e1dcc9c259c78a051ead4ae56f9eabdb829bb7c832fe81af6f65f6b465b7f026

General

Target

SkyFlick2.1_WIN11/SkyFlick2.exe
Size

5.4MB
MD5

86a3d3a67b29fe9dd04f3cc865056245
SHA1

210c988487baacbc41dd8590b77688d8a03b81f1
SHA256

646dc44a15f576f31d4f357f2538bf5aec7bd92ed373b8a217daeee7a22e81c0
SHA512

d33dfb990b61ce9930469260cd643ef643ca79c66bfbb41e4e8b4f4e684f8abfac8936ce84667d6154b0c62de2cbbbc7fc4c4d6058a635d07366939207a131cc
SSDEEP

98304:uMaC/In9pCoFypqViZfw+1AFb8qTgDRr19pF2rKELuSLw3aOTy:naUIn9/Fyy+yoqgjRVELuwwqiy

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bin.1bin.1bin.1bin.1bin.1bin.1

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysDrv3S\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SkyFlick2.1_WIN11\\SysDrv3S.sys"	bin.1
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CEDRIVER73\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SkyFlick2.1_WIN11\\CEDRIVER73.sys"	bin.1
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CEDRIVER73\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SkyFlick2.1_WIN11\\CEDRIVER73.sys"	bin.1
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysDrv3S\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SkyFlick2.1_WIN11\\SysDrv3S.sys"	bin.1
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CEDRIVER73\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SkyFlick2.1_WIN11\\CEDRIVER73.sys"	bin.1
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CEDRIVER73\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SkyFlick2.1_WIN11\\CEDRIVER73.sys"	bin.1

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral3/memory/3980-148-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp	vmprotect
behavioral3/memory/844-161-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp	vmprotect
behavioral3/memory/4188-174-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp	vmprotect
behavioral3/memory/5052-191-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp	vmprotect
behavioral3/memory/2024-204-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

SkyFlick2.exebin.1bin.1bin.1bin.1bin.1bin.1

pid process

316 SkyFlick2.exe
3980 bin.1
844 bin.1
4188 bin.1
5052 bin.1
2024 bin.1
4424 bin.1

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

SkyFlick2.exebin.1bin.1bin.1bin.1bin.1bin.1

pid	process
316	SkyFlick2.exe
316	SkyFlick2.exe
3980	bin.1
3980	bin.1
3980	bin.1
3980	bin.1
844	bin.1
844	bin.1
844	bin.1
844	bin.1
4188	bin.1
4188	bin.1
4188	bin.1
4188	bin.1
5052	bin.1
5052	bin.1
5052	bin.1
5052	bin.1
2024	bin.1
2024	bin.1
2024	bin.1
2024	bin.1
4424	bin.1
4424	bin.1
4424	bin.1
4424	bin.1

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

bin.1bin.1bin.1bin.1bin.1bin.1

pid process

3980 bin.1
844 bin.1
648
4188 bin.1
5052 bin.1
2024 bin.1
4424 bin.1

pid	process
3980	bin.1
844	bin.1
648
4188	bin.1
5052	bin.1
2024	bin.1
4424	bin.1

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exebin.1bin.1bin.1WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3980	bin.1
Token: SeDebugPrivilege	3980	bin.1
Token: SeLoadDriverPrivilege	3980	bin.1
Token: SeSystemEnvironmentPrivilege	844	bin.1
Token: SeDebugPrivilege	844	bin.1
Token: SeLoadDriverPrivilege	844	bin.1
Token: SeSystemEnvironmentPrivilege	4188	bin.1
Token: SeDebugPrivilege	4188	bin.1
Token: SeLoadDriverPrivilege	4188	bin.1
Token: SeIncreaseQuotaPrivilege	5024	WMIC.exe
Token: SeSecurityPrivilege	5024	WMIC.exe
Token: SeTakeOwnershipPrivilege	5024	WMIC.exe
Token: SeLoadDriverPrivilege	5024	WMIC.exe
Token: SeSystemProfilePrivilege	5024	WMIC.exe
Token: SeSystemtimePrivilege	5024	WMIC.exe
Token: SeProfSingleProcessPrivilege	5024	WMIC.exe
Token: SeIncBasePriorityPrivilege	5024	WMIC.exe
Token: SeCreatePagefilePrivilege	5024	WMIC.exe
Token: SeBackupPrivilege	5024	WMIC.exe
Token: SeRestorePrivilege	5024	WMIC.exe
Token: SeShutdownPrivilege	5024	WMIC.exe
Token: SeDebugPrivilege	5024	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SkyFlick2.execmd.execmd.exe

