2767dbefb103b35c850f1a4a620d9e0ea474cd1bf18878afe9d33815a2c8c5c2

Analysis

max time kernel
44s
max time network
45s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 18:06

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2E83743D665211F9A7B9715BE0E37273.exe
Size

4.5MB
MD5

2e83743d665211f9a7b9715be0e37273
SHA1

50ff943aeb8aff52695a0cdc17b431f3f374c9e5
SHA256

2767dbefb103b35c850f1a4a620d9e0ea474cd1bf18878afe9d33815a2c8c5c2
SHA512

d7dad36e8eb4eb4cf15c214ea14695fb645278684d0d964b6508f9cf6d05a348263369d9dc11a6a0eee8ec044aa2f30351cee7fa3ace3abaccb229d74a31bb12
SSDEEP

98304:g3Lv3af7+lxwdZTF4I+F5VZJjcsB4akNma+JKYKfmN4lN3LQp7YtYCR:gzuuxxI+FfZJjEakNmayURlN7Qp7y

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2064-0-0x000000013FB10000-0x0000000140357000-memory.dmp	vmprotect

Kills process with taskkill 1 IoCs

evasion

pid	Process
2792	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeShutdownPrivilege	2436	shutdown.exe
Token: SeRemoteShutdownPrivilege	2436	shutdown.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2012	2064	2E83743D665211F9A7B9715BE0E37273.exe	29
PID 2064 wrote to memory of 2012	2064	2E83743D665211F9A7B9715BE0E37273.exe	29
PID 2064 wrote to memory of 2012	2064	2E83743D665211F9A7B9715BE0E37273.exe	29
PID 2012 wrote to memory of 1756	2012	cmd.exe	30
PID 2012 wrote to memory of 1756	2012	cmd.exe	30
PID 2012 wrote to memory of 1756	2012	cmd.exe	30
PID 1756 wrote to memory of 2172	1756	net.exe	31
PID 1756 wrote to memory of 2172	1756	net.exe	31
PID 1756 wrote to memory of 2172	1756	net.exe	31
PID 2064 wrote to memory of 3048	2064	2E83743D665211F9A7B9715BE0E37273.exe	32
PID 2064 wrote to memory of 3048	2064	2E83743D665211F9A7B9715BE0E37273.exe	32
PID 2064 wrote to memory of 3048	2064	2E83743D665211F9A7B9715BE0E37273.exe	32
PID 3048 wrote to memory of 2784	3048	cmd.exe	33
PID 3048 wrote to memory of 2784	3048	cmd.exe	33
PID 3048 wrote to memory of 2784	3048	cmd.exe	33
PID 2064 wrote to memory of 1324	2064	2E83743D665211F9A7B9715BE0E37273.exe	35
PID 2064 wrote to memory of 1324	2064	2E83743D665211F9A7B9715BE0E37273.exe	35
PID 2064 wrote to memory of 1324	2064	2E83743D665211F9A7B9715BE0E37273.exe	35
PID 1324 wrote to memory of 2792	1324	cmd.exe	34
PID 1324 wrote to memory of 2792	1324	cmd.exe	34
PID 1324 wrote to memory of 2792	1324	cmd.exe	34
PID 2064 wrote to memory of 2564	2064	2E83743D665211F9A7B9715BE0E37273.exe	37
PID 2064 wrote to memory of 2564	2064	2E83743D665211F9A7B9715BE0E37273.exe	37
PID 2064 wrote to memory of 2564	2064	2E83743D665211F9A7B9715BE0E37273.exe	37
PID 2564 wrote to memory of 2436	2564	cmd.exe	38
PID 2564 wrote to memory of 2436	2564	cmd.exe	38
PID 2564 wrote to memory of 2436	2564	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\2E83743D665211F9A7B9715BE0E37273.exe
"C:\Users\Admin\AppData\Local\Temp\2E83743D665211F9A7B9715BE0E37273.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /nowait
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\shutdown.exe
    shutdown -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436

C:\Windows\system32\taskkill.exe
taskkill /IM RainbowSix.exe /f
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-0-0x000000013FB10000-0x0000000140357000-memory.dmp

Filesize
8.3MB

Download
memory/2364-5-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2528-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download