6a79b18a0b6ce048bd93586272612296073c5b7c252e13f378914a9d2d7fc9a2

Analysis

max time kernel
70s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

4.9MB
MD5

c01c4d326d65d94e05361c30821b2dbd
SHA1

16c0e2a2dff1e06cbdc5036d13a7444edc469193
SHA256

6a79b18a0b6ce048bd93586272612296073c5b7c252e13f378914a9d2d7fc9a2
SHA512

69ef9d5870d76e8175f5749b8ab24e9574c021fa8c2a0b0ea088bcd2ad93373efac252295395eb6f0d5896474d9f22275948dd79baded12a634e97e72f50abed
SSDEEP

98304:hpA5XNJzZJydymhLXeH1RPTC3thMtNKbLWst+QixuF:KNpydVajQthgxstR

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adwHDrEKuYPLpHvlLnO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\adwHDrEKuYPLpHvlLnO"	find.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/632-0-0x00007FF7C1FF0000-0x00007FF7C29D3000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 1200	632	Loader.exe	109

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3228	ipconfig.exe
1988	ipconfig.exe
3248	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4480	taskkill.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1200	find.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeLoadDriverPrivilege	1200	find.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
632	Loader.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 4828	632	Loader.exe	86
PID 632 wrote to memory of 4828	632	Loader.exe	86
PID 4828 wrote to memory of 1428	4828	cmd.exe	87
PID 4828 wrote to memory of 1428	4828	cmd.exe	87
PID 1428 wrote to memory of 1676	1428	net.exe	88
PID 1428 wrote to memory of 1676	1428	net.exe	88
PID 632 wrote to memory of 4928	632	Loader.exe	90
PID 632 wrote to memory of 4928	632	Loader.exe	90
PID 4928 wrote to memory of 4212	4928	cmd.exe	91
PID 4928 wrote to memory of 4212	4928	cmd.exe	91
PID 632 wrote to memory of 4824	632	Loader.exe	93
PID 632 wrote to memory of 4824	632	Loader.exe	93
PID 4824 wrote to memory of 4480	4824	cmd.exe	94
PID 4824 wrote to memory of 4480	4824	cmd.exe	94
PID 632 wrote to memory of 3632	632	Loader.exe	96
PID 632 wrote to memory of 3632	632	Loader.exe	96
PID 3632 wrote to memory of 3248	3632	cmd.exe	97
PID 3632 wrote to memory of 3248	3632	cmd.exe	97
PID 632 wrote to memory of 4400	632	Loader.exe	107
PID 632 wrote to memory of 4400	632	Loader.exe	107
PID 4400 wrote to memory of 3228	4400	cmd.exe	108
PID 4400 wrote to memory of 3228	4400	cmd.exe	108
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 632 wrote to memory of 1200	632	Loader.exe	109
PID 1200 wrote to memory of 1792	1200	find.exe	110
PID 1200 wrote to memory of 1792	1200	find.exe	110
PID 1792 wrote to memory of 1988	1792	cmd.exe	111
PID 1792 wrote to memory of 1988	1792	cmd.exe	111
PID 632 wrote to memory of 1200	632	Loader.exe	109

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /nowait
    3⤵
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\taskkill.exe
    taskkill /IM RainbowSix.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3228
- C:\Windows\System32\find.exe
  4 ItzzRevxnge Savage_05@
  2⤵
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-0-0x00007FF7C1FF0000-0x00007FF7C29D3000-memory.dmp

Filesize
9.9MB

Download
memory/1200-7-0x0000021624340000-0x000002162449F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-6-0x0000021624340000-0x000002162449F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-13-0x0000021624340000-0x000002162449F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads