b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
144s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/s8Sj4vA.exe
Size

5.4MB
MD5

1be0e0db93388bd4ac29fc850a122a2e
SHA1

91532349e2c23400b0ec0f2987713d49b8f3af24
SHA256

d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe
SHA512

e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681
SSDEEP

98304:q6RUAPvIw0NUBy6EzhQzCWyLt6Tike/E4pCOqn9VdsWAF1t1XqsVUzy:q6NPvIPU/CWGt6+keNpCOqn9A3lhv

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4840	exp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\vbpk2hb902SX\\exp.exe"	s8Sj4vA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5684 set thread context of 568	5684	s8Sj4vA.exe	82
PID 4840 set thread context of 4360	4840	exp.exe	94

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5684	s8Sj4vA.exe
5684	s8Sj4vA.exe
4840	exp.exe
4840	exp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5684	s8Sj4vA.exe
Token: SeDebugPrivilege	4840	exp.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 5684 wrote to memory of 792	5684	s8Sj4vA.exe	78
PID 5684 wrote to memory of 792	5684	s8Sj4vA.exe	78
PID 792 wrote to memory of 2656	792	csc.exe	80
PID 792 wrote to memory of 2656	792	csc.exe	80
PID 5684 wrote to memory of 2136	5684	s8Sj4vA.exe	81
PID 5684 wrote to memory of 2136	5684	s8Sj4vA.exe	81
PID 5684 wrote to memory of 2136	5684	s8Sj4vA.exe	81
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 5684 wrote to memory of 568	5684	s8Sj4vA.exe	82
PID 3848 wrote to memory of 3172	3848	cmd.exe	85
PID 3848 wrote to memory of 3172	3848	cmd.exe	85
PID 1932 wrote to memory of 4840	1932	explorer.exe	87
PID 1932 wrote to memory of 4840	1932	explorer.exe	87
PID 4840 wrote to memory of 4188	4840	exp.exe	90
PID 4840 wrote to memory of 4188	4840	exp.exe	90
PID 4188 wrote to memory of 4908	4188	csc.exe	92
PID 4188 wrote to memory of 4908	4188	csc.exe	92
PID 4840 wrote to memory of 3380	4840	exp.exe	93
PID 4840 wrote to memory of 3380	4840	exp.exe	93
PID 4840 wrote to memory of 3380	4840	exp.exe	93
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94
PID 4840 wrote to memory of 4360	4840	exp.exe	94

C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wnl42von\wnl42von.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF4B.tmp" "c:\Users\Admin\AppData\Local\Temp\wnl42von\CSC3E4E70E0DC9D432587874A8F2B34BAF8.TMP"
    3⤵
    PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  2⤵
  PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  "C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5jfbctb\s5jfbctb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7C7.tmp" "c:\Users\Admin\AppData\Local\Temp\s5jfbctb\CSC81F5F5EEC4D411F8AB3E92DB739CCFC.TMP"
      4⤵
      PID:4908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAF4B.tmp

Filesize
1KB

MD5
f3c57ec8842deb70d8e2e8f20d10ee27

SHA1
82a093284f6fefa87f8b455c7b4d6d6dda7b3c0e

SHA256
bb8a753a406bfdd9b023a3a6187a9fb67f9e72dfea663466bac9c94c5f52fa48

SHA512
1938b7ea3f98a65f248a55659b060133b9e1f752c6ebfe57c6c08743e1e93a95cfdfd65a43e8c4f1a55d6cb4f77c44987464bbb27664e2f06fe1f054d98ae40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7C7.tmp

Filesize
1KB

MD5
687baad98d3e6db0f33275918fffc467

SHA1
a6afad466c27150c074a191d6306d04b4b0b44a1

SHA256
14c174a4ef0daa604d38b44044471020ceb25ae1f6a10c9bcb27057cda1c0479

SHA512
3f717200464fb4d9d6ae33303676df59b56f1d713fd8264ef10465de12ac08caee52208376a3629b169af27dd4df7e4e04512aacc22af2bc5502af32de70ec46

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5jfbctb\s5jfbctb.dll

Filesize
8KB

MD5
d2cf4485c6a91ebfe1542bfde1bc15ff

SHA1
f7c1006bf4cbfdcd0ef7d7605c1acf00cc3dea44

SHA256
ec47d5951973327d182888841c245a6b48496b92bad31c667a975394cfd31fa1

SHA512
e4f3b67f857367b5c57ecf1b9d0e22862a6eba75500d8dbe5d899916035136f5fd4a4b3982586a17db9a759d1a666b7c54180539e35fac13b4b4d8c287b260ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnl42von\wnl42von.dll

