Analysis
max time kernel: 140s
max time network: 149s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 27/02/2025, 02:30
Static task: static1
Behavioral task: behavioral1
Sample: 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
Resource: win7-20241023-en
General
Target: 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
Size: 496KB
MD5: 56cdb05fa5a6baa5a787cbf460a46a54
SHA1: 4c18a270de95aea4ffd58370a375ce15e0ae7c9a
SHA256: c9d662ad82796b60e71f4cb3c1da76badbc00b3c11ab0d4fac14a6ea9c92e0f7
SHA512: 73c538b75fd3a29b9fa89523f8e9974337e72623dd0962e485d198f603e224019ada23d6ad8c3051a3a57e760cec2170293feffa331fbc7dea5accf6a1fd8f53
SSDEEP: 6144:bDlS4jMD+gSR+P8mVJbGgB1TpYjyUhUbPI3iBbZiSt/pnyq61keTcnzFdHXtwsi2:FAa+RQjyfTYiBk4QWe0zTXUvflZJ20y
Malware Config
Extracted
emotet
Epoch3
116.203.117.76:80
108.166.188.146:7080
216.154.222.52:7080
203.99.182.135:443
212.112.113.235:80
139.59.242.76:8080
110.36.234.146:80
113.52.135.33:7080
108.179.216.46:8080
186.10.16.244:53
200.114.134.8:20
41.60.202.26:22
125.99.61.162:7080
176.58.93.123:80
5.189.148.98:8080
201.196.15.79:990
45.33.1.161:8080
46.32.229.152:8080
94.177.253.126:80
78.189.94.99:8443
51.38.134.203:8080
181.53.252.85:990
190.55.86.138:8443
80.227.67.18:20
181.113.229.139:990
83.169.33.157:8080
138.197.140.163:8080
143.95.101.72:8080
181.57.102.203:8080
95.216.207.86:7080
78.109.34.178:443
70.45.30.28:80
181.97.70.132:8080
190.13.146.47:443
93.78.205.196:443
181.231.62.54:80
186.139.205.130:21
178.249.187.150:7080
181.230.126.152:8090
201.244.125.210:995
216.70.88.55:8080
Extracted
bdaejec
ddos.dnsnb8.net
Signatures
Bdaejec family
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is a backdoor written in C++.
resource: behavioral1/memory/2600-36-0x00000000011A0000-0x00000000011A9000-memory.dmp
yara_rule: family_bdaejec_backdoor
Emotet family
resource: behavioral1/files/0x000d000000012281-2.dat
yara_rule: aspack_v212_v242
Executes dropped EXE 2 IoCs
pid Process
2600 XinFvK.exe
2768 XinFvK.exe
Loads dropped DLL 4 IoCs
pid Process
1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
2744 capminimum.exe
2744 capminimum.exe
Drops file in System32 directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat capminimum.exe
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe XinFvK.exe
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe XinFvK.exe
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe XinFvK.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe XinFvK.exe
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe XinFvK.exe
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe XinFvK.exe
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe XinFvK.exe
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE XinFvK.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe XinFvK.exe
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe XinFvK.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe XinFvK.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe XinFvK.exe
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe XinFvK.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe XinFvK.exe
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe XinFvK.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe XinFvK.exe
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Google\Update\Install\{06715A9D-70D2-4C5C-9F8A-D2392905D83D}\chrome_installer.exe XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE XinFvK.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE XinFvK.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XinFvK.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language capminimum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XinFvK.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language capminimum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
Modifies data under HKEY_USERS 28 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ XinFvK.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings capminimum.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections capminimum.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 capminimum.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3}\3a-f6-68-1a-4f-84 capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-f6-68-1a-4f-84\WpadDecisionTime = c01f7eb3bf88db01 capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 capminimum.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" XinFvK.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix capminimum.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" capminimum.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" capminimum.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad capminimum.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3} capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3}\WpadDecisionTime = c01f7eb3bf88db01 capminimum.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3}\WpadNetworkName = "Network 3" capminimum.