Analysis

  • max time kernel
    27s
  • max time network
    37s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-07-2024 22:07

General

  • Target

    SK5UOIY7PM.exe

  • Size

    4.9MB

  • MD5

    6785144a0ecb7fb6754c61da7ba3612b

  • SHA1

    83528ab1782a9d21a82845dd1f519ed3f252b61a

  • SHA256

    7dd73af4a4845b7df80ad1aabd8fc269395c9ba515312e26645e6339cb9fd765

  • SHA512

    e22d56532c02a5342c70bf34fff85be2e6510afd108f01f322a2c4c2f68f8051dc4ec481a308df56bb98001c1fb6e655e7b5d2d42c5c177a58e4c2e124b24775

  • SSDEEP

    98304:i/cRg1mAbtevr9bUHR+SoATt567/CPDMV9AFZtPT3nvRBQzxr:i/qz9bUHR+wTXICrRFZt7/bQ1r

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SK5UOIY7PM.exe
    "C:\Users\Admin\AppData\Local\Temp\SK5UOIY7PM.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start w32time
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\system32\net.exe
        net start w32time
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start w32time
          4⤵
          PID:4964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\system32\w32tm.exe
        w32tm /resync /nowait
        3⤵
        PID:3832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\taskkill.exe
        taskkill /IM RainbowSix.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\system32\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:4940
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\system32\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:2500
    • C:\Users\Admin\AppData\Local\Temp\U591RT4ILT.exe
      "C:\Users\Admin\AppData\Local\Temp\U591RT4ILT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c net start w32time
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\system32\net.exe
          net start w32time
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start w32time
            5⤵
            PID:2400
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\system32\w32tm.exe
          w32tm /resync /nowait
          4⤵
          PID:4464
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\system32\taskkill.exe
          taskkill /IM RainbowSix.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2836
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\system32\ipconfig.exe
          ipconfig /flushdns
          4⤵
          • Gathers network information
          PID:2604
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\system32\ipconfig.exe
          ipconfig /flushdns
          4⤵
          • Gathers network information
          PID:336
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\SK5UOIY7PM.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Command and Scripting Interpreter (1) T1059

Discovery

  • System Information Discovery (1) T1082
  • Remote System Discovery (1) T1018


Downloads

  • C:\Users\Admin\AppData\Local\Temp\U591RT4ILT.exe

    Filesize
    4.9MB

    MD5
    6261ee4279a2f896625ca965ad014fb7

    SHA1
    0bbd43aed75d13993e364cd7e26393d2b4fefb50

    SHA256
    5b36923b5ab87c82b33614790f2ab2add6b8675ebd27ba278f1eaf2499848cdd

    SHA512
    40d39aa83b603ec5b9b2260d9976663decdf49799e6387b7f4a557e6e5662e5246b75ec97507af4c117cd6aafbd9ebb332f705961e50fd68830df19dd9bbd3f8

  • memory/3076-9-0x00007FF7B8BB0000-0x00007FF7B959C000-memory.dmp

    Filesize
    9.9MB

  • memory/3308-1-0x00007FF7EB5C0000-0x00007FF7EBFA5000-memory.dmp

    Filesize
    9.9MB