Analysis Overview
SHA256
6a79b18a0b6ce048bd93586272612296073c5b7c252e13f378914a9d2d7fc9a2
Threat Level: Shows suspicious behavior
Verdict for the file Loader (1).exe: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Suspicious use of SetThreadContext
Unsigned PE
Gathers network information
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 23:04
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 23:04
Reported
2024-05-11 23:06
Platform
win7-20240221-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader (1).exe
"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start w32time
C:\Windows\system32\net.exe
net start w32time
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start w32time
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
C:\Windows\system32\w32tm.exe
w32tm /resync /nowait
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
C:\Windows\system32\taskkill.exe
taskkill /IM RainbowSix.exe /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2984 -s 200
Network
Files
memory/2984-0-0x000000013F420000-0x000000013FE03000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 23:04
Reported
2024-05-11 23:06
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3496 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader (1).exe | C:\Windows\System32\find.exe |
Gathers network information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\find.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader (1).exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader (1).exe
"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start w32time
C:\Windows\system32\net.exe
net start w32time
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start w32time
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
C:\Windows\system32\w32tm.exe
w32tm /resync /nowait
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
C:\Windows\system32\taskkill.exe
taskkill /IM RainbowSix.exe /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\System32\find.exe
22 ios Rafael07?7
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s
C:\Windows\system32\shutdown.exe
shutdown -s
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3973855 /state1:0x41c64e6d
Network
Files
memory/3496-0-0x00007FF774EF0000-0x00007FF7758D3000-memory.dmp
memory/2060-6-0x00000281626D0000-0x0000028162A7D000-memory.dmp
memory/2060-7-0x00000281626D0000-0x0000028162A7D000-memory.dmp
memory/2060-14-0x00000281626D0000-0x0000028162A7D000-memory.dmp
memory/2060-16-0x00000281626D0000-0x0000028162A7D000-memory.dmp