4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
97s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
Size

131KB
MD5

844a5fcb3644af223a45da950e14801b
SHA1

928d3c7afa140e9b9e96d4f03ea1d82b4ad37634
SHA256

5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e
SHA512

7aac0f58ff1bf21cd540ef2acecc5866a0d7056496b932e04593d4c256f498079d810b326695e36c62442545a6793b566c50474c9784bb8436905ce4da70e8c4
SSDEEP

3072:4+RlQoN36tGQviFCnMBnMfWl9zmaF9bhYvMY:4jM9zCvMY

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Star Client	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4716	TASKKILL.exe
4064	TASKKILL.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
Token: SeDebugPrivilege	4064	TASKKILL.exe
Token: SeDebugPrivilege	4716	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3264	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4716	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe	87
PID 4020 wrote to memory of 4716	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe	87
PID 4020 wrote to memory of 4716	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe	87
PID 4020 wrote to memory of 4064	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe	88
PID 4020 wrote to memory of 4064	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe	88
PID 4020 wrote to memory of 4064	4020	5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe	88

C:\Users\Admin\AppData\Local\Temp\5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe
"C:\Users\Admin\AppData\Local\Temp\5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4020-0-0x0000000074E22000-0x0000000074E23000-memory.dmp

Filesize
4KB

Download
memory/4020-1-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4020-2-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4020-3-0x0000000074E22000-0x0000000074E23000-memory.dmp

Filesize
4KB

Download
memory/4020-4-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4020-5-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4020-11-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download