6087227bb35383f28a21d99cdb8a110f28648fa4e12cb7f0f6b6c3b521765f2e

Analysis

max time kernel
152s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20241007-es
resource tags

arch:x64arch:x86image:win11-20241007-eslocale:es-esos:windows11-21h2-x64systemwindows
submitted
25/01/2025, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

native instruments monark v1.0 win mac.exe
Size

807.2MB
MD5

0b2a30ec0be8ecf3a2a89736f67a225e
SHA1

b08014503cf64c53eed2b27e56966811fe78fa32
SHA256

cd7344a1923fca79d26161b9a325af852fa617fc1cd81e555df0148e017d27a4
SHA512

d17fc2dea04b508844ceb87940f87ae7c9e472e68c28857a8a3a6701de82d7ab761542bc3e36a109338cdc898632f95da229ae9912e5a17516429c9c10636600
SSDEEP

393216:C07UqU4R/N+Z4hxQDd3GLHOA/YQbDFMUshconFqxit:C0XHBSsbDFah

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2856	Uniprotkb.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1232	tasklist.exe
3132	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PreviewsFreight	native instruments monark v1.0 win mac.exe
File opened for modification	C:\Windows\AngelesTrackback	native instruments monark v1.0 win mac.exe
File opened for modification	C:\Windows\HighsAudio	native instruments monark v1.0 win mac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uniprotkb.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	native instruments monark v1.0 win mac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2856	Uniprotkb.com
2856	Uniprotkb.com
2856	Uniprotkb.com
2856	Uniprotkb.com
2856	Uniprotkb.com
2856	Uniprotkb.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	tasklist.exe
Token: SeDebugPrivilege	3132	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2856	Uniprotkb.com
2856	Uniprotkb.com
2856	Uniprotkb.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2856	Uniprotkb.com
2856	Uniprotkb.com
2856	Uniprotkb.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1428	1876	native instruments monark v1.0 win mac.exe	77
PID 1876 wrote to memory of 1428	1876	native instruments monark v1.0 win mac.exe	77
PID 1876 wrote to memory of 1428	1876	native instruments monark v1.0 win mac.exe	77
PID 1428 wrote to memory of 1232	1428	cmd.exe	79
PID 1428 wrote to memory of 1232	1428	cmd.exe	79
PID 1428 wrote to memory of 1232	1428	cmd.exe	79
PID 1428 wrote to memory of 840	1428	cmd.exe	80
PID 1428 wrote to memory of 840	1428	cmd.exe	80
PID 1428 wrote to memory of 840	1428	cmd.exe	80
PID 1428 wrote to memory of 3132	1428	cmd.exe	82
PID 1428 wrote to memory of 3132	1428	cmd.exe	82
PID 1428 wrote to memory of 3132	1428	cmd.exe	82
PID 1428 wrote to memory of 4740	1428	cmd.exe	83
PID 1428 wrote to memory of 4740	1428	cmd.exe	83
PID 1428 wrote to memory of 4740	1428	cmd.exe	83
PID 1428 wrote to memory of 5104	1428	cmd.exe	84
PID 1428 wrote to memory of 5104	1428	cmd.exe	84
PID 1428 wrote to memory of 5104	1428	cmd.exe	84
PID 1428 wrote to memory of 1544	1428	cmd.exe	85
PID 1428 wrote to memory of 1544	1428	cmd.exe	85
PID 1428 wrote to memory of 1544	1428	cmd.exe	85
PID 1428 wrote to memory of 2868	1428	cmd.exe	86
PID 1428 wrote to memory of 2868	1428	cmd.exe	86
PID 1428 wrote to memory of 2868	1428	cmd.exe	86
PID 1428 wrote to memory of 1868	1428	cmd.exe	87
PID 1428 wrote to memory of 1868	1428	cmd.exe	87
PID 1428 wrote to memory of 1868	1428	cmd.exe	87
PID 1428 wrote to memory of 3448	1428	cmd.exe	88
PID 1428 wrote to memory of 3448	1428	cmd.exe	88
PID 1428 wrote to memory of 3448	1428	cmd.exe	88
PID 1428 wrote to memory of 2856	1428	cmd.exe	89
PID 1428 wrote to memory of 2856	1428	cmd.exe	89
PID 1428 wrote to memory of 2856	1428	cmd.exe	89
PID 1428 wrote to memory of 1316	1428	cmd.exe	90
PID 1428 wrote to memory of 1316	1428	cmd.exe	90
PID 1428 wrote to memory of 1316	1428	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\native instruments monark v1.0 win mac.exe
"C:\Users\Admin\AppData\Local\Temp\native instruments monark v1.0 win mac.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Manga Manga.cmd & Manga.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 697482
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Latitude
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Disks" Medications
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 697482\Uniprotkb.com + Deck + Firmware + Local + Commodity + Integrate + Worldcat + Disk + Duncan + Researchers + Franklin 697482\Uniprotkb.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Subsidiaries + ..\Briefly + ..\Prison + ..\Plains + ..\Tactics + ..\Passed + ..\Surf + ..\Postal O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\697482\Uniprotkb.com
    Uniprotkb.com O
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2856
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\697482\O

