Analysis
max time kernel: 303s
max time network: 305s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 16/01/2025, 03:02
General
Target: Desktop.rar
Size: 1.1MB
MD5: be745da42d890da3a7101d151440eac7
SHA1: 822680e969b96b3dbb114364bf1b6859fefdb46a
SHA256: c7a83f87a794a496f0274ea9809496c5f1f765ac7ea9c7d90bc9b9dbcb99b0d5
SHA512: f0c42be0df379c55d91f4497f16c58785682d1075ff18eb8ee77244a91151773997b05e3a1b57b0ed478510c9735d2fbac1ace6494e07fc661de7fb7d1b9b7df
SSDEEP: 24576:I33vV6GlG4lqjQT/mVhVMQHSR05mIV/nuMmlb18mbT0RNzUQ:It9+rNHSRmmMuMCb2kkNd
Malware Config
Signatures
-
.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource                                     yara_rule
behavioral1/files/0x002600000004625e-23.dat  net_reactor
Executes dropped EXE (1 IoC)
pid   Process
3336  Babel Deobfuscator(XenocodeRCE).exe
Loads dropped DLL (2 IoCs)
pid   Process
3336  Babel Deobfuscator(XenocodeRCE).exe
3336  Babel Deobfuscator(XenocodeRCE).exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource                                     yara_rule
behavioral1/files/0x002600000004625e-23.dat  agile_net
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Babel Deobfuscator(XenocodeRCE).exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   236   7zFM.exe
Token: 35                   236   7zFM.exe
Token: SeSecurityPrivilege  236   7zFM.exe
Token: SeRestorePrivilege   2132  7zG.exe
Token: 35                   2132  7zG.exe
Token: SeSecurityPrivilege  2132  7zG.exe
Token: SeSecurityPrivilege  2132  7zG.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
236   7zFM.exe
236   7zFM.exe
2132  7zG.exe
Processes
C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"
  PID: 236
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11113:120:7zEvent28800
  PID: 2132
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe
  Command line: "C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe"
  PID: 3336
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
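The signature hits above are what a sandbox derives from the raw event stream: an archive tool extracts into a directory, an executable later starts from that directory, and that executable opens the NLS\Language key. The script below, added here as an example and not part of the sandbox report, replays that logic over constructed event records modelled on this report's process tree and registry IoC. The event dict schema, the archive-tool allow-list and the decision to treat 7zFM.exe/7zG.exe privilege adjustments as baseline noise are assumptions made for the example.

```python
"""Detection logic over sandbox-style events modelled on the report above.

Added example, not part of the sandbox report. The event records are
constructed to mirror the report's process tree and registry IoC; the dict
schema and the archive-tool allow-list are assumptions.
"""
import ntpath
import re

# Archive managers whose privilege-token adjustments are treated as baseline
# noise here (assumption: they enable SeRestore/SeSecurity to restore ACLs).
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe"}

# The registry key the report lists under System Language Discovery (T1614.001).
LANGUAGE_KEY = re.compile(r"\\NLS\\Language$", re.IGNORECASE)

# 7-Zip's output-directory switch as it appears in the 7zG.exe command line.
EXTRACT_DIR = re.compile(r'-o"([^"]+)"')

# Constructed events mirroring the report (schema is an assumption).
EVENTS = [
    {"type": "process", "pid": 236, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"'},
    {"type": "token", "pid": 236, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "privilege": "SeRestorePrivilege"},
    {"type": "process", "pid": 2132, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11113:120:7zEvent28800'},
    {"type": "token", "pid": 2132, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "privilege": "SeSecurityPrivilege"},
    {"type": "process", "pid": 3336,
     "image": r"C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe",
     "cmdline": r'"C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe"'},
    {"type": "registry", "pid": 3336,
     "image": r"C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def _norm_dir(path):
    """Case-fold a Windows directory and drop any trailing backslash."""
    return ntpath.normcase(path.rstrip("\\"))


def _under(image_dir, extract_dirs):
    """True if image_dir is one of, or nested below, the extraction dirs."""
    return any(image_dir == d or image_dir.startswith(d + "\\") for d in extract_dirs)


def analyse(events):
    """Replay events in order and return signature hits in the report's terms."""
    extract_dirs = []   # directories an archive tool has extracted into so far
    dropped = {}        # pid -> image of executables started from those dirs
    findings = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if ev["type"] == "process":
            if name in ARCHIVE_TOOLS:
                m = EXTRACT_DIR.search(ev["cmdline"])
                if m:
                    extract_dirs.append(_norm_dir(m.group(1)))
                continue
            if _under(_norm_dir(ntpath.dirname(ev["image"])), extract_dirs):
                dropped[ev["pid"]] = ev["image"]
                findings.append({"pid": ev["pid"], "signature": "Executes dropped EXE",
                                 "detail": ev["image"]})
        elif ev["type"] == "registry" and LANGUAGE_KEY.search(ev["key"]):
            findings.append({"pid": ev["pid"],
                             "signature": "System Location Discovery: System Language Discovery",
                             "technique": "T1614.001", "detail": ev["key"],
                             "from_dropped_exe": ev["pid"] in dropped})
        elif ev["type"] == "token" and name not in ARCHIVE_TOOLS:
            findings.append({"pid": ev["pid"],
                             "signature": "Suspicious use of AdjustPrivilegeToken",
                             "detail": ev["privilege"]})
    return findings


if __name__ == "__main__":
    for hit in analyse(EVENTS):
        print(hit)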
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: a5a51b2c774125314b8c5d0f8d44ebc5
SHA1: ff5ffabb88fff1b8c3761ffbe05f9e6b62673bbf
SHA256: 156e5c2a195616afbbdd8b676b35d3d3df97d3fad967a6700ca4e79fa6e1a747
SHA512: f7794cb36bbe22cbb54eed7dd811e978d64b0e5c5f2e2becf9a841ba01986c13a5aec2ddb988f3e6c1522fae763689e92c592b7cb44c56cdd81c9d60a64dcb03

Filesize: 372KB
MD5: d4aa41c14abe64b83d8e279e3c9bd6d2
SHA1: 906a64ae9de3778e0bbf5d332028950adc1496aa
SHA256: 82c06f2d952865069324c02cdcd247eabcb708e05206026ea423db17945f56a5
SHA512: e9a5447da0b2dd0b79612762940c3a772cdd5ddd93d806b6a2c713d935690f1bbad4f5f762230b958287535971de952b937a328ca9b4053d805663bac751c5b0

Filesize: 1.6MB
MD5: bd970b9af58a8446643ac53a257bc328
SHA1: 55c72ab6d08e0f109655ddd25dbeda361aede1b9
SHA256: 86c8184edce60828dedf25d3f4c10ac1cbb2ac9f26f63e32f8082fbfec7cd756
SHA512: aa5f4416278da08b4ff6450f4c97db15d4c14644a7a3d4121544d254340630cd75bfc763cd3c3bcd59cc1fbd23380920f7d0f9b384dd71dbbbfb48af35ad6610

Filesize: 1.1MB
MD5: 4c9210f604923f03b1167dad7a45a0ca
SHA1: 23560893a0ac7c1c6bee12ae37c4f5de5d711d61
SHA256: 1ad463b80a08a6698ec3fe3fec1d081ad3250ee6d0bdb3abdbb122be59b836b2
SHA512: c6634d61cbc849e8c99e6e3d9781f406f6a2fd09e5ce5820999033350252b6bb22da085bea97e703aefddb7508312226827fc5ed2a04733135a47c900e204393