b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/s8Sj4vA.exe
Size

5.4MB
MD5

1be0e0db93388bd4ac29fc850a122a2e
SHA1

91532349e2c23400b0ec0f2987713d49b8f3af24
SHA256

d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe
SHA512

e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681
SSDEEP

98304:q6RUAPvIw0NUBy6EzhQzCWyLt6Tike/E4pCOqn9VdsWAF1t1XqsVUzy:q6NPvIPU/CWGt6+keNpCOqn9A3lhv

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	exp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\vbpk2hb902SX\\exp.exe"	s8Sj4vA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 1780	2756	s8Sj4vA.exe	89
PID 2016 set thread context of 4012	2016	exp.exe	102

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	exp.exe
2016	exp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	s8Sj4vA.exe
Token: SeDebugPrivilege	2016	exp.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3668	2756	s8Sj4vA.exe	86
PID 2756 wrote to memory of 3668	2756	s8Sj4vA.exe	86
PID 3668 wrote to memory of 5072	3668	csc.exe	88
PID 3668 wrote to memory of 5072	3668	csc.exe	88
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 2756 wrote to memory of 1780	2756	s8Sj4vA.exe	89
PID 1836 wrote to memory of 2136	1836	cmd.exe	92
PID 1836 wrote to memory of 2136	1836	cmd.exe	92
PID 3228 wrote to memory of 2016	3228	explorer.exe	94
PID 3228 wrote to memory of 2016	3228	explorer.exe	94
PID 2016 wrote to memory of 3032	2016	exp.exe	97
PID 2016 wrote to memory of 3032	2016	exp.exe	97
PID 3032 wrote to memory of 3408	3032	csc.exe	100
PID 3032 wrote to memory of 3408	3032	csc.exe	100
PID 2016 wrote to memory of 3252	2016	exp.exe	101
PID 2016 wrote to memory of 3252	2016	exp.exe	101
PID 2016 wrote to memory of 3252	2016	exp.exe	101
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102
PID 2016 wrote to memory of 4012	2016	exp.exe	102

C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\akuufdhm\akuufdhm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9441.tmp" "c:\Users\Admin\AppData\Local\Temp\akuufdhm\CSCC4D13F7653C245E7B3F7FBE474A9BBEC.TMP"
    3⤵
    PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  2⤵
  PID:2136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  "C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2biyov5y\2biyov5y.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AB9.tmp" "c:\Users\Admin\AppData\Local\Temp\2biyov5y\CSCA79DAFF550DA4695B74437A2CBC47EC.TMP"
      4⤵
      PID:3408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4012

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2biyov5y\2biyov5y.dll

Filesize
8KB

MD5
284760e31eeee34dcc68d6f8464f680d

SHA1
e176bc04c54a2d7dfccf8c65211b7a2cc0448580

SHA256
a947ad45fe92fe96c1f41fc484295fb9ab46f5a4713003867f0822902cfcc099

SHA512
eb8ec81d420fb63f14584b2ee881dc22826b13d561ae50c09f44fe241ab5637aab619ec46a24ec6e5e206b803f132923406cb4d83b68d9424302bc092d5d6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9441.tmp

Filesize
1KB

MD5
bf229c3af2aa16dcf13858eb0dca283b

SHA1
acda3654edb2fb95a7d8c9c9a941e6926f43eb7c

SHA256
06e0d90b1814de39c83b526205e88f8bdeaf96a501887d6e77bc723de3484e66

SHA512
d942970872c357df1e55a707e1f0a418af2b6097dbe4ae9c4763059f05784a36f8bfd610d6993c968e891419308637a3782baa685505bd80095ae75b161e5492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9AB9.tmp

Filesize
1KB

MD5
c6c43b46013114343fa0cc6bd51a3033

SHA1
de77232ba550a7fdb89c036e11b6669ef486b0be

SHA256
b28f2fc29c8c1d619cc13ac295d9952df49a2bb7f0db292abcf57094aaee9320

SHA512
38a3459618c55140f9ae9746bcba70d2598d7d7326aa3d7646caf8768d7e6c6ebc0dbdc946b9d62b8f2a2f0255e1d2b397bdb8b9f4839ed5ff701d9ec7b4d168

