ac15a0eb8c6a0d3d7e0be6fbe0a04644c062ccb75a94bf8834fd408ddaf28cfd

Analysis

max time kernel
149s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

memreduct.exe
Size

290KB
MD5

bfbe78d329b87dd1d5ae51707fdf928b
SHA1

015c758391b620dee72625ed59b522c06f6457d7
SHA256

31689824dd984bd9c0f07c20f05bc253f6d107581aec4609044fddcdd50f655d
SHA512

e950551d53e50a0296a60730c0cc2ee029ef9026159e159bee9bb29a0f19756f5167f77c4024854fd58bede7ff8051ac4a2f5acf55443ed29c381e909fd04e5a
SSDEEP

3072:KV+VDeAxsOc8WdE7KEgD3fN/FZgTMJNa22IR9Lp3FhMd08Xevd0pG46tBHa/FgFj:WQitu7K3rfnh2IRNxfTv69

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3000	update-memreduct-udrynyasy.exe
2132	memreduct.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	update-memreduct-udrynyasy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update-memreduct-udrynyasy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4924	memreduct.exe
Token: SeProfSingleProcessPrivilege	4924	memreduct.exe
Token: SeProfSingleProcessPrivilege	2132	memreduct.exe
Token: SeIncreaseQuotaPrivilege	2132	memreduct.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
4924	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe
2132	memreduct.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 3000	4924	memreduct.exe	79
PID 4924 wrote to memory of 3000	4924	memreduct.exe	79
PID 4924 wrote to memory of 3000	4924	memreduct.exe	79
PID 3000 wrote to memory of 2132	3000	update-memreduct-udrynyasy.exe	80
PID 3000 wrote to memory of 2132	3000	update-memreduct-udrynyasy.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\memreduct.exe
"C:\Users\Admin\AppData\Local\Temp\memreduct.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-udrynyasy.exe
  "C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-udrynyasy.exe" "C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-udrynyasy.exe" /u /S /D=C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\memreduct.exe
    "C:\Users\Admin\AppData\Local\Temp\memreduct.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\memreduct.exe

Filesize
380KB

MD5
17718ec34143a262e29c6765c7c1e9b3

SHA1
65c2058ba84fb811b0f169a84c8937acd8b3f03d

SHA256
8e7a54b08939981818c04b22f6755a6cd038438f77cc1541b8b449afeb472f95

SHA512
061f6591bad1f5abf0d0bd23b00b0181e6f67361fbc4a485af7c29dce80e9fe72b5be9cd0622111df23a39b99c5ebf591c945b7651f74f95bc6b3d4a38e8584a

Download Submit
C:\Users\Admin\AppData\Local\Temp\memreduct.lng

Filesize
114KB

MD5
e821e852e3fe8d8687cfbec26ab73de8

SHA1
b091fd9854436c8d765a28245fb321388dff7968

SHA256
d983a2f8bd38fdcf470806230675ff91a1f8d0be9790129b3b6cb61e81409b4e

SHA512
e65db0b3386740cde3623b36ce7a85190791925879338997ebaed344a82519ed503763b4a302004abae2b32608b943f2c2a76ee09d3f611080fc86bad439647d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB095.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\cache\update-memreduct-udrynyasy.exe

Filesize
370KB

MD5
a5dc96f2502aa056c6b995fb41d86ce9

SHA1
ea91f150a3a4b20608e7b34531c4c8c2270b3642

SHA256
4bbcf0c047c91784dc3016349b8dc8d2472b1df6ce282994376cd729c1d17bb5

SHA512
2397c9657fa795f8fb9655b3b1af012ec90176ffb1d45b7a7acd12e61d937cd749f8a37ac0e57222128a2506a8945f8faf14bf3503a844461fe7b8ddd6985c05

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\Mem Reduct\memreduct.ini

Filesize
42B

MD5
61eb9fa5fe71c6ebe0e5c5c7d373f196

SHA1
f3abb8ee38313ecf846d281707f5c68d4adc5524

SHA256
1c3055379a4f3e3b856a72f89e894348f4c7b33c430bb1f8537fc55b34d4dd1c

SHA512
028860cf1b6c7b507f77ddb933127e497c94e92cfa204ab43544628514afab1b0ff858c3c2a9b28775d5d09ff100ca1ed56d21ef19ca36389e03b11659d860b2

Download Submit
memory/3000-15-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3000-16-0x0000000074E25000-0x0000000074E26000-memory.dmp

Filesize
4KB

Download