4f98137a7d8cea117fe163661d28f4a4f8cbdc93187bc21456bc9b9446e18015

Analysis

max time kernel
138s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2023, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

memenite-master/loadcheat.exe
Size

5.5MB
MD5

9a9ce1911efea388a090b14fcd5b616e
SHA1

48089e1feb420a7a6cf1cd310e2d7fcbb26e181f
SHA256

5f18528d89f0fad6830feb611772d9e918298125504fc913277d6614d2dd75ef
SHA512

26092d2b26dac2e9803908d0f714b685a619da09698796ffe9dca7c58fadc989aada31c1449d3212ed97a763189b3f877aa001784a8546311dfd4eea3b5eaae2
SSDEEP

98304:MgSz8rEHLkDXruhOSgx8lzt/SBMzLiwZKtrCms6DERzpHWcBBR2LDnLYDeiv:MgSzsEYDbIOLYxzLfQX500cBBRaDLYDb

Score

8^/10

evasion vmprotect

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral6/memory/3940-134-0x00007FF6A7D00000-0x00007FF6A8696000-memory.dmp	vmprotect

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4972	sc.exe
4836	sc.exe
4604	sc.exe
4656	sc.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2656	taskkill.exe
3092	taskkill.exe
3860	taskkill.exe
224	taskkill.exe
1860	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	loadcheat.exe
3940	loadcheat.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4344	3940	loadcheat.exe	82
PID 3940 wrote to memory of 4344	3940	loadcheat.exe	82
PID 4344 wrote to memory of 2656	4344	cmd.exe	84
PID 4344 wrote to memory of 2656	4344	cmd.exe	84
PID 3940 wrote to memory of 1544	3940	loadcheat.exe	85
PID 3940 wrote to memory of 1544	3940	loadcheat.exe	85
PID 1544 wrote to memory of 3092	1544	cmd.exe	87
PID 1544 wrote to memory of 3092	1544	cmd.exe	87
PID 3940 wrote to memory of 4148	3940	loadcheat.exe	88
PID 3940 wrote to memory of 4148	3940	loadcheat.exe	88
PID 4148 wrote to memory of 3860	4148	cmd.exe	90
PID 4148 wrote to memory of 3860	4148	cmd.exe	90
PID 3940 wrote to memory of 3820	3940	loadcheat.exe	91
PID 3940 wrote to memory of 3820	3940	loadcheat.exe	91
PID 3820 wrote to memory of 224	3820	cmd.exe	93
PID 3820 wrote to memory of 224	3820	cmd.exe	93
PID 3940 wrote to memory of 3992	3940	loadcheat.exe	94
PID 3940 wrote to memory of 3992	3940	loadcheat.exe	94
PID 3992 wrote to memory of 1860	3992	cmd.exe	96
PID 3992 wrote to memory of 1860	3992	cmd.exe	96
PID 3940 wrote to memory of 1188	3940	loadcheat.exe	97
PID 3940 wrote to memory of 1188	3940	loadcheat.exe	97
PID 1188 wrote to memory of 4836	1188	cmd.exe	99
PID 1188 wrote to memory of 4836	1188	cmd.exe	99
PID 3940 wrote to memory of 2136	3940	loadcheat.exe	100
PID 3940 wrote to memory of 2136	3940	loadcheat.exe	100
PID 2136 wrote to memory of 4604	2136	cmd.exe	102
PID 2136 wrote to memory of 4604	2136	cmd.exe	102
PID 3940 wrote to memory of 1896	3940	loadcheat.exe	103
PID 3940 wrote to memory of 1896	3940	loadcheat.exe	103
PID 1896 wrote to memory of 4656	1896	cmd.exe	105
PID 1896 wrote to memory of 4656	1896	cmd.exe	105
PID 3940 wrote to memory of 3444	3940	loadcheat.exe	106
PID 3940 wrote to memory of 3444	3940	loadcheat.exe	106
PID 3444 wrote to memory of 4972	3444	cmd.exe	108
PID 3444 wrote to memory of 4972	3444	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\memenite-master\loadcheat.exe
"C:\Users\Admin\AppData\Local\Temp\memenite-master\loadcheat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEDaisy
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\system32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3940-133-0x00007FF81E330000-0x00007FF81E332000-memory.dmp

Filesize
8KB

Download
memory/3940-134-0x00007FF6A7D00000-0x00007FF6A8696000-memory.dmp

Filesize
9.6MB

Download