Download Submit
C:\Users\Admin\AppData\Local\Temp\akuufdhm\akuufdhm.dll

Filesize
8KB

MD5
65defae8e91871ab48d8571b08fa49db

SHA1
ede8f34fcf09a7e06cb49e0fc72b4d280820cb1b

SHA256
ce82c34059b53743fe5c09fdba77d0a47213265c1f8ff8b5556537fad0a6fce3

SHA512
9aa4cf9442decb0f04e8eb7ae1bb34fb787e1af2bef6a28950bbdb589c18bcf5991da990a0990475881177a83f9b239e6cf28a7ef92a5f4e09a7ea03aa351d5a

Download Submit
C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe

Filesize
5.4MB

MD5
1be0e0db93388bd4ac29fc850a122a2e

SHA1
91532349e2c23400b0ec0f2987713d49b8f3af24

SHA256
d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe

SHA512
e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2biyov5y\2biyov5y.cmdline

Filesize
204B

MD5
454a7065413cd2d4594cc88defcbfb0e

SHA1
d3d7bcfae1a72ad43aee23f2894ca2ec69ae75e2

SHA256
c641611a18226cdafd2e2f07f1b13eca72639309622eb13fdeb8f9db174234c7

SHA512
90310cc207ecb369c9afb141280fd7048b26251e37befc0692331b77af882136cdd5cd62f54f38ccad59e015f9c9c91c790debcd5af3a4599ac0bd9447bc24f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2biyov5y\CSCA79DAFF550DA4695B74437A2CBC47EC.TMP

Filesize
652B

MD5
3f9374fd2c29d41af20bac5a14a8437d

SHA1
4971dfbf8568bc3acddbedcec20e5697fe617a5d

SHA256
eb3e1c12a036033057e47f87a571ac81a7c46a04bfb07842947cab27de62400f

SHA512
3da264c57d4720d20c2d13dd84b6b6e4f3d9fc02db305fec06a1441e455c2c9d52a8468f109024b5ad9f1c2210d4b3b68ed2f88748104d0a2afe1b8b80356288

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\akuufdhm\CSCC4D13F7653C245E7B3F7FBE474A9BBEC.TMP

Filesize
652B

MD5
acc3c241dfc228fb8227ffdce215d561

SHA1
22a242e741ae0fd5d436dc475911c8251e63e826

SHA256
bd7da6563fbe2cb2aea87c4f54de73e6f1ece1d1cc6f826665b6112a3fd5ee9f

SHA512
20f43634ae2731ffb3e0ba0cf8364decdcde0153bd73707e28d02275fd47a33d5dd281ae899593525b77724ca7fdb553615654e19c7cba63efa9a09058aad31b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\akuufdhm\akuufdhm.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\akuufdhm\akuufdhm.cmdline

Filesize
204B

MD5
5dfeeee05f24ea760eacab1185a91e3e

SHA1
363251d987b8047d52558a434def25992440aaf5

SHA256
6e36f016f73eeeb96e830fafd0063b189ed55c65ebba44ab9b78c0154dd30038

SHA512
8185c9e2e652920cae7c9effdb2a888df299dbdfd9b234c7152abb5815931f50629e5b25650e427c38e41d3d1318568c0c8754eeea57b9bd882e2ac72926d27e

Download Submit
memory/1780-25-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/1780-19-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1780-23-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/1780-44-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/2016-39-0x000001F24B040000-0x000001F24B048000-memory.dmp

Filesize
32KB

Download
memory/2756-22-0x00007FFA16B20000-0x00007FFA175E1000-memory.dmp

Filesize
10.8MB

Download
memory/2756-17-0x0000027577580000-0x0000027577588000-memory.dmp

Filesize
32KB

Download
memory/2756-0-0x00007FFA16B23000-0x00007FFA16B25000-memory.dmp

Filesize
8KB

Download
memory/2756-4-0x00007FFA16B20000-0x00007FFA175E1000-memory.dmp

Filesize
10.8MB

Download
memory/2756-3-0x00007FFA16B20000-0x00007FFA175E1000-memory.dmp

Filesize
10.8MB

Download
memory/2756-2-0x00007FFA16B20000-0x00007FFA175E1000-memory.dmp

Filesize
10.8MB

Download
memory/2756-1-0x0000027578E60000-0x0000027579394000-memory.dmp

Filesize
5.2MB

Download