4f98137a7d8cea117fe163661d28f4a4f8cbdc93187bc21456bc9b9446e18015

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

memenite-master/loadcheat.exe
Size

5.5MB
MD5

9a9ce1911efea388a090b14fcd5b616e
SHA1

48089e1feb420a7a6cf1cd310e2d7fcbb26e181f
SHA256

5f18528d89f0fad6830feb611772d9e918298125504fc913277d6614d2dd75ef
SHA512

26092d2b26dac2e9803908d0f714b685a619da09698796ffe9dca7c58fadc989aada31c1449d3212ed97a763189b3f877aa001784a8546311dfd4eea3b5eaae2
SSDEEP

98304:MgSz8rEHLkDXruhOSgx8lzt/SBMzLiwZKtrCms6DERzpHWcBBR2LDnLYDeiv:MgSzsEYDbIOLYxzLfQX500cBBRaDLYDb

Score

8^/10

evasion vmprotect

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral5/memory/336-57-0x000000013F550000-0x000000013FEE6000-memory.dmp	vmprotect

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1260	sc.exe
1856	sc.exe
1696	sc.exe
328	sc.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
856	taskkill.exe
1552	taskkill.exe
1896	taskkill.exe
1520	taskkill.exe
296	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
336	loadcheat.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1712	336	loadcheat.exe	28
PID 336 wrote to memory of 1712	336	loadcheat.exe	28
PID 336 wrote to memory of 1712	336	loadcheat.exe	28
PID 1712 wrote to memory of 856	1712	cmd.exe	30
PID 1712 wrote to memory of 856	1712	cmd.exe	30
PID 1712 wrote to memory of 856	1712	cmd.exe	30
PID 336 wrote to memory of 752	336	loadcheat.exe	32
PID 336 wrote to memory of 752	336	loadcheat.exe	32
PID 336 wrote to memory of 752	336	loadcheat.exe	32
PID 752 wrote to memory of 1552	752	cmd.exe	34
PID 752 wrote to memory of 1552	752	cmd.exe	34
PID 752 wrote to memory of 1552	752	cmd.exe	34
PID 336 wrote to memory of 1776	336	loadcheat.exe	35
PID 336 wrote to memory of 1776	336	loadcheat.exe	35
PID 336 wrote to memory of 1776	336	loadcheat.exe	35
PID 1776 wrote to memory of 1896	1776	cmd.exe	37
PID 1776 wrote to memory of 1896	1776	cmd.exe	37
PID 1776 wrote to memory of 1896	1776	cmd.exe	37
PID 336 wrote to memory of 848	336	loadcheat.exe	38
PID 336 wrote to memory of 848	336	loadcheat.exe	38
PID 336 wrote to memory of 848	336	loadcheat.exe	38
PID 848 wrote to memory of 1520	848	cmd.exe	40
PID 848 wrote to memory of 1520	848	cmd.exe	40
PID 848 wrote to memory of 1520	848	cmd.exe	40
PID 336 wrote to memory of 1792	336	loadcheat.exe	42
PID 336 wrote to memory of 1792	336	loadcheat.exe	42
PID 336 wrote to memory of 1792	336	loadcheat.exe	42
PID 1792 wrote to memory of 296	1792	cmd.exe	43
PID 1792 wrote to memory of 296	1792	cmd.exe	43
PID 1792 wrote to memory of 296	1792	cmd.exe	43
PID 336 wrote to memory of 1156	336	loadcheat.exe	44
PID 336 wrote to memory of 1156	336	loadcheat.exe	44
PID 336 wrote to memory of 1156	336	loadcheat.exe	44
PID 1156 wrote to memory of 1260	1156	cmd.exe	46
PID 1156 wrote to memory of 1260	1156	cmd.exe	46
PID 1156 wrote to memory of 1260	1156	cmd.exe	46
PID 336 wrote to memory of 1636	336	loadcheat.exe	48
PID 336 wrote to memory of 1636	336	loadcheat.exe	48
PID 336 wrote to memory of 1636	336	loadcheat.exe	48
PID 1636 wrote to memory of 1856	1636	cmd.exe	49
PID 1636 wrote to memory of 1856	1636	cmd.exe	49
PID 1636 wrote to memory of 1856	1636	cmd.exe	49
PID 336 wrote to memory of 428	336	loadcheat.exe	50
PID 336 wrote to memory of 428	336	loadcheat.exe	50
PID 336 wrote to memory of 428	336	loadcheat.exe	50
PID 428 wrote to memory of 1696	428	cmd.exe	52
PID 428 wrote to memory of 1696	428	cmd.exe	52
PID 428 wrote to memory of 1696	428	cmd.exe	52
PID 336 wrote to memory of 1652	336	loadcheat.exe	53
PID 336 wrote to memory of 1652	336	loadcheat.exe	53
PID 336 wrote to memory of 1652	336	loadcheat.exe	53
PID 1652 wrote to memory of 328	1652	cmd.exe	55
PID 1652 wrote to memory of 328	1652	cmd.exe	55
PID 1652 wrote to memory of 328	1652	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\memenite-master\loadcheat.exe
"C:\Users\Admin\AppData\Local\Temp\memenite-master\loadcheat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEDaisy
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-55-0x0000000077140000-0x0000000077142000-memory.dmp

Filesize
8KB

Download
memory/336-54-0x0000000077140000-0x0000000077142000-memory.dmp

Filesize
8KB

Download
memory/336-56-0x0000000077140000-0x0000000077142000-memory.dmp

Filesize
8KB

Download
memory/336-57-0x000000013F550000-0x000000013FEE6000-memory.dmp

Filesize
9.6MB

Download