ac15a0eb8c6a0d3d7e0be6fbe0a04644c062ccb75a94bf8834fd408ddaf28cfd

Analysis

max time kernel
149s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Conker Free V6/Memreduct/memreduct-3.4-setup.exe
Size

309KB
MD5

0f74e88d113f46798dc0f5d69c26da2f
SHA1

ace6920cd953bca45cb798672592ae7089d6d01d
SHA256

a7ba8b9da0a1fdf7a886fe86b2ca55b4afe05d69b2c9c4d33b27d65986d6a033
SHA512

6434786151677e3cfef57b2d7069dc37a4b4d08c8c7eb7e817d7a956517a9d298bc08b38f8342d91234a65979ade1898dfe79ae9cb218332d5496c1517c124ae
SSDEEP

6144:4Ya6eFisfjzl/eP3OD8Jb+Wh1btdxlrgTM5onRIR7YdH3zfbv7cxQ1/C8z:4YgzjJWPe0+ybt+TMGnqR7YFfH+QFpz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3736	memreduct.exe
4564	update-memreduct-kflrsuoaw.exe
4632	memreduct.exe

Loads dropped DLL 3 IoCs

pid	Process
4988	memreduct-3.4-setup.exe
4988	memreduct-3.4-setup.exe
4564	update-memreduct-kflrsuoaw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Mem Reduct\memreduct.exe.sig	memreduct-3.4-setup.exe
File created	C:\Program Files\Mem Reduct\History.txt	memreduct-3.4-setup.exe
File opened for modification	C:\Program Files\Mem Reduct\License.txt	update-memreduct-kflrsuoaw.exe
File opened for modification	C:\Program Files\Mem Reduct\Readme.txt	update-memreduct-kflrsuoaw.exe
File opened for modification	C:\Program Files\Mem Reduct\memreduct.lng	update-memreduct-kflrsuoaw.exe
File created	C:\Program Files\Mem Reduct\License.txt	memreduct-3.4-setup.exe
File created	C:\Program Files\Mem Reduct\Readme.txt	memreduct-3.4-setup.exe
File created	C:\Program Files\Mem Reduct\uninstall.exe	memreduct-3.4-setup.exe
File created	C:\Program Files\Mem Reduct\memreduct.lng	memreduct-3.4-setup.exe
File opened for modification	C:\Program Files\Mem Reduct\memreduct.exe	update-memreduct-kflrsuoaw.exe
File opened for modification	C:\Program Files\Mem Reduct\memreduct.exe.sig	update-memreduct-kflrsuoaw.exe
File opened for modification	C:\Program Files\Mem Reduct\History.txt	update-memreduct-kflrsuoaw.exe
File opened for modification	C:\Program Files\Mem Reduct\uninstall.exe	update-memreduct-kflrsuoaw.exe
File created	C:\Program Files\Mem Reduct\memreduct.exe	memreduct-3.4-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update-memreduct-kflrsuoaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	memreduct-3.4-setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3736	memreduct.exe
Token: SeProfSingleProcessPrivilege	3736	memreduct.exe
Token: SeProfSingleProcessPrivilege	4632	memreduct.exe
Token: SeIncreaseQuotaPrivilege	4632	memreduct.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
3736	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe
4632	memreduct.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3736	4988	memreduct-3.4-setup.exe	78
PID 4988 wrote to memory of 3736	4988	memreduct-3.4-setup.exe	78
PID 3736 wrote to memory of 4564	3736	memreduct.exe	80
PID 3736 wrote to memory of 4564	3736	memreduct.exe	80
PID 3736 wrote to memory of 4564	3736	memreduct.exe	80
PID 4564 wrote to memory of 4632	4564	update-memreduct-kflrsuoaw.exe	81
PID 4564 wrote to memory of 4632	4564	update-memreduct-kflrsuoaw.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Conker Free V6\Memreduct\memreduct-3.4-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Conker Free V6\Memreduct\memreduct-3.4-setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Mem Reduct\memreduct.exe
  "C:\Program Files\Mem Reduct\memreduct.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-kflrsuoaw.exe
    "C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-kflrsuoaw.exe" "C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-kflrsuoaw.exe" /u /S /D=C:\Program Files\Mem Reduct
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Program Files\Mem Reduct\memreduct.exe
      "C:\Program Files\Mem Reduct\memreduct.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mem Reduct\Readme.txt

