789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6

General

Target

srtware loader.exe
Size

1.1MB
MD5

12395d08dc0bfe12e63605328ddd982f
SHA1

51ceb544e3900fb85fe7aada564d081219464d1d
SHA256

789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6
SHA512

1a26d4de93abf8f5af0b7e6ac3307f6cc6c3ce5b905545788430460c1664efa5637c856db3e994163147e259385da3125d6ff13a39bbade962c95872ea5bd4e4
SSDEEP

24576:vTc28b2Yf2eSf1xZ9a9wwz+NzYbiaCoWTXKjvFQxf:bcbb2UCrZ9wwwKJL2jvFQx

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2296-2-0x00000000003A0000-0x0000000000732000-memory.dmp	net_reactor

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe
2296	srtware loader.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srtware loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	srtware loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2948	2296	srtware loader.exe	31
PID 2296 wrote to memory of 2948	2296	srtware loader.exe	31
PID 2296 wrote to memory of 2948	2296	srtware loader.exe	31
PID 2296 wrote to memory of 2948	2296	srtware loader.exe	31
PID 2296 wrote to memory of 1944	2296	srtware loader.exe	33
PID 2296 wrote to memory of 1944	2296	srtware loader.exe	33
PID 2296 wrote to memory of 1944	2296	srtware loader.exe	33
PID 2296 wrote to memory of 1944	2296	srtware loader.exe	33
PID 2296 wrote to memory of 2744	2296	srtware loader.exe	35
PID 2296 wrote to memory of 2744	2296	srtware loader.exe	35
PID 2296 wrote to memory of 2744	2296	srtware loader.exe	35
PID 2296 wrote to memory of 2744	2296	srtware loader.exe	35

C:\Users\Admin\AppData\Local\Temp\srtware loader.exe
"C:\Users\Admin\AppData\Local\Temp\srtware loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mkdir C:\Users\gbcd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /tn "chromeupdatecc" /tr "C:\Users\gbcd\qqq.scr" /sc onstart /rl highest /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-0-0x00000000003A0000-0x0000000000732000-memory.dmp

Filesize
3.6MB

Download
memory/2296-1-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/2296-2-0x00000000003A0000-0x0000000000732000-memory.dmp

Filesize
3.6MB

Download
memory/2296-3-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

Filesize
24KB

Download
memory/2296-11-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/2948-6-0x0000000071B11000-0x0000000071B12000-memory.dmp

Filesize
4KB

Download
memory/2948-7-0x0000000071B10000-0x00000000720BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-8-0x0000000071B10000-0x00000000720BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-9-0x0000000071B10000-0x00000000720BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-10-0x0000000071B10000-0x00000000720BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads