b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Xtroas Val Cheeto.exe
Size

808KB
MD5

4ac882ebdbc1431cdd3ab45e1712ada1
SHA1

b871304fd060b700fd66ce0c87014ec955d12979
SHA256

b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6
SHA512

f3ff8d00849289436b723bc48c14113e51b583955d7f69870458d7b7d72ba214ad531d601a950b247f43325a610fd15cd6584008fd842a29c1dd0804ee2e6f98
SSDEEP

24576:65MOrT+F0sIE9JqsC6mVFyCsffzMS6pcsP9Qtce0TBs/lPsoCyEbDb7Br5oANn90:+bjnS

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JOyFAnFBEP\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\JOyFAnFBEP"	Xtroas Val Cheeto.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe
216	Xtroas Val Cheeto.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
216	Xtroas Val Cheeto.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	216	Xtroas Val Cheeto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3688	216	Xtroas Val Cheeto.exe	84
PID 216 wrote to memory of 3688	216	Xtroas Val Cheeto.exe	84
PID 216 wrote to memory of 4580	216	Xtroas Val Cheeto.exe	97
PID 216 wrote to memory of 4580	216	Xtroas Val Cheeto.exe	97
PID 216 wrote to memory of 3700	216	Xtroas Val Cheeto.exe	99
PID 216 wrote to memory of 3700	216	Xtroas Val Cheeto.exe	99
PID 216 wrote to memory of 1900	216	Xtroas Val Cheeto.exe	100
PID 216 wrote to memory of 1900	216	Xtroas Val Cheeto.exe	100
PID 216 wrote to memory of 3952	216	Xtroas Val Cheeto.exe	101
PID 216 wrote to memory of 3952	216	Xtroas Val Cheeto.exe	101
PID 216 wrote to memory of 2452	216	Xtroas Val Cheeto.exe	104
PID 216 wrote to memory of 2452	216	Xtroas Val Cheeto.exe	104
PID 216 wrote to memory of 2364	216	Xtroas Val Cheeto.exe	105
PID 216 wrote to memory of 2364	216	Xtroas Val Cheeto.exe	105
PID 216 wrote to memory of 4964	216	Xtroas Val Cheeto.exe	106
PID 216 wrote to memory of 4964	216	Xtroas Val Cheeto.exe	106
PID 216 wrote to memory of 3692	216	Xtroas Val Cheeto.exe	107
PID 216 wrote to memory of 3692	216	Xtroas Val Cheeto.exe	107
PID 216 wrote to memory of 2408	216	Xtroas Val Cheeto.exe	108
PID 216 wrote to memory of 2408	216	Xtroas Val Cheeto.exe	108
PID 216 wrote to memory of 1388	216	Xtroas Val Cheeto.exe	109
PID 216 wrote to memory of 1388	216	Xtroas Val Cheeto.exe	109
PID 216 wrote to memory of 2436	216	Xtroas Val Cheeto.exe	110
PID 216 wrote to memory of 2436	216	Xtroas Val Cheeto.exe	110
PID 216 wrote to memory of 4136	216	Xtroas Val Cheeto.exe	111
PID 216 wrote to memory of 4136	216	Xtroas Val Cheeto.exe	111
PID 216 wrote to memory of 1508	216	Xtroas Val Cheeto.exe	112
PID 216 wrote to memory of 1508	216	Xtroas Val Cheeto.exe	112
PID 216 wrote to memory of 1700	216	Xtroas Val Cheeto.exe	113
PID 216 wrote to memory of 1700	216	Xtroas Val Cheeto.exe	113
PID 216 wrote to memory of 3112	216	Xtroas Val Cheeto.exe	114
PID 216 wrote to memory of 3112	216	Xtroas Val Cheeto.exe	114
PID 216 wrote to memory of 3408	216	Xtroas Val Cheeto.exe	115
PID 216 wrote to memory of 3408	216	Xtroas Val Cheeto.exe	115
PID 216 wrote to memory of 4020	216	Xtroas Val Cheeto.exe	116
PID 216 wrote to memory of 4020	216	Xtroas Val Cheeto.exe	116
PID 216 wrote to memory of 4432	216	Xtroas Val Cheeto.exe	118
PID 216 wrote to memory of 4432	216	Xtroas Val Cheeto.exe	118
PID 216 wrote to memory of 2760	216	Xtroas Val Cheeto.exe	122
PID 216 wrote to memory of 2760	216	Xtroas Val Cheeto.exe	122
PID 216 wrote to memory of 2416	216	Xtroas Val Cheeto.exe	123
PID 216 wrote to memory of 2416	216	Xtroas Val Cheeto.exe	123
PID 216 wrote to memory of 1020	216	Xtroas Val Cheeto.exe	124
PID 216 wrote to memory of 1020	216	Xtroas Val Cheeto.exe	124
PID 216 wrote to memory of 5096	216	Xtroas Val Cheeto.exe	125
PID 216 wrote to memory of 5096	216	Xtroas Val Cheeto.exe	125
PID 216 wrote to memory of 2120	216	Xtroas Val Cheeto.exe	126
PID 216 wrote to memory of 2120	216	Xtroas Val Cheeto.exe	126
PID 216 wrote to memory of 3192	216	Xtroas Val Cheeto.exe	127
PID 216 wrote to memory of 3192	216	Xtroas Val Cheeto.exe	127
PID 216 wrote to memory of 876	216	Xtroas Val Cheeto.exe	128
PID 216 wrote to memory of 876	216	Xtroas Val Cheeto.exe	128
PID 216 wrote to memory of 4856	216	Xtroas Val Cheeto.exe	129
PID 216 wrote to memory of 4856	216	Xtroas Val Cheeto.exe	129
PID 216 wrote to memory of 2324	216	Xtroas Val Cheeto.exe	130
PID 216 wrote to memory of 2324	216	Xtroas Val Cheeto.exe	130
PID 216 wrote to memory of 4724	216	Xtroas Val Cheeto.exe	131
PID 216 wrote to memory of 4724	216	Xtroas Val Cheeto.exe	131
PID 216 wrote to memory of 2508	216	Xtroas Val Cheeto.exe	132
PID 216 wrote to memory of 2508	216	Xtroas Val Cheeto.exe	132
PID 216 wrote to memory of 2940	216	Xtroas Val Cheeto.exe	133
PID 216 wrote to memory of 2940	216	Xtroas Val Cheeto.exe	133
PID 216 wrote to memory of 4456	216	Xtroas Val Cheeto.exe	134
PID 216 wrote to memory of 4456	216	Xtroas Val Cheeto.exe	134

C:\Users\Admin\AppData\Local\Temp\Xtroas Val Cheeto.exe
"C:\Users\Admin\AppData\Local\Temp\Xtroas Val Cheeto.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads