Analysis
max time kernel: 94s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/02/2025, 14:19
Behavioral task: behavioral1
Sample: AJProxy.exe
Resource: win7-20241010-en
General
Target: AJProxy.exe
Size: 638KB
MD5: 6dbf1564024546cf0da4bf8f35936265
SHA1: ec7b401b5222590e9116d36fb454108a09c7d6a7
SHA256: af01b25f7db087fe50e3deebf5e55f8cdf9c3588d223471b4f71d9aa82fc92fd
SHA512: 0a4194bbea2b895306a505ca7e27a22fd79589b3c8e6eeae3f747a184f720e87f586d77b5fb88ed24d1447b467f972873150db92f18139d0c5f3d278b304b72d
SSDEEP: 12288:h32/lChV9mf/2QRXDD1yed0fsU4GSWaOvPESGj4s32xEdRCS:h3yChVA2Q9NXw2/wPOjdGxY
Malware Config
Signatures
Growtopia family
Downloads MZ/PE file (1 IoCs)
flow  pid   Process
51    1392  Process not Found
.NET Reactor protector (1 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource: behavioral2/memory/1104-1-0x00000000003A0000-0x0000000000446000-memory.dmp
yara_rule: net_reactor
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
1     icanhazip.com
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MicrosoftEdgeUpdate.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MicrosoftEdgeUpdate.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AJProxy.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
4280  MicrosoftEdgeUpdate.exe
Delays execution with timeout.exe (1 IoCs)
pid   Process
3516  timeout.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   1104  AJProxy.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process      procid_target
PID 1104 wrote to memory of 912   1104  AJProxy.exe  94
PID 1104 wrote to memory of 912   1104  AJProxy.exe  94
PID 1104 wrote to memory of 912   1104  AJProxy.exe  94
PID 912 wrote to memory of 3516   912   cmd.exe      96
PID 912 wrote to memory of 3516   912   cmd.exe      96
PID 912 wrote to memory of 3516   912   cmd.exe      96
Processes (child processes are indented under their parent; each entry lists the image path, then the command line)
C:\Users\Admin\AppData\Local\Temp\AJProxy.exe
"C:\Users\Admin\AppData\Local\Temp\AJProxy.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1104
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c timeout /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\AJProxy.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 912
    C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID: 3516
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
- System Location Discovery: System Language Discovery
PID: 2264
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded update-ping argument, truncated during extraction; omitted]
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID: 4280
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 402KB
MD5: 8307cbd4f25d09ff45205c0391bd5e76
SHA1: fcef1876a82fee4994727693aa53e0390a443422
SHA256: bc7ecf54a3b744099f139866d521aea01705037a635ec22b5f65adb842be59a5
SHA512: 11513d56047dcc6095f3081de81df5ef4d62a5b6accf6e2d68237c329f2fe7cdd248c505086c5696aaa247a7c01ffd78a59a160f8ab95fdf85385ca1f4128ce8