Filesize
787B

MD5
ea6e2848504de914b00d9c5c60b14733

SHA1
d4c13760d573c6b85956f3f9a1af0ed2f20f5ce6

SHA256
43f886bc0bf6f98d366bb02d49ba9ff763b4df591df9b32106d68b9b3d59cd08

SHA512
946bab9948d184fba685b8ca83bb5363d096917c766cfeae214c9a4e45554bbf1a3ca0c288deb3a9978ebc188fc075ce6db294cbc22a5007d05165a46789b35d

Download Submit
C:\Program Files\Mem Reduct\memreduct.exe

Filesize
290KB

MD5
bfbe78d329b87dd1d5ae51707fdf928b

SHA1
015c758391b620dee72625ed59b522c06f6457d7

SHA256
31689824dd984bd9c0f07c20f05bc253f6d107581aec4609044fddcdd50f655d

SHA512
e950551d53e50a0296a60730c0cc2ee029ef9026159e159bee9bb29a0f19756f5167f77c4024854fd58bede7ff8051ac4a2f5acf55443ed29c381e909fd04e5a

Download Submit
C:\Program Files\Mem Reduct\memreduct.exe

Filesize
380KB

MD5
17718ec34143a262e29c6765c7c1e9b3

SHA1
65c2058ba84fb811b0f169a84c8937acd8b3f03d

SHA256
8e7a54b08939981818c04b22f6755a6cd038438f77cc1541b8b449afeb472f95

SHA512
061f6591bad1f5abf0d0bd23b00b0181e6f67361fbc4a485af7c29dce80e9fe72b5be9cd0622111df23a39b99c5ebf591c945b7651f74f95bc6b3d4a38e8584a

Download Submit
C:\Program Files\Mem Reduct\memreduct.exe.sig

Filesize
566B

MD5
28367cf1336062097ef0f7d605fd492f

SHA1
efdc6038115678ffc3ed991600a2df5f4c74c2f4

SHA256
394924af815c270666172c8b6dee882ee70ee551933d477558b262c57326c27f

SHA512
503b75589551fda2dea7cd62f6b438a5aff40299fdd2b9b229861094fb11343beb16b351b467404c27aa97c0534de797f4f2f8ccd1266bf67ce20884c34cb498

Download Submit
C:\Program Files\Mem Reduct\memreduct.lng

Filesize
95KB

MD5
fd343886fff92efb78d9c037030940c2

SHA1
3569587a9540d5e90e0adbf49548d0510bc5a2ea

SHA256
d8e4df8cf32ac59b5cf17187725b06a87783306cd09f56551b07dbac28996241

SHA512
2ac3a75d21748d52bd1602da6ee0dd914f76fcb274855e8fa91231bf184e531b2fa60a18c192b38c5f22888a7ef3b6239ba3ef31018524b916b94f408ef214db

Download Submit
C:\Program Files\Mem Reduct\memreduct.lng

Filesize
114KB

MD5
e821e852e3fe8d8687cfbec26ab73de8

SHA1
b091fd9854436c8d765a28245fb321388dff7968

SHA256
d983a2f8bd38fdcf470806230675ff91a1f8d0be9790129b3b6cb61e81409b4e

SHA512
e65db0b3386740cde3623b36ce7a85190791925879338997ebaed344a82519ed503763b4a302004abae2b32608b943f2c2a76ee09d3f611080fc86bad439647d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7099.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6822.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6822.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-kflrsuoaw.exe

Filesize
370KB

MD5
a5dc96f2502aa056c6b995fb41d86ce9

SHA1
ea91f150a3a4b20608e7b34531c4c8c2270b3642

SHA256
4bbcf0c047c91784dc3016349b8dc8d2472b1df6ce282994376cd729c1d17bb5

SHA512
2397c9657fa795f8fb9655b3b1af012ec90176ffb1d45b7a7acd12e61d937cd749f8a37ac0e57222128a2506a8945f8faf14bf3503a844461fe7b8ddd6985c05

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\memreduct.ini

Filesize
42B

MD5
9958f8d573689b887cfa337fc79c6a9e

SHA1
e40c2c6797582c69d9328df7884b361fa3da54f0

SHA256
795f943fd19a0c29dde99c1f9974bd2bded03265462b5762182eebb542f6291e

SHA512
187bdc1dbb86bfd8057a9156566a38556294104d6945b8ef39762d3988af028aea056e27f0e2fbbeae1dae84874903791ad4b65e099aa0bf8c06c8492e6a9d96

Download Submit