03ee5437a1dad818f417db18dd50e16bc08c890b442874d841cd1a6a643c4010

Resubmissions

13/01/2024, 14:02

240113-rb4c7abfh9 7

13/01/2024, 13:36

240113-qv9hwabfg8 7

Analysis

max time kernel
133s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
13/01/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

5.0MB
MD5

e9a24c7a42f9b296cc1e31dc3ea73b2b
SHA1

06e9607fb973400f0f110854ce90382965cd43d9
SHA256

03ee5437a1dad818f417db18dd50e16bc08c890b442874d841cd1a6a643c4010
SHA512

48af794e0042ce3cea37ff11e3f9b74d0a8e463018fc827d7ef459cc58252a5f436632c19b5d4674a6b54f02543005a294ef94f86d46d1ecff574ba6fab0464b
SSDEEP

98304:XrdCegVSGMzByLXMfivQayGnOht5RTc7kjRX1LNNDw7:waGMlyLXvvQdmmt5RTcGzLNe7

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	46OPZS4XG3.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/916-0-0x00007FF68D590000-0x00007FF68DFB0000-memory.dmp	vmprotect
behavioral1/files/0x000f00000000e63c-6.dat	vmprotect
behavioral1/files/0x000f00000000e63c-7.dat	vmprotect
behavioral1/memory/1344-8-0x00007FF6C46B0000-0x00007FF6C50C9000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 4956	1344	46OPZS4XG3.exe	118

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1120	ipconfig.exe
4912	ipconfig.exe
2772	ipconfig.exe
2296	ipconfig.exe
1596	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4136	taskkill.exe
104	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
784	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	104	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4956	find.exe
Token: SeShutdownPrivilege	1984	shutdown.exe
Token: SeRemoteShutdownPrivilege	1984	shutdown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
916	Loader.exe
1344	46OPZS4XG3.exe
3820	PickerHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3968	916	Loader.exe	82
PID 916 wrote to memory of 3968	916	Loader.exe	82
PID 3968 wrote to memory of 4288	3968	cmd.exe	83
PID 3968 wrote to memory of 4288	3968	cmd.exe	83
PID 4288 wrote to memory of 4760	4288	net.exe	84
PID 4288 wrote to memory of 4760	4288	net.exe	84
PID 916 wrote to memory of 3652	916	Loader.exe	85
PID 916 wrote to memory of 3652	916	Loader.exe	85
PID 3652 wrote to memory of 400	3652	cmd.exe	86
PID 3652 wrote to memory of 400	3652	cmd.exe	86
PID 916 wrote to memory of 3976	916	Loader.exe	87
PID 916 wrote to memory of 3976	916	Loader.exe	87
PID 3976 wrote to memory of 104	3976	cmd.exe	88
PID 3976 wrote to memory of 104	3976	cmd.exe	88
PID 916 wrote to memory of 2756	916	Loader.exe	90
PID 916 wrote to memory of 2756	916	Loader.exe	90
PID 2756 wrote to memory of 2772	2756	cmd.exe	91
PID 2756 wrote to memory of 2772	2756	cmd.exe	91
PID 916 wrote to memory of 1936	916	Loader.exe	92
PID 916 wrote to memory of 1936	916	Loader.exe	92
PID 1936 wrote to memory of 2296	1936	cmd.exe	93
PID 1936 wrote to memory of 2296	1936	cmd.exe	93
PID 916 wrote to memory of 1344	916	Loader.exe	94
PID 916 wrote to memory of 1344	916	Loader.exe	94
PID 916 wrote to memory of 1320	916	Loader.exe	95
PID 916 wrote to memory of 1320	916	Loader.exe	95
PID 1320 wrote to memory of 784	1320	cmd.exe	97
PID 1320 wrote to memory of 784	1320	cmd.exe	97
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	98
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	98
PID 4956 wrote to memory of 4964	4956	cmd.exe	99
PID 4956 wrote to memory of 4964	4956	cmd.exe	99
PID 4964 wrote to memory of 3864	4964	net.exe	100
PID 4964 wrote to memory of 3864	4964	net.exe	100
PID 1344 wrote to memory of 3036	1344	46OPZS4XG3.exe	104
PID 1344 wrote to memory of 3036	1344	46OPZS4XG3.exe	104
PID 3036 wrote to memory of 836	3036	cmd.exe	103
PID 3036 wrote to memory of 836	3036	cmd.exe	103
PID 1344 wrote to memory of 4732	1344	46OPZS4XG3.exe	102
PID 1344 wrote to memory of 4732	1344	46OPZS4XG3.exe	102
PID 4732 wrote to memory of 4136	4732	cmd.exe	101
PID 4732 wrote to memory of 4136	4732	cmd.exe	101
PID 1344 wrote to memory of 2284	1344	46OPZS4XG3.exe	105
PID 1344 wrote to memory of 2284	1344	46OPZS4XG3.exe	105
PID 2284 wrote to memory of 1596	2284	cmd.exe	106
PID 2284 wrote to memory of 1596	2284	cmd.exe	106
PID 1344 wrote to memory of 2264	1344	46OPZS4XG3.exe	115
PID 1344 wrote to memory of 2264	1344	46OPZS4XG3.exe	115
PID 2264 wrote to memory of 1120	2264	cmd.exe	116
PID 2264 wrote to memory of 1120	2264	cmd.exe	116
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 1344 wrote to memory of 4956	1344	46OPZS4XG3.exe	118
PID 4956 wrote to memory of 4764	4956	find.exe	119
PID 4956 wrote to memory of 4764	4956	find.exe	119