description	pid	process	target process
PID 316 wrote to memory of 4992	316	SkyFlick2.exe	cmd.exe
PID 316 wrote to memory of 4992	316	SkyFlick2.exe	cmd.exe
PID 4992 wrote to memory of 4356	4992	cmd.exe	WMIC.exe
PID 4992 wrote to memory of 4356	4992	cmd.exe	WMIC.exe
PID 316 wrote to memory of 3980	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 3980	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 844	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 844	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 4188	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 4188	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 4800	316	SkyFlick2.exe	cmd.exe
PID 316 wrote to memory of 4800	316	SkyFlick2.exe	cmd.exe
PID 316 wrote to memory of 1828	316	SkyFlick2.exe	cmd.exe
PID 316 wrote to memory of 1828	316	SkyFlick2.exe	cmd.exe
PID 1828 wrote to memory of 5024	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 5024	1828	cmd.exe	WMIC.exe
PID 316 wrote to memory of 5052	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 5052	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 2024	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 2024	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 4424	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 4424	316	SkyFlick2.exe	bin.1
PID 316 wrote to memory of 3720	316	SkyFlick2.exe	cmd.exe
PID 316 wrote to memory of 3720	316	SkyFlick2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\SkyFlick2.exe
"C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\SkyFlick2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic csproduct get UUID 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get UUID
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\data\bin.1
kdu -prv 24 -dse 0
2⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\data\bin.1
kdu -prv 21 -dse 0
2⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\data\bin.1
kdu -prv 21 -dse 6
2⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic csproduct get UUID 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get UUID
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\data\bin.1
kdu -prv 24 -dse 0
2⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:5052

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\data\bin.1
kdu -prv 21 -dse 0
2⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:2024

C:\Users\Admin\AppData\Local\Temp\SkyFlick2.1_WIN11\data\bin.1
kdu -prv 21 -dse 6
2⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-134-0x00007FF9EA020000-0x00007FF9EA022000-memory.dmp

Filesize
8KB

Download
memory/316-135-0x00007FF689B60000-0x00007FF68A474000-memory.dmp

Filesize
9.1MB

Download
memory/316-133-0x00007FF9EA010000-0x00007FF9EA012000-memory.dmp

Filesize
8KB

Download
memory/844-161-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp

Filesize
10.5MB

Download
memory/2024-204-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp

Filesize
10.5MB

Download
memory/3980-141-0x00007FF9EA020000-0x00007FF9EA022000-memory.dmp

Filesize
8KB

Download
memory/3980-143-0x00007FF9E8A20000-0x00007FF9E8A22000-memory.dmp

Filesize
8KB

Download
memory/3980-144-0x00007FF9E7E60000-0x00007FF9E7E62000-memory.dmp

Filesize
8KB

Download
memory/3980-145-0x00007FF9E7E70000-0x00007FF9E7E72000-memory.dmp

Filesize
8KB

Download
memory/3980-146-0x00007FF9EA030000-0x00007FF9EA032000-memory.dmp

Filesize
8KB

Download
memory/3980-147-0x00007FF9EA040000-0x00007FF9EA042000-memory.dmp

Filesize
8KB

Download
memory/3980-148-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp

Filesize
10.5MB

Download
memory/3980-142-0x00007FF9E8A10000-0x00007FF9E8A12000-memory.dmp

Filesize
8KB

Download
memory/3980-140-0x00007FF9EA010000-0x00007FF9EA012000-memory.dmp

Filesize
8KB

Download
memory/4188-174-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp

Filesize
10.5MB

Download
memory/5052-191-0x00007FF60C4C0000-0x00007FF60CF34000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads