e72b0bdfcde42b79c8b9266fc25c37d62a2c536d33c32eb6dcb4e2a17961f2ff

Analysis

max time kernel
3s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 04:32

Target

newdcnyash/data/dotNET_Reactor.Console.exe
Size

34KB
MD5

69d18a3245f3c2fd02c82304c494e977
SHA1

049cda6bc59daeadfe82fce2197e0e15c2847a7b
SHA256

b55b0a652538836ed681c2afd985310fd39ad2f31ac159847fc46a6065f3232e
SHA512

5791cffbc2389eaaf18e4f31c320325d4bdfadf7ab00c847bfedccbea8fec26a3f4452877d00c95e0573e90306d7a2c988c00fcb7d495ac22955c7f64fb047c3
SSDEEP

768:5oOABBREOgrMTPrZwbiRPp7yMkZwuzZyiRYn7:5oHB2OlfZwbixp7yMkZwWZyien7

Score

7^/10

.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

behavioral13/memory/2124-4-0x0000000000AE0000-0x0000000001D8A000-memory.dmp net_reactor
behavioral13/memory/2124-10-0x0000000000AE0000-0x0000000001D8A000-memory.dmp net_reactor
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dotNET_Reactor.exe

pid process

2124 dotNET_Reactor.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dotNET_Reactor.exe

pid process

2124 dotNET_Reactor.exe

resource	yara_rule
behavioral13/memory/2124-4-0x0000000000AE0000-0x0000000001D8A000-memory.dmp	net_reactor
behavioral13/memory/2124-10-0x0000000000AE0000-0x0000000001D8A000-memory.dmp	net_reactor

pid	process
2124	dotNET_Reactor.exe

pid	process
2124	dotNET_Reactor.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dotNET_Reactor.Console.exe

description	pid	process	target process
PID 1996 wrote to memory of 2124	1996	dotNET_Reactor.Console.exe	dotNET_Reactor.exe
PID 1996 wrote to memory of 2124	1996	dotNET_Reactor.Console.exe	dotNET_Reactor.exe
PID 1996 wrote to memory of 2124	1996	dotNET_Reactor.Console.exe	dotNET_Reactor.exe

C:\Users\Admin\AppData\Local\Temp\newdcnyash\data\dotNET_Reactor.Console.exe
"C:\Users\Admin\AppData\Local\Temp\newdcnyash\data\dotNET_Reactor.Console.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

memory/1996-0-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/1996-1-0x00007FFDC2A93000-0x00007FFDC2A95000-memory.dmp

Filesize
8KB

Download
memory/2124-2-0x0000000000AE0000-0x0000000001D8A000-memory.dmp

Filesize
18.7MB

Download
memory/2124-3-0x0000000073D8E000-0x0000000073D8F000-memory.dmp

Filesize
4KB

Download
memory/2124-4-0x0000000000AE0000-0x0000000001D8A000-memory.dmp

Filesize
18.7MB

Download
memory/2124-5-0x0000000006C60000-0x0000000007206000-memory.dmp

Filesize
5.6MB

Download
memory/2124-6-0x0000000073D80000-0x0000000074531000-memory.dmp

Filesize
7.7MB

Download
memory/2124-7-0x0000000006900000-0x0000000006966000-memory.dmp

Filesize
408KB

Download
memory/2124-8-0x0000000007730000-0x00000000077C2000-memory.dmp

Filesize
584KB

Download
memory/2124-10-0x0000000000AE0000-0x0000000001D8A000-memory.dmp

Filesize
18.7MB

Download
memory/2124-11-0x0000000073D80000-0x0000000074531000-memory.dmp

Filesize
7.7MB

Download