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /nowait
    3⤵
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\system32\taskkill.exe
    taskkill /IM RainbowSix.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2296
- C:\Users\Admin\AppData\Local\Temp\46OPZS4XG3.exe
  "C:\Users\Admin\AppData\Local\Temp\46OPZS4XG3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\system32\net.exe
      net start w32time
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start w32time
        5⤵
        
        PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:1120
- - C:\Windows\System32\find.exe
    21 Royzer 5!m1k4LxYA
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      4⤵
      PID:4764
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -s
      4⤵
      PID:4656
    - - C:\Windows\system32\shutdown.exe
        
        shutdown -s
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:784

C:\Windows\system32\taskkill.exe
taskkill /IM RainbowSix.exe /f
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\w32tm.exe
w32tm /resync /nowait
1⤵
PID:836

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46OPZS4XG3.exe

Filesize
2.5MB

MD5
bf3be4bcb08ea91780da0f9b883e8ef3

SHA1
85ed2f7968886978eac9cf0c1d89d4a2b3784af6

SHA256
a4c267266a9aab70342ffa0e199570d2401702dfbc2fa9354efc16e75c16b18c

SHA512
df2193dddee75f6df22b2112e9241e5bab1109104d238d1d617946aed470aba73561dc55b38b7125d0d11d43af46dbe8a14e18b42b5f055554119471eb52e58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\46OPZS4XG3.exe

Filesize
2.2MB

MD5
8f06c22b82112e933087efe0ec3af34e

SHA1
f6b7ab166b6b221e46ed43ccd7ac50ceb5792ff7

SHA256
898dfca89a2eb6b41ca94d0c2fa97e83cde3563a911b359aea920123446cfcdb

SHA512
2af1a6fbbd483fd7c3af4c66acb5bbff3251dee7e6edd534fd1c5cff3b42eae75d67813a6d72fe27fbc38f2d0ee173baa31d300e27186c34b9af0ce33fb3e925

Download Submit
memory/916-0-0x00007FF68D590000-0x00007FF68DFB0000-memory.dmp

Filesize
10.1MB

Download
memory/1344-8-0x00007FF6C46B0000-0x00007FF6C50C9000-memory.dmp

Filesize
10.1MB

Download
memory/4956-14-0x000002172A1C0000-0x000002172A572000-memory.dmp

Filesize
3.7MB

Download
memory/4956-22-0x000002172A1C0000-0x000002172A572000-memory.dmp

Filesize
3.7MB

Download
memory/4956-29-0x000002172A1C0000-0x000002172A572000-memory.dmp

Filesize
3.7MB

Download
memory/4956-30-0x000002172A1C0000-0x000002172A572000-memory.dmp

Filesize
3.7MB

Download