Filesize
519KB

MD5
90e8a27bf1d8e3010c5001ecaaabe7a5

SHA1
1338dfce062e7d852709f26462420ddcfebe4d0e

SHA256
a2f748539fe0c94d403732747cc9703f80e0b8fbeaad9188891b7f8f83aab6be

SHA512
edf558626258b12c4830e0b285e68ae2d428286a20a3a2d3c6725e7093247bdd300694ef94fe0c0326ddda22fe809e0cecc07646c07cd5ba57803e41350d0936

Download Submit
C:\Users\Admin\AppData\Local\Temp\697482\Uniprotkb.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Briefly

Filesize
98KB

MD5
cae8dcb1f9bb563d2671047e919bbcb5

SHA1
ab3211970c80055d570f4ed7a8500f6b7ec93b5f

SHA256
8e9797b7bfe5c38cc53f5e2a6f95dc493320e776fd8a810c099655e53f26c9ff

SHA512
45e7a3d555faad2ce453f880a4bc0ffe5d51d7edab567d9d722190d50ca77a08eb2d43c5bf7164e2891038f78c5eee917186a012cf2b36e6c3422a877579b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commodity

Filesize
67KB

MD5
1b96ceae949cae303867ee5f7e812f24

SHA1
ee9bc6bba5b6eff53acc41b9bb448d4c6e0f11f5

SHA256
8dd0e1bb36f01cddbb6b6134ce8ede34d6e5eae085e37d6457cd0bd8b8a4e8f1

SHA512
51f86a51355b8a0e2864b1c94c83b8ca8b19abdcb8242ef6c9098d0be931c17eeff373919e231eae592890662fc57cbbf0779f2114fc729b4f370e224178002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deck

Filesize
90KB

MD5
2a83c974f2e4f3b54a3875f1e2d23ea3

SHA1
a5e0d3a1311050d49b7209a53549f1816242201a

SHA256
cf88444bf6afd916e090b758214d26eedd4967e1c3f377a582416b5f3a4e50ec

SHA512
7d19e57d9a512eed4608b1ba2da6660e369716fc9baddcc3b823463aacdf0af49a7d7643eedb509365477f1f0bb1fba38f5bf45abb58116ed3f6cd0c57c2fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk

Filesize
120KB

MD5
d00fce75af39654d56c5b9e18d23b754

SHA1
94329d1e4e7720e0a7c1b93ed21e37bf0aff4270

SHA256
d934bae025156fff375534a7763de322ed21e74cdb902ed2aa9362f2ba9ff621

SHA512
13c96c9df84243d7e9bec45cbb0bfe2e480532ea3164320c85e0907fc61255986d707936cf793dea83e2dc89805913ade5101e0c8fb96305aaee9fd9f21f09d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duncan

Filesize
111KB

MD5
314f0486e1cf02910784934cc1f33f8a

SHA1
9b37166b8945e0478b6054801fdf17e6f57dc83b

SHA256
ddd85519bb5addc43d28966e4853a86e26dd0d2a88d92929d2a905adb81049e5

SHA512
f5d7d0791a966fa514fa498abbb3edf4b667a3285912c25f5f45532271642bf75f6aa3581d27617a4fb59b0d19b25abed227f21af36a921ddae0481ea9f9632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firmware

