8b2c1c503028727000a3c4c10afcde49894d1931b3099a3ab6549d3f7d545276

Analysis

max time kernel
900s
max time network
555s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
03/04/2025, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EMV Reader Writer/EMV.exe
Size

676KB
MD5

c02eb2922d0d441d0feb165978bace0b
SHA1

1742e04ea8268a87d4308bf462ea0b2196c04363
SHA256

e7c4ccc44305bbf8832946347be0774fee2bbce6dd1602651f1bfcb7ba3c0e6a
SHA512

a61eadd7eded59fc855ea5e068fb25037d869972d309944eb79f466552334a12c41caae5754b293539693ff93d1a0d1651dfd321e272c439d41143ae01398ec7
SSDEEP

12288:20Yu2IAbjFm4Eq7duqXXyFsKJ0kXky/u523DjUN3npCeYHfDugU+6:LYutAbjwo7dhyS4W523UN5C72

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\yHvp7YTZVsXh7jst\\vLdlxiQDuedN.exe\",explorer.exe"	EMV.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	EMV.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EMV.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe
2020	EMV.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	EMV.exe

C:\Users\Admin\AppData\Local\Temp\EMV Reader Writer\EMV.exe
"C:\Users\Admin\AppData\Local\Temp\EMV Reader Writer\EMV.exe"
1⤵
- Modifies WinLogon for persistence
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-0-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-2-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-3-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-4-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-5-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-6-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-8-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-9-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-10-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download