 setup.tmp
3740	1337v3 setup.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	1337spooferv3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3740	1337v3 setup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3740	2388	1337v3 setup.exe	83
PID 2388 wrote to memory of 3740	2388	1337v3 setup.exe	83
PID 2388 wrote to memory of 3740	2388	1337v3 setup.exe	83
PID 3740 wrote to memory of 716	3740	1337v3 setup.tmp	86
PID 3740 wrote to memory of 716	3740	1337v3 setup.tmp	86
PID 3740 wrote to memory of 716	3740	1337v3 setup.tmp	86

C:\Users\Admin\AppData\Local\Temp\1337v3 setup.exe
"C:\Users\Admin\AppData\Local\Temp\1337v3 setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\is-8TRP2.tmp\1337v3 setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8TRP2.tmp\1337v3 setup.tmp" /SL5="$7024C,2641178,801792,C:\Users\Admin\AppData\Local\Temp\1337v3 setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Program Files (x86)\1337Spooferv3\1337spooferv3.exe
    "C:\Program Files (x86)\1337Spooferv3\1337spooferv3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1337Spooferv3\1337spooferv3.exe

Filesize
701KB

MD5
db9f1419f196d4c20e60a992e79ee331

SHA1
4c6754761dfb1c94eaaefca3056ae3ee0729d9ce

SHA256
ce3abc58f54a17c27619832aa0edece56ad287b8777e7fd04686e1ccb04dec6b

SHA512
bc03989c12bb11983e594cebd716b3a945d9995212780f7c7aa594507a5baaf43a96bbccdc3fc1188709d3dff23141e866c0e9c36f8663fc75e109661a65d0ba

Download Submit
C:\Program Files (x86)\1337Spooferv3\Guna.UI2.dll

Filesize
3.7MB

MD5
de97f5f8b11269f60e9b0a0d66266a4c

SHA1
ac01b2bf4238810c5db34b436f77de4c9182b1d7

SHA256
7c6196edac2b156e5da4556f391d3486250960dab1d1ca093cd6cfdde59a3a84

SHA512
9f196e961b8d4a1e4b3f2bf1ae4f2145978503f54460c28e95fd49b1998964f6d1c8fe8da3a6a48183d00c5645fbc28ba9d1dd1e875f008739085fb6e466ff87

Download Submit
C:\Program Files (x86)\1337Spooferv3\Siticone.UI.dll

Filesize
1.3MB

MD5
750c58af2e56b6addecffcf152520ab8

SHA1
14995e7f1d12498606d9d209d78d55fe6fd87802

SHA256
27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

SHA512
2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8TRP2.tmp\1337v3 setup.tmp

Filesize
3.1MB

MD5
864eb8a38824e35b09700a9c8c7ac68a

SHA1
984ac6070e9750f4b9a00872bd26cb1fba5ef374

SHA256
4b73a053a2db29248a905a64797f67b2bfb784c2b0204af038c8e455f07d85c1

SHA512
75c70636649b2525f36a4cf28063c66378e2782005c44cffb1ba2b91185028bafe6046e986f9bd06270ed846afa1417d6a657aef5dca70228e842831bb618383

Download Submit
memory/716-53-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-35-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-25-0x0000000004E20000-0x0000000004EF6000-memory.dmp

Filesize
856KB

Download
memory/716-26-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-41-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-28-0x0000000004D40000-0x0000000004E14000-memory.dmp

Filesize
848KB

Download
memory/716-29-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-33-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-62-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-68-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-92-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-90-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-86-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-82-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-80-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-78-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-76-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-74-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-72-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-71-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-66-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-64-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-60-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-57-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-88-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-84-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-58-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-55-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-24-0x000000007302E000-0x000000007302F000-memory.dmp

Filesize
4KB

Download
memory/716-3555-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-27-0x0000000004F00000-0x00000000054A4000-memory.dmp

Filesize
5.6MB

Download
memory/716-39-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-37-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-31-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-51-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-30-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-47-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-45-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-43-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-49-0x0000000004D40000-0x0000000004E0F000-memory.dmp

Filesize
828KB

Download
memory/716-3532-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/716-3533-0x0000000005550000-0x0000000005562000-memory.dmp

Filesize
72KB

Download
memory/716-3534-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3535-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/716-3554-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3539-0x0000000005830000-0x0000000005BF0000-memory.dmp

Filesize
3.8MB

Download
memory/716-3553-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3543-0x0000000006040000-0x000000000618E000-memory.dmp

Filesize
1.3MB

Download
memory/716-3544-0x0000000005800000-0x0000000005814000-memory.dmp

Filesize
80KB

Download
memory/716-3545-0x0000000007390000-0x00000000073E2000-memory.dmp

Filesize
328KB

Download
memory/716-3546-0x000000007302E000-0x000000007302F000-memory.dmp

Filesize
4KB

Download
memory/716-3547-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3548-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3549-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3551-0x00000000090F0000-0x000000000918C000-memory.dmp

Filesize
624KB

Download
memory/716-3550-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/716-3552-0x0000000009990000-0x00000000099CC000-memory.dmp

Filesize
240KB

Download
memory/2388-2-0x0000000000C61000-0x0000000000D09000-memory.dmp

Filesize
672KB

Download
memory/2388-1-0x0000000000C60000-0x0000000000D32000-memory.dmp

Filesize
840KB

Download
memory/3740-6-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download