Analysis Overview
SHA256
c7a83f87a794a496f0274ea9809496c5f1f765ac7ea9c7d90bc9b9dbcb99b0d5
Threat Level: Shows suspicious behavior
The file Desktop.rar was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
.NET Reactor protector
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-16 03:02
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-16 03:02
Reported
2025-01-16 03:08
Platform
win10ltsc2021-20250113-en
Max time kernel
303s
Max time network
305s
Command Line
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11113:120:7zEvent28800
C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe
"C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).zip
| Hash | Value |
| --- | --- |
| MD5 | d4aa41c14abe64b83d8e279e3c9bd6d2 |
| SHA1 | 906a64ae9de3778e0bbf5d332028950adc1496aa |
| SHA256 | 82c06f2d952865069324c02cdcd247eabcb708e05206026ea423db17945f56a5 |
| SHA512 | e9a5447da0b2dd0b79612762940c3a772cdd5ddd93d806b6a2c713d935690f1bbad4f5f762230b958287535971de952b937a328ca9b4053d805663bac751c5b0 |
C:\Users\Admin\Desktop\Babel Deobfuscator(XenocodeRCE).exe
| Hash | Value |
| --- | --- |
| MD5 | a5a51b2c774125314b8c5d0f8d44ebc5 |
| SHA1 | ff5ffabb88fff1b8c3761ffbe05f9e6b62673bbf |
| SHA256 | 156e5c2a195616afbbdd8b676b35d3d3df97d3fad967a6700ca4e79fa6e1a747 |
| SHA512 | f7794cb36bbe22cbb54eed7dd811e978d64b0e5c5f2e2becf9a841ba01986c13a5aec2ddb988f3e6c1522fae763689e92c592b7cb44c56cdd81c9d60a64dcb03 |
memory/3336-11-0x000000007519E000-0x000000007519F000-memory.dmp
memory/3336-12-0x0000000000FC0000-0x0000000000FCA000-memory.dmp
memory/3336-13-0x0000000006080000-0x0000000006626000-memory.dmp
memory/3336-14-0x00000000059B0000-0x0000000005A42000-memory.dmp
memory/3336-15-0x0000000075190000-0x0000000075941000-memory.dmp
memory/3336-16-0x0000000005A60000-0x0000000005A6A000-memory.dmp
memory/3336-17-0x000000007519E000-0x000000007519F000-memory.dmp
memory/3336-18-0x0000000075190000-0x0000000075941000-memory.dmp
C:\Users\Admin\Desktop\dnlib.dll
| Hash | Value |
| --- | --- |
| MD5 | 4c9210f604923f03b1167dad7a45a0ca |
| SHA1 | 23560893a0ac7c1c6bee12ae37c4f5de5d711d61 |
| SHA256 | 1ad463b80a08a6698ec3fe3fec1d081ad3250ee6d0bdb3abdbb122be59b836b2 |
| SHA512 | c6634d61cbc849e8c99e6e3d9781f406f6a2fd09e5ce5820999033350252b6bb22da085bea97e703aefddb7508312226827fc5ed2a04733135a47c900e204393 |
memory/3336-22-0x0000000009A90000-0x0000000009BAA000-memory.dmp
C:\Users\Admin\Desktop\disk spoofer.dump_Slayed.exe
| Hash | Value |
| --- | --- |
| MD5 | bd970b9af58a8446643ac53a257bc328 |
| SHA1 | 55c72ab6d08e0f109655ddd25dbeda361aede1b9 |
| SHA256 | 86c8184edce60828dedf25d3f4c10ac1cbb2ac9f26f63e32f8082fbfec7cd756 |
| SHA512 | aa5f4416278da08b4ff6450f4c97db15d4c14644a7a3d4121544d254340630cd75bfc763cd3c3bcd59cc1fbd23380920f7d0f9b384dd71dbbbfb48af35ad6610 |
memory/3336-25-0x0000000075190000-0x0000000075941000-memory.dmp