Filesize
108KB

MD5
8c740362b829284d375f6a8dd2cf8c4a

SHA1
7351ab9d10cfb0c138fdadd4d7a348185aef6a29

SHA256
2771f19004542f7a55e135c11931d67bdb0f1c069e595a64bb0f54e98406b97a

SHA512
6c1d6657404c98728e79cfdcb0b20edcd1b447b72660d6cd6a1b5f287d2306f0fb8a268e75b5278db427b0167007eda4d0d1bd90382675346866c021c3247719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Franklin

Filesize
82KB

MD5
e1677dfae45b1df9529e006de4177be5

SHA1
c577777da1b5fe1ec5e36e03be4797ae35d19e47

SHA256
8cb31427849b696a44d116859d711f9b152c062e3c243abb6538c2f16b99536e

SHA512
f2ab6f81699921b29571f34c46162e5aa2c13a3ade6ddd3fe33221eeffa88001dfb879ddbef88b8c677c0cad11cf9284e0986a251ecd5abbec89c438852540bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Integrate

Filesize
82KB

MD5
aae65503db290d40ce5dd2e4775b0704

SHA1
7974415581f365a92b20835ab6f3088697207cf8

SHA256
0235e7f925c9c4f36e3663ca3eb739c4d732d4341ea0604819caaf64d1b0be89

SHA512
3ce834b725ed5f93c7db2f103259ad5764eff7efe2719c480feea431aa9c1d134216cfec25f662f71191b039fac839680ff9e68f814e882e6a2edbe5e8f4ed37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latitude

Filesize
476KB

MD5
089124d0c187d58c606a2412ecb093bd

SHA1
0ced5703b7d4bcb76778ee9cc622755d98c4df29

SHA256
93b9d78fbda1edf0e076a5fde3e50ac440e8c2b0f8386e7b935a8d22ca8c86f8

SHA512
3b931aa879bd76500b345c1902d1e4694a7350b8aa82a9e34aaa6aa294ae628a0265a4cf8da2838abd911b192cf844e99949980615ef34205fcc4d37ffdb3f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local

Filesize
120KB

MD5
504753aef58694f48717c273a27530fa

SHA1
f86bb2661848e6c1687b5321506ffb972438ca24

SHA256
d68b89f865707119b14acc02bbaf18aea669ac000d453db8055f62efe2050d45

SHA512
a779176f09df25ad6c1d5175c9714a7cbec94e77fc0d6fe30de215e2928292dd6b12ef1a58e9a38ec23b5ab5895868a94394ed5e83f1965caaad37c139b4218d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manga

Filesize
8KB

MD5
e981d4e0de467cdb5eac02b75128130a

SHA1
ebf5778756d052f757d6b818bed9c982649b9b83

SHA256
5af22e1ebc2763756759a350e515644b0b38981591cb2b8c7e254560e1afa7fb

SHA512
e9f16caf23155622cc1d129bb4c4eb011034c393da4ef51ce7c90a99709d3a763525e1f770002174a1ba38626c0598a1e7e106f64bae578977dd4b089bf9d6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Medications

Filesize
2KB

MD5
1b5dd37c92b3e66032654979843459b3

SHA1
33cd6f3eba9f845b70c981c89aabea66b442b019

SHA256
277bfcc909d7834dd0e9258b3f313e1fc65c7f085479216bfd874acdffdab0ae

SHA512
053c2d2e2d204171433e0d64a699abe923fa1dedddb1c8ee2f1990e7851b32722b00cdac7d03d22566ea3d9a3cd488ac2175d37356f96042e7dbc805b4452215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passed

Filesize
56KB

MD5
57faf82635a958282890c277800a4c39

SHA1
077e733bf8d09e37f2f91284d9356d7ef07ae793

SHA256
2ef31e660f9449f0c6ce27483eb6fa39f88a1c280b539cd7d435e32fccc4d850

SHA512
94a7dddaba12f4f660e9130676798a0a5064f872251f7dcd90491d0980c616ae6e74913d776c04fd4c4426af1d9b1fc3b910126e5d76187fccd8de5022ca75d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plains

Filesize
58KB

MD5
0d98238ed768a22251cf0dd763fc1938

SHA1
a19cb30956be9ddf0b18681137a1faa2a5fba487

SHA256
a834a37a99b006962e4958fa139451b45c72836f2d0055bca12983b31e3b990d

SHA512
e245c99d065bcea368c9ce6013b887ae0619b476240e6b2edd3ed927758d63ab592c29a4de6f4e99c65d828686d25ca24325719b86992d16f7820e809290d95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Postal

