19ba596c9afab5f63bd263ea8e14b51185005eb3bbdc47837d126ba46eeaea26

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
Size

342KB
MD5

07bf0d794610eab72b0ac85ed40aabf1
SHA1

eb1badb78457daab0d03fbeefbbbcc32c05a9e05
SHA256

19ba596c9afab5f63bd263ea8e14b51185005eb3bbdc47837d126ba46eeaea26
SHA512

6f9d793e5a109325065d48d37eac89ad60b28e154f1e1fcfb2284abe59363bc3ea50d95a06d4d17d1ae5b19811421307a7a2ae3ea57c98d879d8c9bc7cd5204c
SSDEEP

3072:WIDCldZsGbYS9fAgo3ji0IDCldZsGbYqVDrXhzlrOgkVDpBSqao9c3HwsanTdgyc:Wrv6W0rvX/eSqjc3HsTaxoq/cRzSZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\kvja.exe -dwup"	kvja.exe

Executes dropped EXE 49 IoCs

pid	Process
2156	kvja.exe
2740	kvja.exe
2840	kvja.exe
1124	kvja.exe
1128	kvja.exe
1316	kvja.exe
2556	kvja.exe
1372	kvja.exe
2940	kvja.exe
396	kvja.exe
3016	kvja.exe
1216	kvja.exe
2420	kvja.exe
2216	kvja.exe
2164	kvja.exe
1692	kvja.exe
2544	kvja.exe
2540	kvja.exe
1200	kvja.exe
1844	kvja.exe
1832	kvja.exe
276	kvja.exe
2108	kvja.exe
1752	kvja.exe
1448	kvja.exe
2336	kvja.exe
2368	kvja.exe
2728	kvja.exe
2720	kvja.exe
2608	kvja.exe
2708	kvja.exe
2052	kvja.exe
2396	kvja.exe
1820	kvja.exe
2456	kvja.exe
1652	kvja.exe
1088	kvja.exe
1824	kvja.exe
2388	kvja.exe
1240	kvja.exe
2976	kvja.exe
1776	kvja.exe
1244	kvja.exe
2424	kvja.exe
2184	kvja.exe
1224	kvja.exe
1436	kvja.exe
2380	kvja.exe
1772	kvja.exe

Loads dropped DLL 2 IoCs

pid	Process
348	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
348	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 2156 set thread context of 2740	2156	kvja.exe	31
PID 1124 set thread context of 1128	1124	kvja.exe	35
PID 1316 set thread context of 2556	1316	kvja.exe	37
PID 1372 set thread context of 2940	1372	kvja.exe	39
PID 396 set thread context of 3016	396	kvja.exe	41
PID 1216 set thread context of 2420	1216	kvja.exe	43
PID 2216 set thread context of 2164	2216	kvja.exe	45
PID 1692 set thread context of 2544	1692	kvja.exe	47
PID 2540 set thread context of 1200	2540	kvja.exe	49
PID 1844 set thread context of 1832	1844	kvja.exe	51
PID 276 set thread context of 2108	276	kvja.exe	53
PID 1752 set thread context of 1448	1752	kvja.exe	55
PID 2336 set thread context of 2368	2336	kvja.exe	57
PID 2728 set thread context of 2720	2728	kvja.exe	59
PID 2608 set thread context of 2708	2608	kvja.exe	61
PID 2052 set thread context of 2396	2052	kvja.exe	63
PID 1820 set thread context of 2456	1820	kvja.exe	65
PID 1652 set thread context of 1088	1652	kvja.exe	67
PID 1824 set thread context of 2388	1824	kvja.exe	69
PID 1240 set thread context of 2976	1240	kvja.exe	71
PID 1776 set thread context of 1244	1776	kvja.exe	73
PID 2424 set thread context of 2184	2424	kvja.exe	75
PID 1224 set thread context of 1436	1224	kvja.exe	77
PID 2380 set thread context of 1772	2380	kvja.exe	79

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvja.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 908 wrote to memory of 348	908	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	29
PID 348 wrote to memory of 2156	348	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	30
PID 348 wrote to memory of 2156	348	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	30
PID 348 wrote to memory of 2156	348	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	30
PID 348 wrote to memory of 2156	348	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2156 wrote to memory of 2740	2156	kvja.exe	31
PID 2740 wrote to memory of 2840	2740	kvja.exe	32
PID 2740 wrote to memory of 2840	2740	kvja.exe	32
PID 2740 wrote to memory of 2840	2740	kvja.exe	32
PID 2740 wrote to memory of 2840	2740	kvja.exe	32
PID 2740 wrote to memory of 2840	2740	kvja.exe	32
PID 2740 wrote to memory of 2840	2740	kvja.exe	32
PID 2840 wrote to memory of 1124	2840	kvja.exe	34
PID 2840 wrote to memory of 1124	2840	kvja.exe	34
PID 2840 wrote to memory of 1124	2840	kvja.exe	34
PID 2840 wrote to memory of 1124	2840	kvja.exe	34
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 1124 wrote to memory of 1128	1124	kvja.exe	35
PID 2840 wrote to memory of 1316	2840	kvja.exe	36
PID 2840 wrote to memory of 1316	2840	kvja.exe	36
PID 2840 wrote to memory of 1316	2840	kvja.exe	36
PID 2840 wrote to memory of 1316	2840	kvja.exe	36
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 1316 wrote to memory of 2556	1316	kvja.exe	37
PID 2840 wrote to memory of 1372	2840	kvja.exe	38
PID 2840 wrote to memory of 1372	2840	kvja.exe	38
PID 2840 wrote to memory of 1372	2840	kvja.exe	38
PID 2840 wrote to memory of 1372	2840	kvja.exe	38
PID 1372 wrote to memory of 2940	1372	kvja.exe	39
PID 1372 wrote to memory of 2940	1372	kvja.exe	39
PID 1372 wrote to memory of 2940	1372	kvja.exe	39
PID 1372 wrote to memory of 2940	1372	kvja.exe	39
PID 1372 wrote to memory of 2940	1372	kvja.exe	39
PID 1372 wrote to memory of 2940	1372	kvja.exe	39

C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Users\Admin\AppData\Roaming\kvja.exe
    C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe -dwup
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Roaming\kvja.exe
      C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe -dwup
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2556
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2940
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:3016
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2420
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2164
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2544
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1200
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1832
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2108
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1448
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2720
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2708
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2396
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2456
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1088
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2388
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2976
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1244
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:2184
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1436
      - C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        
        C:\Users\Admin\AppData\Roaming\kvja.exe
        7⤵
        Executes dropped EXE
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kvja.exe

Filesize
342KB

MD5
07bf0d794610eab72b0ac85ed40aabf1

SHA1
eb1badb78457daab0d03fbeefbbbcc32c05a9e05

SHA256
19ba596c9afab5f63bd263ea8e14b51185005eb3bbdc47837d126ba46eeaea26

SHA512
6f9d793e5a109325065d48d37eac89ad60b28e154f1e1fcfb2284abe59363bc3ea50d95a06d4d17d1ae5b19811421307a7a2ae3ea57c98d879d8c9bc7cd5204c

Download Submit
memory/348-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/348-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/348-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/348-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/348-4-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/348-12-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/348-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/348-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1128-68-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2740-41-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2740-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2840-48-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2840-44-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2840-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads