Analysis

  • max time kernel
    303s
  • max time network
    305s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    16/01/2025, 03:02

General

  • Target: Desktop.rar
  • Size: 1.1MB
  • MD5: be745da42d890da3a7101d151440eac7
  • SHA1: 822680e969b96b3dbb114364bf1b6859fefdb46a
  • SHA256: c7a83f87a794a496f0274ea9809496c5f1f765ac7ea9c7d90bc9b9dbcb99b0d5
  • SHA512: f0c42be0df379c55d91f4497f16c58785682d1075ff18eb8ee77244a91151773997b05e3a1b57b0ed478510c9735d2fbac1ace6494e07fc661de7fb7d1b9b7df
  • SSDEEP: 24576:I33vV6GlG4lqjQT/mVhVMQHSR05mIV/nuMmlb18mbT0RNzUQ:It9+rNHSRmmMuMCb2kkNd

Score
7/10

Malware Config

Signatures

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe (PID:236)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Program Files\7-Zip\7zG.exe (PID:2132)
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11113:120:7zEvent28800
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe (PID:3336)
    "C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe"
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery

Network

Downloads

  • C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe
    Filesize: 15KB
    MD5: a5a51b2c774125314b8c5d0f8d44ebc5
    SHA1: ff5ffabb88fff1b8c3761ffbe05f9e6b62673bbf
    SHA256: 156e5c2a195616afbbdd8b676b35d3d3df97d3fad967a6700ca4e79fa6e1a747
    SHA512: f7794cb36bbe22cbb54eed7dd811e978d64b0e5c5f2e2becf9a841ba01986c13a5aec2ddb988f3e6c1522fae763689e92c592b7cb44c56cdd81c9d60a64dcb03
  • C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).zip
    Filesize: 372KB
    MD5: d4aa41c14abe64b83d8e279e3c9bd6d2
    SHA1: 906a64ae9de3778e0bbf5d332028950adc1496aa
    SHA256: 82c06f2d952865069324c02cdcd247eabcb708e05206026ea423db17945f56a5
    SHA512: e9a5447da0b2dd0b79612762940c3a772cdd5ddd93d806b6a2c713d935690f1bbad4f5f762230b958287535971de952b937a328ca9b4053d805663bac751c5b0
  • C:\Users\Admin\Desktop\disk spoofer.dump_Slayed.exe
    Filesize: 1.6MB
    MD5: bd970b9af58a8446643ac53a257bc328
    SHA1: 55c72ab6d08e0f109655ddd25dbeda361aede1b9
    SHA256: 86c8184edce60828dedf25d3f4c10ac1cbb2ac9f26f63e32f8082fbfec7cd756
    SHA512: aa5f4416278da08b4ff6450f4c97db15d4c14644a7a3d4121544d254340630cd75bfc763cd3c3bcd59cc1fbd23380920f7d0f9b384dd71dbbbfb48af35ad6610
  • C:\Users\Admin\Desktop\dnlib.dll
    Filesize: 1.1MB
    MD5: 4c9210f604923f03b1167dad7a45a0ca
    SHA1: 23560893a0ac7c1c6bee12ae37c4f5de5d711d61
    SHA256: 1ad463b80a08a6698ec3fe3fec1d081ad3250ee6d0bdb3abdbb122be59b836b2
    SHA512: c6634d61cbc849e8c99e6e3d9781f406f6a2fd09e5ce5820999033350252b6bb22da085bea97e703aefddb7508312226827fc5ed2a04733135a47c900e204393
  • memory/3336-15-0x0000000075190000-0x0000000075941000-memory.dmp
    Filesize: 7.7MB
  • memory/3336-14-0x00000000059B0000-0x0000000005A42000-memory.dmp
    Filesize: 584KB
  • memory/3336-13-0x0000000006080000-0x0000000006626000-memory.dmp
    Filesize: 5.6MB
  • memory/3336-16-0x0000000005A60000-0x0000000005A6A000-memory.dmp
    Filesize: 40KB
  • memory/3336-17-0x000000007519E000-0x000000007519F000-memory.dmp
    Filesize: 4KB
  • memory/3336-18-0x0000000075190000-0x0000000075941000-memory.dmp
    Filesize: 7.7MB
  • memory/3336-12-0x0000000000FC0000-0x0000000000FCA000-memory.dmp
    Filesize: 40KB
  • memory/3336-22-0x0000000009A90000-0x0000000009BAA000-memory.dmp
    Filesize: 1.1MB
  • memory/3336-11-0x000000007519E000-0x000000007519F000-memory.dmp
    Filesize: 4KB
  • memory/3336-25-0x0000000075190000-0x0000000075941000-memory.dmp
    Filesize: 7.7MB