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" XinFvK.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3}\WpadDecision = "0" capminimum.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-f6-68-1a-4f-84 capminimum.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-f6-68-1a-4f-84\WpadDecision = "0" capminimum.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-f6-68-1a-4f-84\WpadDetectedUrl capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3}\WpadDecisionTime = 60bb52eebf88db01 capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-f6-68-1a-4f-84\WpadDecisionTime = 60bb52eebf88db01 capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 capminimum.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings capminimum.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 capminimum.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2DDDD89-2EE2-483A-940C-2419C3B5BCB3}\WpadDecisionReason = "1" capminimum.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-f6-68-1a-4f-84\WpadDecisionReason = "1" capminimum.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
996 capminimum.exe
996 capminimum.exe
996 capminimum.exe
996 capminimum.exe
996 capminimum.exe
Suspicious behavior: RenamesItself 1 IoCs
pid Process
2784 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
2784 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
2744 capminimum.exe
996 capminimum.exe
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1980 wrote to memory of 2600 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 30
PID 1980 wrote to memory of 2600 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 30
PID 1980 wrote to memory of 2600 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 30
PID 1980 wrote to memory of 2600 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 30
PID 1980 wrote to memory of 2784 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 31
PID 1980 wrote to memory of 2784 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 31
PID 1980 wrote to memory of 2784 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 31
PID 1980 wrote to memory of 2784 1980 2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe 31
PID 2600 wrote to memory of 2892 2600 XinFvK.exe 34
PID 2600 wrote to memory of 2892 2600 XinFvK.exe 34
PID 2600 wrote to memory of 2892 2600 XinFvK.exe 34
PID 2600 wrote to memory of 2892 2600 XinFvK.exe 34
PID 2744 wrote to memory of 2768 2744 capminimum.exe 37
PID 2744 wrote to memory of 2768 2744 capminimum.exe 37
PID 2744 wrote to memory of 2768 2744 capminimum.exe 37
PID 2744 wrote to memory of 2768 2744 capminimum.exe 37
PID 2768 wrote to memory of 3000 2768 XinFvK.exe 38
PID 2768 wrote to memory of 3000 2768 XinFvK.exe 38
PID 2768 wrote to memory of 3000 2768 XinFvK.exe 38
PID 2768 wrote to memory of 3000 2768 XinFvK.exe 38
PID 2744 wrote to memory of 996 2744 capminimum.exe 40
PID 2744 wrote to memory of 996 2744 capminimum.exe 40
PID 2744 wrote to memory of 996 2744 capminimum.exe 40
PID 2744 wrote to memory of 996 2744 capminimum.exe 40
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1980
    [2] C:\Users\Admin\AppData\Local\Temp\XinFvK.exe
        command line: C:\Users\Admin\AppData\Local\Temp\XinFvK.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2600
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\44e64a6f.bat" "
            - System Location Discovery: System Language Discovery
            PID:2892
    [2] C:\Users\Admin\AppData\Local\Temp\2025-02-27_56cdb05fa5a6baa5a787cbf460a46a54_smoke-loader_wapomi.exe
        command line: --7269df89
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: RenamesItself
        - Suspicious use of SetWindowsHookEx
        PID:2784
[1] C:\Windows\SysWOW64\capminimum.exe
    command line: "C:\Windows\SysWOW64\capminimum.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
    [2] C:\Windows\TEMP\XinFvK.exe
        command line: C:\Windows\TEMP\XinFvK.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID:2768
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Windows\TEMP\789167c4.bat" "
            - System Location Discovery: System Language Discovery
            PID:3000
    [2] C:\Windows\SysWOW64\capminimum.exe
        command line: --8827b70e
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID:996
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 187B
MD5: a2d3bb5727d38a1208a37c82865ae082
SHA1: 5e18eeb08de5e8f0da5621adf0004a7372c10f61
SHA256: 390d14be8d83f8e690ffb4d00e395287c3c00452261d024b78b0a0b41c778da1
SHA512: cafb2f1faa35ef49827d07bb1bb5576af75dcd19800677d8a04a53409a4a0829f0dc53096c1aeac5acd5017ffc855884174063d6f1736e5ce0a4447d760380bf

Filesize: 133B
MD5: 45362f467667d49422b212557b4a4815
SHA1: b2e2106bbcfbf35145c2d9061d098fac8ed49a3c
SHA256: a257fc8a09dfdab8e7e64c1a8b6272421f91f1eb438ad661920ee3a6af1322ba
SHA512: 940bd5bb3f217d0b1eb6a69a3a6209a90cf0735acba76aba497600f8eb139e7ede81ad857cef534be4e4efb591e8d68244a3fef260f9be0f57042392b60125ab

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e