Malware Analysis Report

2025-03-15 06:01

Sample ID: 240511-22bqzadc2v
Target: Loader (1).exe
SHA256: 6a79b18a0b6ce048bd93586272612296073c5b7c252e13f378914a9d2d7fc9a2
Tags: vmprotect
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file Loader (1).exe was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Suspicious use of SetThreadContext

Unsigned PE

Gathers network information

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-05-11 23:04

Signatures

VMProtect packed file

vmprotect

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-11 23:04
Reported: 2024-05-11 23:06
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"

Signatures

VMProtect packed file

vmprotect

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2940 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2940 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2668 wrote to memory of 2872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2668 wrote to memory of 2872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2668 wrote to memory of 2872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2476 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2476 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2476 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2984 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2520 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2520 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2984 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\WerFault.exe
PID 2984 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\WerFault.exe
PID 2984 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader (1).exe

"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start w32time

C:\Windows\system32\net.exe

net start w32time

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start w32time

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c w32tm /resync /nowait

C:\Windows\system32\w32tm.exe

w32tm /resync /nowait

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f

C:\Windows\system32\taskkill.exe

taskkill /IM RainbowSix.exe /f

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2984 -s 200

Network

N/A

Files

memory/2984-0-0x000000013F420000-0x000000013FE03000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-11 23:04
Reported: 2024-05-11 23:06
Platform: win10v2004-20240508-en
Max time kernel: 93s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"

Signatures

VMProtect packed file

vmprotect

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3496 set thread context of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\find.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2880 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3232 wrote to memory of 64 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3232 wrote to memory of 64 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3496 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1924 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3496 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 1828 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1828 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3496 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4536 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3496 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4196 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 3496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Loader (1).exe C:\Windows\System32\find.exe
PID 2060 wrote to memory of 4332 N/A C:\Windows\System32\find.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 4332 N/A C:\Windows\System32\find.exe C:\Windows\system32\cmd.exe
PID 4332 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4332 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2060 wrote to memory of 2056 N/A C:\Windows\System32\find.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 2056 N/A C:\Windows\System32\find.exe C:\Windows\system32\cmd.exe
PID 2056 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2056 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader (1).exe

"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start w32time

C:\Windows\system32\net.exe

net start w32time

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start w32time

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c w32tm /resync /nowait

C:\Windows\system32\w32tm.exe

w32tm /resync /nowait

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f

C:\Windows\system32\taskkill.exe

taskkill /IM RainbowSix.exe /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\System32\find.exe

22 ios Rafael07?7

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -s

C:\Windows\system32\shutdown.exe

shutdown -s

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3973855 /state1:0x41c64e6d

Network

Files

memory/3496-0-0x00007FF774EF0000-0x00007FF7758D3000-memory.dmp

memory/2060-6-0x00000281626D0000-0x0000028162A7D000-memory.dmp

memory/2060-7-0x00000281626D0000-0x0000028162A7D000-memory.dmp

memory/2060-14-0x00000281626D0000-0x0000028162A7D000-memory.dmp

memory/2060-16-0x00000281626D0000-0x0000028162A7D000-memory.dmp