Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe
Analysis ID: 1502252
MD5: 6261ee4279a2f896625ca965ad014fb7
SHA1: 0bbd43aed75d13993e364cd7e26393d2b4fefb50
SHA256: 5b36923b5ab87c82b33614790f2ab2add6b8675ebd27ba278f1eaf2499848cdd
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Detected VMProtect packer
Machine Learning detection for sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Entry point lies outside standard sections
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses taskkill to terminate processes

Classification

AV Detection

Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Virustotal: Detection: 70%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.klar.ac
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2875777584.000001AB34810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontello.com
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2875777584.000001AB34810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontello.comhttp://fontello.com
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1790778681.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2875777584.000001AB34810000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1696250635.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1700904553.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1702750336.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2875229910.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2880591079.00007FF71EC6E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.dearimgui.org/faq/
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2880591079.00007FF71EC6E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.dearimgui.org/faq/Set
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2880591079.00007FF71EC6E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://discord.gg/klargg
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1790778681.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1696250635.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1700904553.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1702750336.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2875229910.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fontawesome.com
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1790778681.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1696250635.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1700904553.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1702750336.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2875229910.000001AB2FBBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont

System Summary

Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: .vmp0 and .vmp1 section names
Source: classification engine Classification label: mal76.evad.winEXE@20/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe File created: C:\Users\user\Desktop\user
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RainbowSix.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Virustotal: Detection: 70%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c net start w32time
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net start w32time
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start w32time
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /resync /nowait
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /IM RainbowSix.exe /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /flushdns
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static file information: File size 5141504 > 1048576
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x4e6c00
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: section name: .vmp0
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Static PE information: section name: .vmp1