Filesize
18KB

MD5
728de55c0ea34b3c00e2d6b7185e2fdc

SHA1
d352adcb51b9d7e76f819d64e7abf7ea8dc645a7

SHA256
db8645c89120a77e998d717a130e4c96c1cf45984c8cb2361e6d480e757874de

SHA512
3d0cb919f6b626f272536de768a32ca129b1fb9796dc081ccf9dde243d889f2fe2f4d529ae5c582c093cfc081e494e2220178ee444a6c86cbae560e1c502a51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prison

Filesize
64KB

MD5
5ac4420057a44be940c4a40a758aee69

SHA1
8fe369bf121e9898836008e406c9a9b1a76df736

SHA256
3c5796d1fb862d1ffcb5e820b7d4c6c2dcb6b63b5ffd17b55946bf7d352a0a27

SHA512
97f2fe2013413d9c2d1276b38c8cd2fe0f7520b86b77eb860206661dffc0e2e858757ad1eda4d0d256b9aeb8d1cfaa503bd6c4e3fda918d6322a77284988d6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Researchers

Filesize
57KB

MD5
18c6503a3f8e41d9829e09b1b63ffb91

SHA1
0e820757b6ecd4e28d67015ec6c7ad5fbce4b96b

SHA256
fea57377e517e96f7ddbc5fba6675a88320b8790cb0ad454cdf2161291de4582

SHA512
fcedcfbf66d952b661ba565a55b6255bff02923f6edd5a863f70acebee5dbbad956a28325e64255c29097c037e0c5691cf847c8574e22505a3225df6bc65dd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsidiaries

Filesize
79KB

MD5
8a439bfd9f9092561688349cd1eb9670

SHA1
ac56d340dd34e02bdc432f453ff6ab424156a424

SHA256
24f1a880e15e8af71f329f861d3dc8633227db43f4d58b88ebcd7523411dc365

SHA512
a849ab36a191277ba5e1d7e00350be815f3e1cef1dfadb9da5511ca9d2d890b697ef0ccb3a1eb936537af3fc8ee43019c935cf1da88ef0d3f41a30da7ae42738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surf

Filesize
65KB

MD5
d94f616a813e5c6d50931250d7ea3d43

SHA1
c87647cf7e46befcb21e8d2b94c808630e32ba6e

SHA256
7ed9ebbf4ca6146259fd01fadc83498e787724a24f49d2de9f6d74ad5c68bb1b

SHA512
c8869ba777f88f0f2b66107a479c8510c79f2d333c7e5d15ce953ed89482693c0d9851ee60bd3ca43bafcc05774a607fde870ecf05b938ed404c6a3aef837429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tactics

Filesize
81KB

MD5
9ca954f25e6b75fbebbbcfd7f961620e

SHA1
30a9317730abe844dccbca85867d16c8feead90a

SHA256
5b10e47f30a33eb894694c6f13055adac2ab65fdc160ef0ed2c0f63317616feb

SHA512
0ab6b4e73828e1dee8865266e326434cab6b4aaae1fd0d8f719440f4d31886fe6968890005974700270545f5dd450ed2077612c1c61e434b67b4ed6e398e42eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldcat

Filesize
85KB

MD5
5fdb9295e1e1d72eacb99954aca091df

SHA1
0cc223a9f5819569910f45f22bfe91747922d13d

SHA256
bfaad8f10a02e5ba7131d5362b2176995bae6dd5ea10fc544adc00f22ffe1283

SHA512
3c8ff497fd182d6cf6a2f56e81ab559c7098e4dd3ed8515883faf8ed55c6280ffd80ea3916993a91336f777570c40b700d824cd22705ac42c0a8047fc471892d

Download Submit
memory/2856-264-0x0000000004770000-0x00000000047D0000-memory.dmp

Filesize
384KB

Download
memory/2856-265-0x0000000004770000-0x00000000047D0000-memory.dmp

Filesize
384KB

Download
memory/2856-267-0x0000000004770000-0x00000000047D0000-memory.dmp

Filesize
384KB

Download
memory/2856-268-0x0000000004770000-0x00000000047D0000-memory.dmp

Filesize
384KB

Download
memory/2856-266-0x0000000004770000-0x00000000047D0000-memory.dmp

Filesize
384KB

Download