Filesize
8KB

MD5
81518173afa95d0d2d77beef6db40ef4

SHA1
14c4ebbfdb92c1d61be555d313a0e17bec063053

SHA256
577473014c3267ddb54648809619bea616ed84665696232cf999568e366c5150

SHA512
3b086fd102c767ab74d6b8c6f2c5471bbe8d759c34ea9d46ff01d07b71624036bacbf57b91259568d039afafbe3c9eade4989e1078dc5e257727f6c1a6d97453

Download Submit
C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe

Filesize
5.4MB

MD5
1be0e0db93388bd4ac29fc850a122a2e

SHA1
91532349e2c23400b0ec0f2987713d49b8f3af24

SHA256
d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe

SHA512
e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s5jfbctb\CSC81F5F5EEC4D411F8AB3E92DB739CCFC.TMP

Filesize
652B

MD5
4de068191b7f27d5d7688d2b7fffa095

SHA1
4a18d083ad4f6dd066dd15f2c383870d94d76113

SHA256
ab53906fec1e47dbc070fbbd6dc300482010e286ce4441b724516aaed2352191

SHA512
4fde28605fcf6ab6ec8c9833971554eab0633ff5b17cbb92b854d0b5433114fa9ede9c10416f1a56974073d9d87bedeee40ad7480cb2f9611a18a7e94d49cc6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s5jfbctb\s5jfbctb.cmdline

Filesize
204B

MD5
f55bc3d409a45abf8cfbe5db398110c1

SHA1
a1e2c44b8a7c8a2829d6cea680fc3539d6128729

SHA256
016bfb7b70cc002fbaaa97d18b0b6834aa791d496d84ef31fd255824ad198efc

SHA512
6640715357166435229d92eb721edbe01e6578ee2e1e480e1b97f237fa93dcb2099f1c0b8c23c2372062463559232a417a4f697444fa0764518d11e43d06b889

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnl42von\CSC3E4E70E0DC9D432587874A8F2B34BAF8.TMP

Filesize
652B

MD5
5172a1dd2855d60e0cbddb373988120a

SHA1
ab1743deee18dd3256d98772822a4f9e472019f1

SHA256
a5269a658379dc15c4c7ddc1158607013629d581fbdd3243bf654c2db7a58599

SHA512
288bd8f9c950924980ffb2ad1987aca5aaac53330dd743449d61f0ecd27cc107da58e23cf60c965de9d167452426e53f8880c67007116b2f332b8d4b4d21ee0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnl42von\wnl42von.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnl42von\wnl42von.cmdline

Filesize
204B

MD5
086c79d26524df363433cf270db7a441

SHA1
94c23c8c592e3d0a4f4b1f8e0e2f30dd528eb9b9

SHA256
e951b0c4544fa579f56ff5aa55566e93c117d74b7a62e7c075544aa4160f98a8

SHA512
fa631fcde2469448322216d4e9fb7d296bd9f42d5061f358230708de3e3e9fe2946d9cf85c1a2e89016edf9a28f55828d95c628d6a813eda2a54721d93a24306

Download Submit
memory/568-19-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/568-23-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/568-24-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/568-44-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/4840-39-0x000001C223C80000-0x000001C223C88000-memory.dmp

Filesize
32KB

Download
memory/5684-17-0x000001F8EF400000-0x000001F8EF408000-memory.dmp

Filesize
32KB

Download
memory/5684-22-0x00007FFC79F30000-0x00007FFC7A9F2000-memory.dmp

Filesize
10.8MB

Download
memory/5684-0-0x00007FFC79F33000-0x00007FFC79F35000-memory.dmp

Filesize
8KB

Download
memory/5684-4-0x00007FFC79F30000-0x00007FFC7A9F2000-memory.dmp

Filesize
10.8MB

Download
memory/5684-3-0x00007FFC79F30000-0x00007FFC7A9F2000-memory.dmp

Filesize
10.8MB

Download
memory/5684-2-0x00007FFC79F30000-0x00007FFC7A9F2000-memory.dmp

Filesize
10.8MB

Download
memory/5684-1-0x000001F908D20000-0x000001F909254000-memory.dmp

Filesize
5.2MB

Download