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71F501DC8 second address: 7FF71F4B6BBB instructions: 0x00000000 rdtsc 0x00000002 bsr edx, edx 0x00000005 inc ecx 0x00000006 xor bh, cl 0x00000008 inc ax 0x0000000b rcr ah, FFFFFFAEh 0x0000000e mov edx, ebp 0x00000010 inc eax 0x00000011 neg bh 0x00000013 inc eax 0x00000014 not bh 0x00000016 inc eax 0x00000017 neg bh 0x00000019 inc eax 0x0000001a rol bh, 1 0x0000001c shld dx, cx, 000000F5h 0x00000021 dec ecx 0x00000022 arpl si, ax 0x00000024 jmp 00007FE7A8B93337h 0x00000029 inc eax 0x0000002a sub bh, FFFFFF92h 0x0000002d inc eax 0x0000002e xor bh, FFFFFFE4h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71F531A20 second address: 7FF71F531A28 instructions: 0x00000000 rdtsc 0x00000002 inc eax 0x00000003 inc bh 0x00000005 inc ecx 0x00000006 sbb dl, cl 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EFE812B second address: 7FF71EFE8137 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, ax 0x00000005 inc bp 0x00000007 movzx ebp, ch 0x0000000a inc ecx 0x0000000b pop ebp 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EF8C8DB second address: 7FF71EF8C8E3 instructions: 0x00000000 rdtsc 0x00000002 inc eax 0x00000003 inc bh 0x00000005 inc ecx 0x00000006 sbb dl, cl 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EFF0208 second address: 7FF71EFCFBE6 instructions: 0x00000000 rdtsc 0x00000002 bsr edx, edx 0x00000005 inc ecx 0x00000006 xor bh, cl 0x00000008 inc ax 0x0000000b rcr ah, FFFFFFAEh 0x0000000e mov edx, ebp 0x00000010 inc eax 0x00000011 neg bh 0x00000013 inc eax 0x00000014 not bh 0x00000016 inc eax 0x00000017 neg bh 0x00000019 inc eax 0x0000001a rol bh, 1 0x0000001c shld dx, cx, 000000F5h 0x00000021 dec ecx 0x00000022 arpl si, ax 0x00000024 jmp 00007FE7A8BBDF22h 0x00000029 inc eax 0x0000002a sub bh, FFFFFF92h 0x0000002d inc eax 0x0000002e xor bh, FFFFFFE4h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EF5C71D second address: 7FF71EF5C751 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edi 0x00000004 dec ecx 0x00000005 movzx ebx, cx 0x00000008 shr bx, cl 0x0000000b inc eax 0x0000000c sbb bh, 00000065h 0x0000000f inc ecx 0x00000010 pop ebx 0x00000011 sar si, 002Ch 0x00000015 pop edi 0x00000016 stc 0x00000017 dec ecx 0x00000018 rcl ecx, 49h 0x0000001b inc ecx 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e lahf 0x0000001f dec eax 0x00000020 movsx esi, ax 0x00000023 dec ebp 0x00000024 arpl si, ax 0x00000026 pop ebp 0x00000027 pop esi 0x00000028 dec ah 0x0000002a inc ecx 0x0000002b pop ebp 0x0000002c inc bp 0x0000002e xchg eax, eax 0x00000030 inc ecx 0x00000031 test ah, ah 0x00000033 pop ecx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71F04E2C6 second address: 7FF71F04E2ED instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 movsx edi, di 0x00000006 dec eax 0x00000007 cwde 0x00000008 inc ecx 0x00000009 pop ebx 0x0000000a cbw 0x0000000c inc ax 0x0000000e movsx edx, dh 0x00000011 inc ecx 0x00000012 pop eax 0x00000013 inc ebp 0x00000014 movzx edx, cx 0x00000017 pop esi 0x00000018 inc ecx 0x00000019 movzx ecx, ax 0x0000001c inc ecx 0x0000001d pop edi 0x0000001e cwd 0x00000020 pop ebp 0x00000021 inc cx 0x00000023 cmovnp eax, esi 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71F02992D second address: 7FF71F029933 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ebp 0x00000004 xchg edi, ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EFDF337 second address: 7FF71EFDF34E instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 inc cx 0x00000005 btc ebp, esp 0x00000008 popfd 0x00000009 inc cx 0x0000000b mov edx, CF8B3D13h 0x00000010 dec eax 0x00000011 cdq 0x00000012 pop ebp 0x00000013 dec esp 0x00000014 movsx ebp, bx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EFDF34E second address: 7FF71EFDF361 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop esp 0x00000004 dec esp 0x00000005 arpl di, cx 0x00000007 inc esp 0x00000008 mov dl, dl 0x0000000a inc ecx 0x0000000b pop edi 0x0000000c inc ecx 0x0000000d pop ebx 0x0000000e inc ecx 0x0000000f xchg cl, cl 0x00000011 inc ecx 0x00000012 pop ebp 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71EFA7347 second address: 7FF71EFA736F instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 movsx ecx, bx 0x00000006 inc ecx 0x00000007 pop edi 0x00000008 inc bp 0x0000000a movzx esp, bh 0x0000000d dec ebp 0x0000000e movsx esp, dx 0x00000011 cwde 0x00000012 pop ebp 0x00000013 cbw 0x00000015 dec eax 0x00000016 movsx eax, cx 0x00000019 cdq 0x0000001a pop ebx 0x0000001b inc cx 0x0000001d movzx eax, dl 0x00000020 cwd 0x00000022 cmovs dx, dx 0x00000026 inc ecx 0x00000027 pop esp 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe RDTSC instruction interceptor: First address: 7FF71F034B74 second address: 7FF71F034B93 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ebx 0x00000004 inc bp 0x00000006 movzx edi, ch 0x00000009 inc ecx 0x0000000a shl edx, cl 0x0000000c pop edi 0x0000000d inc cx 0x0000000f sal edx, FFFFFF85h 0x00000012 add al, 18h 0x00000014 dec ecx 0x00000015 movzx ebx, dx 0x00000018 inc ecx 0x00000019 pop edi 0x0000001a pop esi 0x0000001b shl dh, cl 0x0000001d inc ecx 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1691201137.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1652945810.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1649068596.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1698772115.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000002.2876172761.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1695411338.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1645499302.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe, 00000000.00000003.1654829652.000001AB34D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c net start w32time
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /flushdns
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net start w32time
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start w32time
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /resync /nowait
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /IM RainbowSix.exe /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns